Issue 913820

Issue metadata

Status: Duplicate
Merged: issue 915479
Closed: Dec 20
OS: Linux , Windows
Pri: 1
Type: Bug




Null-dereference READ in sqlite3ExprCompare

Reported by ClusterFuzz (Project Member), Dec 11

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4899767668441088

Fuzzer: libFuzzer_sqlite3_select_expr_lpm_fuzzer
Fuzz target binary: sqlite3_select_expr_lpm_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  sqlite3ExprCompare
  sqlite3ExprCodeAtInit
  sqlite3ExprCodeTemp
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=615326:615355

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4899767668441088

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing_on_windows.md for more information.
 

Comment 1 by ClusterFuzz, Dec 11

Components: Internals>Storage
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz, Dec 11

Cc: mpdenton@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 3 by ClusterFuzz, Dec 11

Labels: Test-Predator-Auto-Owner
Owner: mpdenton@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7d3def8575ecd2e5e2e7ab7f585961206007bd25 (Adds LPM-based SQLite fuzzer).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Owner: pwnall@chromium.org
metzman@ any way to get these automatically assigned to pwnall@ and just have me CC'd?

Cc: mbarbe...@chromium.org
Matthew: Unfortunately I don't think there is.
This is something that happens with many new fuzzers (since the commit that "introduced" the bug is the one that creates the fuzzer).
+mbarbella who may know more about this.

I can't think of any quick fix that would help here. I've thought of trying to blacklist fuzzer commits in the past but even those tend to be helpful most of the time since the author has a fair amount of context on the fuzzer (though they didn't usually introduce the bug). Luckily, once the initial batch of bugs is dealt with it shouldn't continue to assign them to you since the regression ranges should point to different commits.

Comment 7 by ClusterFuzz, Dec 11

Labels: OS-Linux

The documentation for reproducing on Windows has been moved to https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md

Comment 9 by ClusterFuzz, Dec 20

Labels: M-73 Fuzz-Blocker ReleaseBlock-Beta
This crash occurs very frequently on the Windows platform and is likely preventing the fuzzer sqlite3_select_expr_lpm_fuzzer from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Cc: danielk1...@gmail.com drhsql...@gmail.com
This may be the same as the null-dereference that was just fixed, can you verify?
SELECT RAISE(ROLLBACK , '')  BETWEEN RAISE(IGNORE)  AND 1;

Yes, same thing I think.

The SQL above returns a "RAISE() may only be used within a trigger-program" on the development trunk but causes a segfault with 3.26.0.
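A regression check for the reproducer quoted above, added here as an example and not code from the issue thread or from SQLite: it runs the statement in a throwaway interpreter so that a null-dereference in the library kills only the child process, and classifies the outcome as the expected RAISE() error, a clean result, or a crash. The child script and the classify() helper are my own construction.

```python
import sqlite3
import subprocess
import sys
import textwrap

# Reproducer from the issue: RAISE() used outside a trigger program, inside
# a BETWEEN expression. A correct build must reject it, never crash on it.
REPRO_SQL = "SELECT RAISE(ROLLBACK , '')  BETWEEN RAISE(IGNORE)  AND 1;"

# Script run in the child interpreter; it reads one statement from stdin
# and prints a verdict. If the library segfaults, nothing is printed and
# the child dies with a non-zero (signal) exit code instead.
CHILD = textwrap.dedent("""\
    import sqlite3, sys
    sql = sys.stdin.read()
    try:
        sqlite3.connect(":memory:").execute(sql).fetchall()
        print("ok")
    except sqlite3.Error as e:
        print("error: " + str(e))
""")


def classify(sql, timeout=10.0):
    """Execute one statement in an isolated process.

    Returns (status, detail): status is "ok", "error" (SQLite rejected the
    statement, detail holds the message) or "crash" (the child process did
    not survive, detail holds its exit code). The caller always survives.
    """
    proc = subprocess.run([sys.executable, "-c", CHILD], input=sql,
                          capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        # Negative codes on POSIX are the signal number, e.g. -11 for SIGSEGV.
        return "crash", "child exit code %d" % proc.returncode
    out = proc.stdout.strip()
    if out == "ok":
        return "ok", ""
    if out.startswith("error: "):
        return "error", out[len("error: "):]
    return "crash", "no verdict from child"


if __name__ == "__main__":
    print("SQLite library version:", sqlite3.sqlite_version)
    for stmt in ("SELECT 1;", REPRO_SQL):
        status, detail = classify(stmt)
        print("%-5s %r %s" % (status, stmt, detail))
```

On a library containing the fix the reproducer is reported as "error" with the RAISE() message from the comment above; on 3.26.0 it is reported as "crash" and the script itself keeps running.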

  
Mergedinto: 915479
Status: Duplicate (was: Assigned)
Thanks!

Comment 13 by ClusterFuzz, Jan 12

ClusterFuzz has detected this issue as fixed in range 622191:622221.

Detailed report: https://clusterfuzz.com/testcase?key=4899767668441088

Fuzzer: libFuzzer_sqlite3_select_expr_lpm_fuzzer
Fuzz target binary: sqlite3_select_expr_lpm_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  sqlite3ExprCompare
  sqlite3ExprCodeAtInit
  sqlite3ExprCodeTemp
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=615326:615355
Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=622191:622221

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4899767668441088

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
