New issue
Advanced search Search tips

Issue 913235 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jan 15
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in checkList

Project Member Reported by ClusterFuzz, Dec 9

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5398973764075520

Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  checkList
  sqlite3BtreeIntegrityCheck
  sqlite3VdbeExec
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=614851:614852

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5398973764075520

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 9

Components: Internals>Storage
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 9

Cc: pwnall@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Project Member

Comment 3 by ClusterFuzz, Dec 9

Labels: Test-Predator-Auto-Owner
Owner: mpdenton@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e3140a8f27345d395ea75fe619d730951a438e89 (Run SQLite DBFuzz2 on ClusterFuzz to fuzz for data corruption).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: -pwnall@chromium.org mpdenton@chromium.org
Owner: pwnall@chromium.org
I sent this one upstream.
Cc: drhsql...@gmail.com danielk1...@gmail.com
Richard and Dan, could you please let me know the URL of the check-in that fixed this?

dbfuzz2 test case attached. Stack trace below.

../../third_party/sqlite/amalgamation/sqlite3.c:72450:11: runtime error: signed integer overflow: 2097151999 - -513466266 cannot be represented in type 'int'
    #0 0x55d6219a762d in checkList third_party/sqlite/amalgamation/sqlite3.c:72450:11
    #1 0x55d6219895fb in sqlite3BtreeIntegrityCheck third_party/sqlite/amalgamation/sqlite3.c:72860:3
    #2 0x55d62197119f in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88953:7
    #3 0x55d621935751 in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81427:10
    #4 0x55d62193004a in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81490:16
    #5 0x55d62193a7a2 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118075:12
    #6 0x55d621846d98 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5

clusterfuzz-testcase-minimized-sqlite3_dbfuzz2_fuzzer-5398973764075520
40 bytes View Download
Fixed by SQLite check-in https://sqlite.org/src/info/395599116d801324
Status: Started (was: Assigned)
Thank you very much for the quick response, Richard! I am backporting this.

I just looked this up in N2176 [1] (the last C17 draft), and unsigned->signed conversion is implementation-defined -- S 6.3.1.3. I suspect this means we'll get a UBSan warning for the if on line 9428.
Project Member

Comment 9 by bugdroid1@chromium.org, Jan 14

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0abd626ef136c39711131a2ad9947cb61d6b4b7f

commit 0abd626ef136c39711131a2ad9947cb61d6b4b7f
Author: Victor Costan <pwnall@chromium.org>
Date: Mon Jan 14 22:15:54 2019

sqlite: Backport a few more bug fixes.

Bug:  913235 ,  914022 ,  914023 ,  914027 ,  914155 , 914507,  914648 ,  914970 ,  915499 , 921298, 921348, 921355
Change-Id: I8a03ded5cda06ac60adfc63cd71487f5161b21e6
Reviewed-on: https://chromium-review.googlesource.com/c/1408357
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622627}
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/ext/fts3/fts3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/insert.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/pcache1.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/vdbeaux.c

Project Member

Comment 10 by ClusterFuzz, Jan 15

ClusterFuzz has detected this issue as fixed in range 622600:622639.

Detailed report: https://clusterfuzz.com/testcase?key=5398973764075520

Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  checkList
  sqlite3BtreeIntegrityCheck
  sqlite3VdbeExec
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=614851:614852
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=622600:622639

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5398973764075520

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by ClusterFuzz, Jan 15

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5398973764075520 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment