Issue 914022

Issue metadata

Status: Verified
Closed: Jan 15
OS: Linux, Chrome, Mac
Pri: 1
Type: Bug

Heap-buffer-overflow in vdbeRecordCompareString

Project Member Reported by ClusterFuzz, Dec 11

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4748949824733184

Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 5
Crash Address: 0x603000004198
Crash State:
  vdbeRecordCompareString
  sqlite3BtreeMovetoUnpacked
  btreeMoveto
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4748949824733184

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 11

Labels: OS-Chrome
Project Member

Comment 2 by ClusterFuzz, Dec 11

Components: Internals>Storage
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 3 by ClusterFuzz, Dec 11

Cc: pwnall@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Project Member

Comment 4 by sheriffbot@chromium.org, Dec 12

Labels: Target-72 M-72
Project Member

Comment 5 by sheriffbot@chromium.org, Dec 12

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Dec 12

Labels: Pri-1
Cc: -pwnall@chromium.org cmumford@chromium.org
Owner: pwnall@chromium.org
pwnall: Assigning to you (and ccing cmumford) from the owners' file for further triage.

This might be related to other similar bugs (that I'll also pass to you), feel free to dupe if they have the same root cause:
crbug.com/914023
crbug.com/914027
crbug.com/914155
crbug.com/914419
crbug.com/914407
Project Member

Comment 8 by sheriffbot@chromium.org, Dec 13

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 9 by sheriffbot@chromium.org, Dec 13

Status: Assigned (was: Untriaged)
Project Member

Comment 10 by ClusterFuzz, Dec 13

Labels: OS-Mac
Project Member

Comment 11 by sheriffbot@chromium.org, Dec 26

pwnall: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Severity-Medium -Security_Impact-Beta -ReleaseBlock-Stable -M-72 -Target-72 Type-Bug
Cc: drhsql...@gmail.com danielk1...@gmail.com
Richard and Dan, can you please take a look?

dbfuzz2 test case attached. Stack trace below.

==2060564==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000004198 at pc 0x55eacbcd3f69 bp 0x7ffde1158210 sp 0x7ffde1157998
READ of size 5 at 0x603000004198 thread T0
SCARINESS: 18 (5-byte-read-heap-buffer-overflow)
    #0 0x55eacbcd3f68 in __interceptor_memcmp third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:837:7
    #1 0x7f9713b57b72 in vdbeRecordCompareString third_party/sqlite/amalgamation/sqlite3.c:80382:11
    #2 0x7f9713b453e1 in sqlite3BtreeMovetoUnpacked third_party/sqlite/amalgamation/sqlite3.c
    #3 0x7f9713b54180 in btreeMoveto third_party/sqlite/amalgamation/sqlite3.c:63826:8
    #4 0x7f9713b53e76 in btreeRestoreCursorPosition third_party/sqlite/amalgamation/sqlite3.c:63850:8
    #5 0x7f9713b598e6 in btreeNext third_party/sqlite/amalgamation/sqlite3.c:68622:10
    #6 0x7f9713b2a37d in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88315:8
    #7 0x7f9713ac64dc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81427:10
    #8 0x7f9713abc64a in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81490:16
    #9 0x7f9713acfdc9 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118075:12
    #10 0x55eacbd939bf in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5
0x603000004198 is located 0 bytes to the right of 8-byte region [0x603000004190,0x603000004198)
allocated by thread T0 here:
    #0 0x55eacbd642b3 in __interceptor_malloc third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7f9713c4da99 in sqlite3MemMalloc third_party/sqlite/amalgamation/sqlite3.c:22762:7
    #2 0x7f9713ae0499 in mallocWithAlarm third_party/sqlite/amalgamation/sqlite3.c:26604:7
    #3 0x7f9713ab0bcf in sqlite3Malloc third_party/sqlite/amalgamation/sqlite3.c:26634:5
    #4 0x7f9713b15e80 in saveCursorKey third_party/sqlite/amalgamation/sqlite3.c:63680:12
    #5 0x7f9713b48c3e in sqlite3BtreeDelete third_party/sqlite/amalgamation/sqlite3.c:71655:12
    #6 0x7f9713b34686 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:87825:8
    #7 0x7f9713ac64dc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81427:10
    #8 0x7f9713abc64a in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81490:16
    #9 0x7f9713acfdc9 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118075:12
    #10 0x55eacbd939bf in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5

Attachment: clusterfuzz-testcase-minimized-sqlite3_dbfuzz2_fuzzer-4748949824733184 (3.4 KB)
Fixed by SQLite check-in https://sqlite.org/src/info/160b1e31c0f27257
Status: Started (was: Assigned)
Thank you very much! This is the same fix as for Issue 914023 and I am backporting it.
Project Member

Comment 16 by bugdroid1@chromium.org, Jan 14

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0abd626ef136c39711131a2ad9947cb61d6b4b7f

commit 0abd626ef136c39711131a2ad9947cb61d6b4b7f
Author: Victor Costan <pwnall@chromium.org>
Date: Mon Jan 14 22:15:54 2019

sqlite: Backport a few more bug fixes.

Bug: 913235, 914022, 914023, 914027, 914155, 914507, 914648, 914970, 915499, 921298, 921348, 921355
Change-Id: I8a03ded5cda06ac60adfc63cd71487f5161b21e6
Reviewed-on: https://chromium-review.googlesource.com/c/1408357
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622627}
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/ext/fts3/fts3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/insert.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/pcache1.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/vdbeaux.c

Project Member

Comment 17 by ClusterFuzz, Jan 15

ClusterFuzz has detected this issue as fixed in range 622610:622639.

Detailed report: https://clusterfuzz.com/testcase?key=4748949824733184

Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 5
Crash Address: 0x603000004198
Crash State:
  vdbeRecordCompareString
  sqlite3BtreeMovetoUnpacked
  btreeMoveto
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=622610:622639

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4748949824733184

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 18 by ClusterFuzz, Jan 15

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4748949824733184 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.