
Issue 657486


Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Out-of-memory in sqlite3_prepare_v2_fuzzer

Reported by ClusterFuzz (Project Member), Oct 19 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6567498143236096

Fuzzer: libfuzzer_sqlite3_prepare_v2_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory
Crash Address: 
Crash State:
  sqlite3_prepare_v2_fuzzer
  

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96EO5O8RLNaBiGvnwfmxLPoYf8R9gtHLIrAmxW-ZIrAFj8w3uggnKA6QQ1Fsc2BkFV1p5W_nmpGa0qnQAoggk7UhpXfsI2If1kz42fnJ2Kn2vPn7Se7pY6btswdfUjoGyJg90bflzDd0wJC8AvlIN4FfGGi5Q?testcase_id=6567498143236096
 DETACH randomblob(6e8)


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by mmoroz@google.com, Nov 11 2016

Cc: mmoroz@chromium.org infe...@chromium.org kcc@chromium.org js...@chromium.org aizatsky@chromium.org
Strange that the bug is untriaged for 2+ weeks.

The testcase:
 DETACH randomblob(6e8)


wants to generate 600 MB of random data, so the ASan build uses 1,200+ MB, while the MSan build exceeds the OOM limit.



Another case I hit locally pretty quickly:

$ cat oom-aacb833e0f5761d24d85430592fcbfa31e7bc72d | xxd
00000000: bc53 454c 4543 5420 7072 696e 7466 2827  .SELECT printf('
00000010: 0a25 2a65 202d 2022 6122 2c62 2220 272c  .%*e - "a",b" ',
00000020: 3545 3929                                5E9)

No idea what the query means, but 5e9 is 5 billion and this number leads to huge memory consumption.

I think we can try to search for patterns like:
\d+[eE]\d+

and replace the trailing number with "<zero_padding>1".

Comment 2 by mmoroz@google.com, Nov 11 2016

Hm, to keep things simpler, it would be better to return 0 for inputs with these large numbers, like we do for inputs with the REGEXP keyword: https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/sqlite3_prepare_v2_fuzzer.cc?l=41


Comment 3 by mmoroz@google.com, Nov 11 2016

No, it seems to be a hard and stupid solution.

I hope there are ways to restrict the memory usage of sqlite3 (https://www.sqlite.org/c3ref/soft_heap_limit64.html) that could help avoid large allocations.

Comment 4 by mmoroz@google.com, Nov 11 2016

Hm, that's a soft limit which doesn't lead to SQLITE_NOMEM error :/

Comment 5 by mmoroz@google.com, Nov 11 2016

sqlite3_limit(db,SQLITE_LIMIT_LENGTH,size) from https://www.sqlite.org/limits.html

seems to be working for me.

Comment 6 by mmoroz@google.com, Nov 11 2016

Owner: mmoroz@chromium.org
Status: Started (was: Untriaged)
Will upload a CL soon (+ will move the fuzzer to third_party/sqlite)

Comment 7 by mmoroz@google.com, Nov 11 2016

https://codereview.chromium.org/2497603002/

Also did the same change on oss-fuzz.

Comment 9 by ClusterFuzz (Project Member), Nov 12 2016

ClusterFuzz has detected this issue as fixed in range 431586:431621.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6567498143236096

Fuzzer: libfuzzer_sqlite3_prepare_v2_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory
Crash Address: 
Crash State:
  sqlite3_prepare_v2_fuzzer
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=431586:431621

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96EO5O8RLNaBiGvnwfmxLPoYf8R9gtHLIrAmxW-ZIrAFj8w3uggnKA6QQ1Fsc2BkFV1p5W_nmpGa0qnQAoggk7UhpXfsI2If1kz42fnJ2Kn2vPn7Se7pY6btswdfUjoGyJg90bflzDd0wJC8AvlIN4FfGGi5Q?testcase_id=6567498143236096
 DETACH randomblob(6e8)


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by mmoroz@google.com, Nov 14 2016

Status: Fixed (was: Started)

Comment 11 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
