On 1/8/15, Michal Zalewski <lcam...@coredump.cx> wrote:

> I have been running afl-fuzz against sqlite and bumped in a bunch of
> bugs that seem to crash the sqlite3 binary

Fixed here: https://www.sqlite.org/src/info/fe578863313128

Bug report for your trophy case: https://www.sqlite.org/src/info/a59ae93ee990a55

Nice work.  I've never heard of afl-fuzz before, but you can bet I'm
going to be studying up on it!


> (but do not seem to be a
> security problem, other than in the denial-of-service sense). There
> are four seemingly distinct patterns, with test cases included inline:
>
> -- test1.sql --
> create table t0(t);insert into t0
> select strftime();
> -- eof --
>
> This one is a failure in:
>
> sqlite3DbMallocRaw (db=0x2, n=32) at sqlite3.c:20567
> 20567       if( db->mallocFailed ){
>
> where db looks like something in the vicinity of NULL.
>
> #0  sqlite3DbMallocRaw (db=0x2, n=32) at sqlite3.c:20567
> #1  0x000000000053b17c in sqlite3VdbeMemGrow
> (pMem=pMem@entry=0xa9f4d8, n=<optimized out>, n@entry=32,
>     bPreserve=bPreserve@entry=0) at sqlite3.c:61789
> #2  0x000000000057c904 in sqlite3VdbeMemClearAndResize (szNew=32,
> pMem=0xa9f4d8) at sqlite3.c:61831
> #3  sqlite3VdbeMemStringify (pMem=0xa9f4d8, enc=<optimized out>,
> bForce=<optimized out>) at sqlite3.c:61949
> #4  0x000000000057cf40 in valueToText (pVal=0xa9f4d8, enc=enc@entry=1
> '\001') at sqlite3.c:62681
> #5  0x000000000057d166 in sqlite3ValueText (pVal=<optimized out>,
> enc=1 '\001') at sqlite3.c:62714
> #6  0x0000000000598fcd in sqlite3_value_text (pVal=<optimized out>) at
> sqlite3.c:67471
> #7  strftimeFunc (context=0x7fffffffca90, argc=0, argv=0xa9f358) at
> sqlite3.c:15657
>
> -- test2.sql --
> DETACH(select group_concat(q));
> -- eof --
>
> That one looks like a distinct NULL ptr deref:
>
> exprSrcCount (pWalker=<optimized out>, pExpr=0xa9eec8) at sqlite3.c:84694
> 84694       for(i=0; i<pSrc->nSrc; i++){
>
> #0  exprSrcCount (pWalker=<optimized out>, pExpr=0xa9eec8) at
> sqlite3.c:84694
> #1  0x00000000004fb86f in sqlite3WalkExpr (pWalker=0x7fffffffc400,
> pExpr=0xa9eec8) at sqlite3.c:79072
> #2  0x000000000069193f in sqlite3WalkExprList (p=<optimized out>,
> pWalker=0x7fffffffc400) at sqlite3.c:79095
> #3  sqlite3FunctionUsesThisSrc (pExpr=0xa9ed48, pSrcList=0x0) at
> sqlite3.c:19186
> #4  resolveExprStep (pWalker=pWalker@entry=0x7fffffffc480,
> pExpr=pExpr@entry=0xa9ed48) at sqlite3.c:14402
> #5  0x0000000000692bcb in sqlite3WalkExpr (pExpr=0xa9ed48,
> pWalker=0x7fffffffc480) at sqlite3.c:79072
> #6  sqlite3ResolveExprNames (pNC=0x7fffffffc550, pExpr=0xa9ed48) at
> sqlite3.c:15026
> #7  0x0000000000694b2b in resolveSelectStep (pWalker=<optimized out>,
> p=<optimized out>) at sqlite3.c:80402
> ...
>
> -- test3.sql --
> select(select strftime());
> -- eof --
>
> Faults in:
>
> sqlite3ValueText (pVal=0x1, enc=1 '\001') at sqlite3.c:62708
> 62708     if( (pVal->flags&(MEM_Str|MEM_Term))==(MEM_Str|MEM_Term) &&
> pVal->enc==enc ){
>
> #0  sqlite3ValueText (pVal=0x1, enc=1 '\001') at sqlite3.c:62708
> #1  0x0000000000598fcd in sqlite3_value_text (pVal=<optimized out>) at
> sqlite3.c:67471
> #2  strftimeFunc (context=0x7fffffffca90, argc=0, argv=0xaa02d8) at
> sqlite3.c:15657
> #3  0x00000000007883fb in sqlite3VdbeExec (p=0xa8d5a8) at sqlite3.c:70606
> #4  0x00000000007aaf11 in sqlite3Step (p=0xaa0018) at sqlite3.c:67809
> #5  sqlite3_step (pStmt=<optimized out>) at sqlite3.c:2339
> #6  0x0000000000425228 in shell_exec (db=0xa8d5a8,
> zSql=zSql@entry=0xa8d510 "select(select strftime());",
>     pArg=pArg@entry=0x7fffffffcf50,
> pzErrMsg=pzErrMsg@entry=0x7fffffffce68, xCallback=0x41dd80
> <shell_callback>)
>     at shell.c:1365
> #7  0x000000000042a933 in process_input (p=p@entry=0x7fffffffcf50,
> in=0x7ffff7565640 <_IO_2_1_stdin_>) at shell.c:3697
>
> -- test4.sql --
> select n()AND+#00;
> -- eof --
>
> This dies for me at:
>
> #0  sqlite3ExprIsInteger (p=p@entry=0xa9edb8,
> pValue=pValue@entry=0x7fffffffc9a4) at sqlite3.c:16463
> #1  0x00000000004f3aed in sqlite3ExprIsInteger (pValue=0x7fffffffc9a4,
> p=0xa9edb8) at sqlite3.c:81085
> #2  exprAlwaysFalse (p=0xa9edb8) at sqlite3.c:15665
> #3  sqlite3ExprAnd (db=0xa8d598, pLeft=0xa9eeb8, pRight=0xa9edb8) at
> sqlite3.c:15682
> #4  0x0000000000687b86 in sqlite3PExpr (pParse=0xa9f0c8, op=72,
> pLeft=0xa9eeb8, pRight=0xa9edb8, pToken=0x0)
>     at sqlite3.c:81167
> #5  0x0000000000752a7c in spanBinaryExpr (pLeft=<optimized out>,
> pLeft=<optimized out>, pRight=<optimized out>,
>     pRight=<optimized out>, op=<optimized out>, pParse=<optimized
> out>, pOut=<optimized out>) at sqlite3.c:120313
> #6  yy_reduce (yyruleno=<optimized out>, yypParser=<optimized out>) at
> sqlite3.c:57482
> #7  sqlite3Parser (yyp=0xa9f368, yymajor=-13916, yyminor=...,
> pParse=0x3d5, pParse@entry=0xa9f0c8) at sqlite3.c:58144
>
> /mz
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>


-- 
D. Richard Hipp
d...@sqlite.org
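The four crashers above are small enough to keep as a permanent regression set. The script below is an added example, not code from this thread or from the SQLite project: it replays each case against the SQLite build linked into Python's sqlite3 module, one child interpreter per case, so that a real crash (a signal such as SIGSEGV) in one input is reported as "crash" instead of killing the triage loop, and a clean SQL error (the desired outcome for malformed input) is reported as "error". The test-case texts are the ones posted by Michal Zalewski; the harness, its function names and its four-way classification are assumptions of this example, and signal-based crash detection assumes a POSIX host.

```python
"""Replay afl-fuzz SQL crash cases against Python's bundled SQLite.

Added example; not code from the mailing-list thread or from SQLite itself.
Each case runs in its own child interpreter so a genuine crash (SIGSEGV,
SIGABRT) shows up as a negative exit status in the parent instead of
taking the triage loop down with it. Assumes a POSIX host.
"""
import signal
import sqlite3
import subprocess
import sys

# The four crashers as posted, keyed by the names used in the post.
TEST_CASES = {
    "test1.sql": "create table t0(t);insert into t0\nselect strftime();",
    "test2.sql": "DETACH(select group_concat(q));",
    "test3.sql": "select(select strftime());",
    "test4.sql": "select n()AND+#00;",
}

# Program run by the child interpreter.  The SQL arrives as argv[1], so no
# quoting into a -c string is needed.  An ordinary sqlite3.Error is the
# correct result for malformed input; it is reported on stdout with exit
# status 0 so the parent can tell it apart from a crash.
_CHILD = r"""
import sqlite3, sys
con = sqlite3.connect(":memory:")
try:
    con.executescript(sys.argv[1])
except sqlite3.Error as e:
    print("sqlite-error: " + str(e))
    sys.exit(0)
print("ok")
"""


def run_case(sql, timeout=10):
    """Run one SQL script in a child interpreter.

    Returns (status, detail) with status one of:
      "ok"    - executed without error
      "error" - SQLite raised an ordinary error (detail is the message)
      "crash" - the child died from a signal or a non-zero exit
      "hang"  - the child exceeded the timeout (a DoS in its own right)
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, sql],
            capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang", "no result after %ds" % timeout
    if proc.returncode < 0:
        # Killed by a signal: this is the outcome the fuzzer found in 2015.
        return "crash", signal.Signals(-proc.returncode).name
    out = proc.stdout.strip()
    if out.startswith("sqlite-error: "):
        return "error", out[len("sqlite-error: "):]
    if proc.returncode != 0:
        return "crash", "exit status %d: %s" % (
            proc.returncode, proc.stderr.strip())
    return "ok", out


def triage(cases=TEST_CASES):
    """Replay every case; returns {name: (status, detail)}."""
    return {name: run_case(sql) for name, sql in cases.items()}


def crashers(results):
    """Names of the cases that still crash or hang, i.e. still need a fix."""
    return sorted(n for n, (s, _) in results.items() if s in ("crash", "hang"))


if __name__ == "__main__":
    res = triage()
    for name, (status, detail) in res.items():
        print("%-10s %-6s %s" % (name, status, detail))
    bad = crashers(res)
    print("sqlite %s: %d of %d cases still crash or hang"
          % (sqlite3.sqlite_version, len(bad), len(res)))
    sys.exit(1 if bad else 0)
```

Against any SQLite that carries the fix linked above, all four cases come back as "ok" or "error" and the script exits 0; a build that predates the fix reports "crash SIGSEGV" for the affected inputs. Pointing the same loop at an afl-fuzz `crashes/` directory instead of `TEST_CASES` turns it into a first-pass triage for new findings.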