On 07/15/2015 06:59 PM, Richard Hipp wrote:
> On 7/15/15, Török Edwin <edwin+sqlite3 at etorok.net> wrote:
>>>
>>> 1) unknown-crash (might be due to some alignment requirements in asan):
>>
>> Build with clang 3.4 shows a heap-use-after-free instead of unknown-crash,
>> and building a normal (just ./configure) executable with GCC and running
>> under valgrind shows an invalid read too, so this
>> does seem to be a real bug after all:
>
> This is not a heap-use-after-free. This is a read-past-end-of-buffer.
> (Probably clang is confused because the buffer we are reading off the
> end of is immediately followed by another allocation that was
> previously freed.)
>
> This is a *read* off the end of a buffer only - not a write. And it
> only comes up on certain types of very obscure database file
> corruption. Basically, you have to engineer the database corruption
> to make this happen - it will never occur by accident.
>
> SQLite can be made to detect the database corruption prior to the
> buffer over-read by setting:
>
> PRAGMA cell_size_check=ON;

Thanks, do I still need to turn this on if I run 'PRAGMA integrity_check'?

> See https://www.sqlite.org/draft/pragma.html#pragma_cell_size_check
> for additional information on the cell_size_check pragma. Turning
> cell_size_check on will always prevent the buffer overread, but it
> also involves a noticeable performance hit. So it is off by default,
> since the vast majority of the billions of SQLite instances out there
> will never encounter a maliciously corrupted database file, and even
> if they do the worst that can happen is a buffer over-*read*, not an
> over-write, and hence is not a security concern.
>
> That said, applications that open and read SQLite database files
> received from untrusted sources might want to set cell_size_check=ON
> out of an abundance of caution.
>
> Give fuzzcheck the --cell-size-check command-line option to engage the
> cell_size_check pragma, in order to prevent problems being reported by
> -fsanitize or by valgrind. You will notice that we already do the
> same in the "valgrindfuzz" target of the makefile:
> https://www.sqlite.org/src/artifact/6e8af213?ln=1050

Indeed fuzzcheck with --cell-size-check finishes successfully now, thanks for the detailed explanation.

Could you add a short comment in the Makefile explaining that cell-size-check is needed if you build with sanitizers/memory debugging tools?

Thanks,
--Edwin
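The pattern the thread recommends for files from untrusted sources, as an added example that is not part of the thread and not SQLite's own code: open the file read-only, switch on PRAGMA cell_size_check before touching any table (it is a per-connection setting, off by default), verify it actually took effect on this build, and run PRAGMA integrity_check before handing the connection to the application. It uses only Python's standard-library sqlite3 module; the sample database it builds is constructed here purely so the script runs stand-alone.

```python
"""Open a possibly untrusted SQLite file with cell_size_check=ON and an
integrity_check gate.  Added example for this thread, not code from SQLite
or from either poster.  Assumes the standard-library sqlite3 module and an
SQLite library new enough to know PRAGMA cell_size_check."""
import os
import pathlib
import sqlite3
import tempfile


def open_untrusted(path):
    """Return a read-only connection with cell_size_check enabled, or raise."""
    # mode=ro: we only read a file we did not produce ourselves.
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    # Turn on the per-cell bounds checks before any page is parsed for a query.
    conn.execute("PRAGMA cell_size_check=ON")
    # Read the setting back: an old library silently ignores unknown pragmas.
    if conn.execute("PRAGMA cell_size_check").fetchone()[0] != 1:
        conn.close()
        raise RuntimeError("this SQLite build does not support cell_size_check")
    # integrity_check walks every page; a clean file answers with a single "ok".
    findings = [row[0] for row in conn.execute("PRAGMA integrity_check")]
    if findings != ["ok"]:
        conn.close()
        raise sqlite3.DatabaseError("integrity_check failed: " + "; ".join(findings))
    return conn


def make_sample_db():
    """Write a small, well-formed database (constructed sample input)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE t(x INTEGER, y TEXT)")
    conn.executemany("INSERT INTO t VALUES(?, ?)",
                     [(i, "row%d" % i) for i in range(100)])
    conn.commit()
    conn.close()
    return path


def demo():
    """Open the constructed sample through the checks; return (row count, pragma value)."""
    path = make_sample_db()
    conn = open_untrusted(path)
    try:
        count = conn.execute("SELECT count(*) FROM t").fetchone()[0]
        check = conn.execute("PRAGMA cell_size_check").fetchone()[0]
    finally:
        conn.close()
        os.remove(path)
    return count, check


if __name__ == "__main__":
    print(demo())
```

The read-back of the pragma matters in practice: a library that predates cell_size_check accepts the PRAGMA statement without error and simply leaves the check off, so a deployment that relies on it should confirm the value rather than trust the statement succeeded.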