sqlite3ExprCompare Null-ptr dereference
Issue description
-- Fuzzer-generated reproducer for the crash reported below.
-- The table carries several CHECK constraints whose expressions are RAISE() calls:
-- RAISE(ROLLBACK, '') with an empty message, RAISE(IGNORE) with no message at all,
-- and a RAISE(ROLLBACK, '...') with a long message. The ASan report shows a NULL
-- READ inside strcmp() called from sqlite3ExprCompare (frames #0/#1), reached while
-- constraint-check code is generated for the INSERT (sqlite3GenerateConstraintChecks
-- <- sqlite3Insert) during statement preparation (sqlite3Prepare <- sqlite3_prepare_v2),
-- i.e. the fault happens at prepare time, before any row is stepped.
-- NOTE(review): a plausible reading is that sqlite3ExprCompare compares the RAISE message
-- strings and RAISE(IGNORE) carries none -- this page does not confirm the root cause.
-- Impact per the report: a read of the zero page (SEGV), so a crash of the process
-- hosting SQLite; no write or heap corruption is indicated. Per the comments below it
-- still reproduced on SQLite 3.26 and was fixed by upstream check-in ddf06db702.
CREATE TABLE Table0 (Col10 , CHECK(RAISE(ROLLBACK , '') ) , CHECK(RAISE(IGNORE) ) , CHECK(1) , CONSTRAINT TableConstraint0 CHECK(RAISE(ROLLBACK , 'DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD') ) , CONSTRAINT TableConstraint4 CHECK(1) , CHECK(RAISE(ROLLBACK , '') ) ) ;
-- Preparing this statement is what triggers generation of the CHECK-constraint code
-- for Table0 (trace frames #5/#6); the crash occurs in sqlite3_prepare_v2, not at step.
INSERT OR REPLACE INTO Table0 DEFAULT VALUES ;
------------------------
AddressSanitizer:DEADLYSIGNAL
=================================================================
==114560==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5560c7f6c435 bp 0x7fff430564f0 sp 0x7fff43055c70 T0)
==114560==The signal is caused by a READ memory access.
==114560==Hint: address points to the zero page.
#0 0x5560c7f6c434 in __interceptor_strcmp /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:428:25
#1 0x7f23c7d00a27 in sqlite3ExprCompare /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:100658:15
#2 0x7f23c7ceeaea in sqlite3ExprCodeAtInit /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:99968:30
#3 0x7f23c7cee432 in sqlite3ExprCodeTemp /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:100006:10
#4 0x7f23c7d0f104 in sqlite3ExprIfTrue /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:100367:14
#5 0x7f23c7de263b in sqlite3GenerateConstraintChecks /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:116585:7
#6 0x7f23c7cbdb0a in sqlite3Insert /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:116237:7
#7 0x7f23c7c7c51a in yy_reduce /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:149276:3
#8 0x7f23c7c716ee in sqlite3Parser /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:150067:15
#9 0x7f23c7a9df38 in sqlite3RunParser /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:151168:5
#10 0x7f23c7c6799b in sqlite3Prepare /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:122980:5
#11 0x7f23c7a9a5de in sqlite3LockAndPrepare /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:123073:10
#12 0x7f23c7a998bc in chrome_sqlite3_prepare_v2 /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/amalgamation/sqlite3.c:123156:8
#13 0x5560c80a7388 in RunSqlQueries(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >) /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/fuzz/sql_run_queries.cc:93:10
#14 0x5560c8033bb3 in TestOneProtoInput(sql_query_grammar::SQLQueries const&) /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/fuzz/sql_fuzzer.cc:30:3
#15 0x5560c8032d86 in LLVMFuzzerTestOneInput /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/sqlite/fuzz/sql_fuzzer.cc:18:1
#16 0x5560c80e7cd1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:571:15
#17 0x5560c80bd91d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:280:6
#18 0x5560c80c6474 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:713:9
#19 0x5560c8108559 in main /usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/../../third_party/libFuzzer/src/FuzzerMain.cpp:20:10
#20 0x7f23c638a2b0 in __libc_start_main ??:0:0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/local/google/home/mpdenton/chromium/src/out/libfuzzer/sqlite3_lpm_fuzzer+0x286434)
==114560==ABORTING
Dec 12
Still reproduces on sqlite 3.26.
Jan 11
Richard and Dan, was this bug also fixed by https://sqlite.org/src/info/ddf06db702761d66 ? Thank you very much!
Jan 11
Confirmed. Fixed by check-in https://sqlite.org/src/info/ddf06db702
Jan 11
Comment 1 by mpdenton@chromium.org
, Dec 3