Integer-overflow in sqlite3VdbeExec
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4612307046105088
Fuzzer: libfuzzer_sqlite3_ossfuzz_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  sqlite3VdbeExec
  sqlite3Step
  sqlite3_step
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=433990:434098
Minimized Testcase (0.04 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97Z11QscON8oshVkjGU6yjbHCZIMBYsyGamgR6QbbGlfoxi1srw5wtZzYsDslu8JMqu189hIfa46gsO8yn-A23R-T0lbDV62yVu4ax0UZQCiOJmy_EDtIhSJKvV6uK0QZdkfD7mnD1-gSP4EwzyyXhBM3biAg?testcase_id=4612307046105088
Testcase contents (as extracted, including undecodable bytes):
SELECT?LIMIT (1)-1,~2E51--N� decimal(1,1)�

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Nov 28 2016
Glad to see new bugs found with another fuzz target. Passing it over to sqlite3 OWNER shess@.
Nov 28 2016
Interesting. A cleaner minimization is something like:

SELECT 0 LIMIT 0,~1E20

The 1E20 just needs to be a real number greater than 2^63-1, which ~ (bitwise not) will convert to integer, which will convert to 64-bit maxint before flipping the bits, leaving the -9223372036854775808 for the number of rows to return (in the comma syntax, it's LIMIT ofs,limit). As of our release (checking trunk presently), the implementation checks the limit value for 0, but not for negative, so when it attempts to count down, the bad thing happens. Note that -- is a SQL comment initiator. Due to the "-9223372036854775808 - 1" text, I was completely believing it was a post-decrement, which confused me for a bit.
Nov 28 2016
This still happens on trunk. Also, it's not strictly degenerate, LIMIT with a negative value works like no limit, intentionally. So:

CREATE TABLE t(x);
WITH RECURSIVE c(x) AS (VALUES(1) UNION ALL SELECT x+1 FROM c WHERE x<10) INSERT INTO t SELECT x FROM c;
SELECT * FROM t LIMIT 0, -9223372036854775798; -- No UB to here.
SELECT * FROM t LIMIT 0, -9223372036854775800; -- Sees UB between results 9 and 10.

Is there a way to gateway this into the ossfuzz tracker? I saw that drh was responsive in there. Or should I leave it in this tracker and add drh?
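The two comments above describe the mechanism in prose: a REAL above 2^63-1 clamps to the largest 64-bit integer, bitwise NOT turns that into -9223372036854775808, and a LIMIT counter that is only checked for zero then counts down past INT64_MIN. The C program below is an added illustration written for this page, not SQLite's own code: it models the clamp-then-NOT step, simulates the pre-fix countdown (stopping and flagging where the real decrement would be undefined behaviour) and shows the hardened form in which a negative LIMIT is treated as "no limit" and never decremented. Function names, the LimitResult struct and the saturating conversion are assumptions made for the example; the 10-row table and the two LIMIT values are taken from the comment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the real-to-integer step described in the comments: a REAL at or
 * above 2^63 clamps to the largest int64 before ~ is applied. This is an
 * assumed illustration for this page, not SQLite's conversion routine. */
int64_t clamp_real_to_int64(double r) {
    if (r >= 9223372036854775808.0) return INT64_MAX;   /* 2^63 as a double */
    if (r < -9223372036854775808.0) return INT64_MIN;
    return (int64_t)r;
}

/* LIMIT value produced by "~<real>": clamp, then bitwise NOT.
 * ~INT64_MAX is INT64_MIN, the -9223372036854775808 the reports quote. */
int64_t limit_from_bitwise_not(double r) {
    return ~clamp_real_to_int64(r);
}

typedef struct {
    int  rows_emitted;  /* rows the scan handed back before stopping */
    bool overflow;      /* true if "limit--" would have been signed overflow */
} LimitResult;

/* Pre-fix behaviour as the comment describes it: only zero is checked and the
 * counter is decremented after every row. Instead of executing the undefined
 * decrement, the simulation stops at INT64_MIN and flags it. */
LimitResult countdown_limit_unchecked(int64_t limit, int nrows) {
    LimitResult res = {0, false};
    for (int i = 0; i < nrows; i++) {
        if (limit == 0) break;
        res.rows_emitted++;
        if (limit == INT64_MIN) {   /* INT64_MIN - 1 is undefined behaviour */
            res.overflow = true;
            break;
        }
        limit--;
    }
    return res;
}

/* Hardened version: a negative LIMIT means "no limit" (as the comment notes),
 * so the counter is only ever decremented while it is positive. */
LimitResult countdown_limit_checked(int64_t limit, int nrows) {
    LimitResult res = {0, false};
    for (int i = 0; i < nrows; i++) {
        if (limit == 0) break;
        res.rows_emitted++;
        if (limit > 0) limit--;     /* never touches a negative counter */
    }
    return res;
}

int main(void) {
    /* Constructed inputs: the comment's 10-row table and its two LIMIT values. */
    const int nrows = 10;
    const int64_t ok_limit  = -9223372036854775798LL;
    const int64_t bad_limit = -9223372036854775800LL;

    printf("~1E20 as LIMIT = %lld\n", (long long)limit_from_bitwise_not(1e20));

    LimitResult a = countdown_limit_unchecked(ok_limit, nrows);
    LimitResult b = countdown_limit_unchecked(bad_limit, nrows);
    LimitResult c = countdown_limit_checked(bad_limit, nrows);
    printf("unchecked %lld: %d rows, overflow=%d\n", (long long)ok_limit, a.rows_emitted, (int)a.overflow);
    printf("unchecked %lld: %d rows, overflow=%d\n", (long long)bad_limit, b.rows_emitted, (int)b.overflow);
    printf("checked   %lld: %d rows, overflow=%d\n", (long long)bad_limit, c.rows_emitted, (int)c.overflow);
    return 0;
}
```

With -9223372036854775798 the ten decrements land exactly on INT64_MIN and nothing bad happens; with -9223372036854775800 the counter reaches INT64_MIN after eight rows and the decrement following the ninth row is the one UBSan reports. The checked variant returns all ten rows for either value, which is the intended "negative means unlimited" semantics, and still honours positive limits.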
Nov 29 2016
I have created a ubsan build for SQLite in ossfuzz. It should either find it soon or we'll upload this manually. Oliver, can you create the job on CF?
Nov 29 2016
Done.
Mar 21 2017
ClusterFuzz has detected this issue as fixed in range 458107:458176.

Detailed report: https://clusterfuzz.com/testcase?key=4612307046105088
Fuzzer: libfuzzer_sqlite3_ossfuzz_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  sqlite3VdbeExec
  sqlite3Step
  sqlite3_step
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=433990:434098
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=458107:458176
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv968FeuMzDFh0czeTE98p-UV-njB75vJ2-0iWsGWntuUj_B9Osn4vmKcNi7s-TZNEieVULSbhnGY_yJlkgwJKNAUqZmm6Nuva6VuQETKqKae_xGxIBeCvaAzeGckJXZYSfPPg_b3PXwpodhqPcNLYbE1uCyJvCbDpGe330qM-3jB1JGhFWA1d27fP7sNLx-YLkYFdr_Kwb_oyz9CRVhehttLJvAE3t9n-G10Gn1C3b4ET0W6d-LAu9kUUPpaaZ-IBy6mdvVkHUu4ebOXoexSdY9N3kkpC_q5MN2WZoGxGkn5eSzGHqynYOoyIUCfZkaJmFB8XKV8B5ZvhPRKuYj1ScOuUOQIW4JFO7Je4fzTmLtrlGgsPdI?testcase_id=4612307046105088

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 21 2017
ClusterFuzz testcase 4612307046105088 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Nov 24 2016
Labels: Test-Predator-Wrong M-57
Owner: mmoroz@chromium.org
Status: Assigned (was: Untriaged)