The fuzzer seems to be
    http://lcamtuf.coredump.cx/afl/

And an interesting blog post about it is
    http://lcamtuf.blogspot.ca/2014/11/pulling-jpegs-out-of-thin-air.html

<q>American fuzzy lop is a security-oriented fuzzer that employs a
novel type of compile-time instrumentation and genetic algorithms to
automatically discover clean, interesting test cases that trigger new
internal states in the targeted binary.</q>


On Thu, Jan 8, 2015 at 5:29 PM, Richard Hipp <d...@sqlite.org> wrote:
> On 1/8/15, Michal Zalewski <lcam...@coredump.cx> wrote:
>
>> I have been running afl-fuzz against sqlite and bumped in a bunch of
>> bugs that seem to crash the sqlite3 binary
>
> Fixed here: https://www.sqlite.org/src/info/fe578863313128
>
> Bug report for your trophy case: 
> https://www.sqlite.org/src/info/a59ae93ee990a55
>
> Nice work.  I've never heard of afl-fuzz before, but you can bet I'm
> going to be studying up on it!
>
>
>> (but do not seem to be a
>> security problem, other than in the denial-of-service sense). There
>> are four seemingly distinct patterns, with test cases included inline:
>>
>> -- test1.sql --
>> create table t0(t);insert into t0
>> select strftime();
>> -- eof --
>>
>> This one is a failure in:
>>
>> sqlite3DbMallocRaw (db=0x2, n=32) at sqlite3.c:20567
>> 20567       if( db->mallocFailed ){
>>
>> where db looks like something in the vicinity of NULL.
>>
>> #0  sqlite3DbMallocRaw (db=0x2, n=32) at sqlite3.c:20567
>> #1  0x000000000053b17c in sqlite3VdbeMemGrow
>> (pMem=pMem@entry=0xa9f4d8, n=<optimized out>, n@entry=32,
>>     bPreserve=bPreserve@entry=0) at sqlite3.c:61789
>> #2  0x000000000057c904 in sqlite3VdbeMemClearAndResize (szNew=32,
>> pMem=0xa9f4d8) at sqlite3.c:61831
>> #3  sqlite3VdbeMemStringify (pMem=0xa9f4d8, enc=<optimized out>,
>> bForce=<optimized out>) at sqlite3.c:61949
>> #4  0x000000000057cf40 in valueToText (pVal=0xa9f4d8, enc=enc@entry=1
>> '\001') at sqlite3.c:62681
>> #5  0x000000000057d166 in sqlite3ValueText (pVal=<optimized out>,
>> enc=1 '\001') at sqlite3.c:62714
>> #6  0x0000000000598fcd in sqlite3_value_text (pVal=<optimized out>) at
>> sqlite3.c:67471
>> #7  strftimeFunc (context=0x7fffffffca90, argc=0, argv=0xa9f358) at
>> sqlite3.c:15657
>>
>> -- test2.sql --
>> DETACH(select group_concat(q));
>> -- eof --
>>
>> That one looks like a distinct NULL ptr deref:
>>
>> exprSrcCount (pWalker=<optimized out>, pExpr=0xa9eec8) at sqlite3.c:84694
>> 84694       for(i=0; i<pSrc->nSrc; i++){
>>
>> #0  exprSrcCount (pWalker=<optimized out>, pExpr=0xa9eec8) at
>> sqlite3.c:84694
>> #1  0x00000000004fb86f in sqlite3WalkExpr (pWalker=0x7fffffffc400,
>> pExpr=0xa9eec8) at sqlite3.c:79072
>> #2  0x000000000069193f in sqlite3WalkExprList (p=<optimized out>,
>> pWalker=0x7fffffffc400) at sqlite3.c:79095
>> #3  sqlite3FunctionUsesThisSrc (pExpr=0xa9ed48, pSrcList=0x0) at
>> sqlite3.c:19186
>> #4  resolveExprStep (pWalker=pWalker@entry=0x7fffffffc480,
>> pExpr=pExpr@entry=0xa9ed48) at sqlite3.c:14402
>> #5  0x0000000000692bcb in sqlite3WalkExpr (pExpr=0xa9ed48,
>> pWalker=0x7fffffffc480) at sqlite3.c:79072
>> #6  sqlite3ResolveExprNames (pNC=0x7fffffffc550, pExpr=0xa9ed48) at
>> sqlite3.c:15026
>> #7  0x0000000000694b2b in resolveSelectStep (pWalker=<optimized out>,
>> p=<optimized out>) at sqlite3.c:80402
>> ...
>>
>> -- test3.sql --
>> select(select strftime());
>> -- eof --
>>
>> Faults in:
>>
>> sqlite3ValueText (pVal=0x1, enc=1 '\001') at sqlite3.c:62708
>> 62708     if( (pVal->flags&(MEM_Str|MEM_Term))==(MEM_Str|MEM_Term) &&
>> pVal->enc==enc ){
>>
>> #0  sqlite3ValueText (pVal=0x1, enc=1 '\001') at sqlite3.c:62708
>> #1  0x0000000000598fcd in sqlite3_value_text (pVal=<optimized out>) at
>> sqlite3.c:67471
>> #2  strftimeFunc (context=0x7fffffffca90, argc=0, argv=0xaa02d8) at
>> sqlite3.c:15657
>> #3  0x00000000007883fb in sqlite3VdbeExec (p=0xa8d5a8) at sqlite3.c:70606
>> #4  0x00000000007aaf11 in sqlite3Step (p=0xaa0018) at sqlite3.c:67809
>> #5  sqlite3_step (pStmt=<optimized out>) at sqlite3.c:2339
>> #6  0x0000000000425228 in shell_exec (db=0xa8d5a8,
>> zSql=zSql@entry=0xa8d510 "select(select strftime());",
>>     pArg=pArg@entry=0x7fffffffcf50,
>> pzErrMsg=pzErrMsg@entry=0x7fffffffce68, xCallback=0x41dd80
>> <shell_callback>)
>>     at shell.c:1365
>> #7  0x000000000042a933 in process_input (p=p@entry=0x7fffffffcf50,
>> in=0x7ffff7565640 <_IO_2_1_stdin_>) at shell.c:3697
>>
>> -- test4.sql --
>> select n()AND+#00;
>> -- eof --
>>
>> This dies for me at:
>>
>> #0  sqlite3ExprIsInteger (p=p@entry=0xa9edb8,
>> pValue=pValue@entry=0x7fffffffc9a4) at sqlite3.c:16463
>> #1  0x00000000004f3aed in sqlite3ExprIsInteger (pValue=0x7fffffffc9a4,
>> p=0xa9edb8) at sqlite3.c:81085
>> #2  exprAlwaysFalse (p=0xa9edb8) at sqlite3.c:15665
>> #3  sqlite3ExprAnd (db=0xa8d598, pLeft=0xa9eeb8, pRight=0xa9edb8) at
>> sqlite3.c:15682
>> #4  0x0000000000687b86 in sqlite3PExpr (pParse=0xa9f0c8, op=72,
>> pLeft=0xa9eeb8, pRight=0xa9edb8, pToken=0x0)
>>     at sqlite3.c:81167
>> #5  0x0000000000752a7c in spanBinaryExpr (pLeft=<optimized out>,
>> pLeft=<optimized out>, pRight=<optimized out>,
>>     pRight=<optimized out>, op=<optimized out>, pParse=<optimized
>> out>, pOut=<optimized out>) at sqlite3.c:120313
>> #6  yy_reduce (yyruleno=<optimized out>, yypParser=<optimized out>) at
>> sqlite3.c:57482
>> #7  sqlite3Parser (yyp=0xa9f368, yymajor=-13916, yyminor=...,
>> pParse=0x3d5, pParse@entry=0xa9f0c8) at sqlite3.c:58144
>>
>> /mz
>> _______________________________________________
>> sqlite-users mailing list
>> sqlite-users@sqlite.org
>> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>>
>
>
> --
> D. Richard Hipp
> d...@sqlite.org



-- 
Andreas Kupries
Senior Tcl Developer
Code to Cloud: Smarter, Safer, Faster™
F: 778.786.1133
andre...@activestate.com, http://www.activestate.com
Learn about Stackato for Private PaaS: http://www.activestate.com/stackato
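As an added example (not code from the thread or from the SQLite project), a small triage harness that runs each of the four SQL inputs Michal posted in its own child interpreter, so a NULL-pointer dereference inside the library kills only the child, and classifies each case as handled, rejected with an SQL error, crashed, or hung (the denial-of-service case). The child script, the `Outcome` class and the exit-code convention are my own assumptions.

```python
import signal
import subprocess
import sys
from dataclasses import dataclass

# The four inline test cases from the thread, verbatim.
TEST_CASES = {
    "test1.sql": "create table t0(t);insert into t0\nselect strftime();",
    "test2.sql": "DETACH(select group_concat(q));",
    "test3.sql": "select(select strftime());",
    "test4.sql": "select n()AND+#00;",
}

# Child program (my construction): runs SQL from stdin on an in-memory DB.
# Exit 0 = handled, exit 1 = SQL error; death by signal = library crash.
CHILD = r"""
import sqlite3, sys
try:
    sqlite3.connect(":memory:").executescript(sys.stdin.read())
    print("ok")
except sqlite3.Error as e:
    print("sqlerror:", e)
    sys.exit(1)
"""

@dataclass
class Outcome:
    name: str
    kind: str    # "ok", "sqlerror", "crash:<SIGNAL>" or "hang"
    detail: str

def run_case(name, sql, timeout=10.0):
    """Run one input in its own interpreter so a NULL deref kills only the child."""
    try:
        proc = subprocess.run([sys.executable, "-c", CHILD], input=sql,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return Outcome(name, "hang", f"no result within {timeout:.0f}s")
    rc = proc.returncode
    if rc < 0:  # POSIX: killed by a signal, e.g. SIGSEGV on a NULL pointer deref
        try:
            sig = signal.Signals(-rc).name
        except ValueError:
            sig = f"signal {-rc}"
        return Outcome(name, "crash:" + sig, proc.stderr.strip())
    return Outcome(name, "ok" if rc == 0 else "sqlerror", proc.stdout.strip())

def run_all(cases=TEST_CASES):
    """Triage every case; a defender wants no 'crash' or 'hang' rows here."""
    return [run_case(n, s) for n, s in cases.items()]
```

Against an SQLite build that predates the fix linked above, test1 and test3 show up as `crash:SIGSEGV`; against a fixed build every row is `ok` or `sqlerror`, which makes the harness a cheap regression check to keep beside the fuzzer's crash directory.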