On 1/27/15, Michal Zalewski <lcam...@coredump.cx> wrote:
> One more find. Tested on 64-bit x86 Linux box, version 3.8.8.1.
>
> printf "create table t0(\211 DEFAULT(0=0)NOT/**/NULL);REPLACE into t0
> select'';" >test.sql
>
> ./sqlite_asan <test.sql
>

Thanks.  Fix is here: https://www.sqlite.org/src/info/e098de69100


> This does not crash under normal conditions, but both ASAN and
> Valgrind claim an out-of-bound read, so they are probably not wrong.
>
> ASAN:
>
> ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60800000b898 at pc 0x00000090427c bp 0x7fffffff1cf0 sp
> 0x7fffffff1ce8
> READ of size 8 at 0x60800000b898 thread T0
>     #0 0x90427b in sqlite3ExprCollSeq
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x90427b)
>     #1 0x98e96a in sqlite3BinaryCompareCollSeq
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x98e96a)
>     #2 0x96f78b in codeCompare
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x96f78b)
>     #3 0x97c15c in sqlite3ExprCodeTarget
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x97c15c)
>     #4 0x977fae in sqlite3ExprCode
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x977fae)
>     #5 0x9c11b3 in sqlite3GenerateConstraintChecks
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x9c11b3)
>     #6 0x8a87a2 in sqlite3Insert
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x8a87a2)
>     #7 0x83f810 in yy_reduce (/home/lcamtuf/afl/BIN/sqlite3_asan+0x83f810)
>     ...
>
> 0x60800000b898 is located 32 bytes to the right of 88-byte region
> [0x60800000b820,0x60800000b878)
> allocated by thread T0 here:
>     #0 0x49d9cb in __interceptor_malloc
> /root/COMP/llvm-3.5.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
>     #1 0x7e5cb1 in sqlite3MemMalloc
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x7e5cb1)
>     #2 0xc5c7b7 in mallocWithAlarm
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0xc5c7b7)
>     #3 0x4f74bb in sqlite3Malloc
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x4f74bb)
>     #4 0x557a99 in sqlite3DbMallocRaw
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x557a99)
>     #5 0x91d2ba in exprDup (/home/lcamtuf/afl/BIN/sqlite3_asan+0x91d2ba)
>     #6 0x918e69 in sqlite3ExprDup
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x918e69)
>     #7 0x859923 in sqlite3AddDefaultValue
> (/home/lcamtuf/afl/BIN/sqlite3_asan+0x859923)
>     ...
>
> Valgrind:
>
> ==16603== Invalid read of size 8
> ==16603==    at 0x5D8670: sqlite3ExprCollSeq (sqlite3.c:81927)
> ==16603==    by 0x60F29A: codeCompare (sqlite3.c:82059)
> ==16603==    by 0x6B39F5: sqlite3ExprCodeTarget (sqlite3.c:84448)
> ==16603==    by 0x6B8A01: sqlite3ExprCode (sqlite3.c:85009)
> ==16603==    by 0x411402: sqlite3GenerateConstraintChecks (sqlite3.c:99766)
> ==16603==    by 0x78C1BE: sqlite3Insert (sqlite3.c:99507)
> ==16603==    by 0x7AD4B5: sqlite3Parser (sqlite3.c:124334)
> ==16603==    by 0x7BE668: sqlite3RunParser (sqlite3.c:125943)
> ==16603==    by 0x7C1129: sqlite3Prepare (sqlite3.c:105025)
> ==16603==    by 0x7C25D0: sqlite3LockAndPrepare.part.504 (sqlite3.c:105120)
> ==16603==    by 0x7C800D: sqlite3_prepare_v2 (sqlite3.c:105115)
> ==16603==    by 0x425315: shell_exec.constprop.11 (shell.c:1433)
> ==16603==  Address 0x5635c68 is 24 bytes before a block of size 16 alloc'd
> ==16603==    at 0x4C2845D: malloc (in
> /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==16603==    by 0x56195E: sqlite3MemMalloc (sqlite3.c:16881)
> ==16603==    by 0x49694F: sqlite3Malloc (sqlite3.c:20509)
> ==16603==    by 0x497747: sqlite3DbMallocRaw (sqlite3.c:20906)
> ==16603==    by 0x58AED4: sqlite3AddDefaultValue (sqlite3.c:20991)
> ==16603==    by 0x7AC913: sqlite3Parser (sqlite3.c:123890)
> ==16603==    by 0x7BE668: sqlite3RunParser (sqlite3.c:125943)
> ==16603==    by 0x7C1129: sqlite3Prepare (sqlite3.c:105025)
> ==16603==    by 0x7C25D0: sqlite3LockAndPrepare.part.504 (sqlite3.c:105120)
> ==16603==    by 0x7C2C4F: sqlite3LockAndPrepare.constprop.573
> (sqlite3.c:105115)
> ==16603==    by 0x7C34A4: sqlite3InitCallback (sqlite3.c:105184)
> ==16603==    by 0x757DD0: sqlite3_exec (sqlite3.c:100669)
>
> Cheers,
> /mz
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>


-- 
D. Richard Hipp
d...@sqlite.org
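Reports like the ASan one quoted above are what a fuzzing triage queue fills up with. The script below is an added example, not part of this thread or of SQLite: it parses the fields of an ASan heap-buffer-overflow report, cross-checks the "located N bytes to the right of" sentence against the region bounds ASan prints, and derives a dedup key from the top program frames (sanitizer runtime frames such as `__interceptor_malloc` are skipped). The sample report is constructed from the one in the thread, with paths shortened.

```python
import re

# Constructed sample: the ASan report quoted in the thread, cut to the lines the parser reads.
ASAN_SAMPLE = """\
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b898 at pc 0x00000090427c
READ of size 8 at 0x60800000b898 thread T0
    #0 0x90427b in sqlite3ExprCollSeq (sqlite3_asan+0x90427b)
    #1 0x98e96a in sqlite3BinaryCompareCollSeq (sqlite3_asan+0x98e96a)
    #2 0x96f78b in codeCompare (sqlite3_asan+0x96f78b)
0x60800000b898 is located 32 bytes to the right of 88-byte region [0x60800000b820,0x60800000b878)
allocated by thread T0 here:
    #0 0x49d9cb in __interceptor_malloc asan_malloc_linux.cc:40:3
    #1 0x7e5cb1 in sqlite3MemMalloc (sqlite3_asan+0x7e5cb1)
"""

ERROR_RE = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (?P<func>\S+)", re.M)
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of "
                       r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
# Frames belonging to the sanitizer runtime rather than to the program under test.
RUNTIME_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_")

def parse_asan(report: str) -> dict:
    """Pull the fields a triage script needs out of one ASan heap-overflow report."""
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    # Frames before "allocated by" are the faulting access; frames after it, the allocation.
    head, _, tail = report.partition("allocated by")
    return {
        "kind": err["kind"], "access": acc["access"], "size": int(acc["size"]),
        "addr": int(acc["addr"], 16), "offset": int(reg["off"]), "side": reg["side"],
        "region": (int(reg["lo"], 16), int(reg["hi"], 16)), "region_size": int(reg["rsize"]),
        "access_stack": [m["func"] for m in FRAME_RE.finditer(head)],
        "alloc_stack": [m["func"] for m in FRAME_RE.finditer(tail)],
    }

def region_consistent(r: dict) -> bool:
    """Cross-check the prose against the addresses: region width and distance past its end."""
    lo, hi = r["region"]
    if hi - lo != r["region_size"]:
        return False
    gap = r["addr"] - hi if r["side"] == "right" else lo - r["addr"]
    return gap == r["offset"]

def crash_signature(r: dict, depth: int = 3) -> str:
    """Dedup bucket key: error kind, access type and the top program frames."""
    frames = [f for f in r["access_stack"] if not f.startswith(RUNTIME_PREFIXES)]
    return f"{r['kind']}:{r['access']}:" + ">".join(frames[:depth])
```

For the quoted report, `region_consistent` confirms that 0x60800000b898 really is 32 bytes past the end of the 88-byte block, and the signature groups this crash with any other report whose top frames are sqlite3ExprCollSeq, sqlite3BinaryCompareCollSeq and codeCompare.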