Heap-buffer-overflow in insertCell
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5322981800411136
Fuzzer: afl_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 15
Crash Address: 0x6180006cd87c
Crash State:
  insertCell
  balance_nonroot
  balance
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5322981800411136
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Dec 11
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Dec 12
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 26
pwnall: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 13
Richard and Dan, can you please take a look?
dbfuzz2 test case attached. Stack trace below.
==2937268==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800000187c at pc 0x55ff3f7eb369 bp 0x7ffede90ad70 sp 0x7ffede90a520
READ of size 15 at 0x61800000187c thread T0
SCARINESS: 26 (multi-byte-read-heap-buffer-overflow)
#0 0x55ff3f7eb368 in __asan_memcpy _asan_rtl_:3
#1 0x55ff3f96f9bb in insertCell third_party/sqlite/amalgamation/sqlite3.c:69676:5
#2 0x55ff3f9789bd in balance_nonroot third_party/sqlite/amalgamation/sqlite3.c:70888:5
#3 0x55ff3f970232 in balance third_party/sqlite/amalgamation/sqlite3.c:71192:16
#4 0x55ff3f95bb1f in sqlite3BtreeInsert third_party/sqlite/amalgamation/sqlite3.c:71567:10
#5 0x55ff3f94c4a3 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88392:10
#6 0x55ff3f8e6957 in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81427:10
#7 0x55ff3f8de338 in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81490:16
#8 0x55ff3f8eece5 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118075:12
#9 0x55ff3f81b9f4 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5
0x61800000187c is located 4 bytes to the left of 776-byte region [0x618000001880,0x618000001b88)
allocated by thread T0 here:
#0 0x55ff3f7ec2b3 in __interceptor_malloc _asan_rtl_:3
#1 0x55ff3fa55efd in sqlite3MemMalloc third_party/sqlite/amalgamation/sqlite3.c:22762:7
#2 0x55ff3f8f979a in mallocWithAlarm third_party/sqlite/amalgamation/sqlite3.c:26604:7
#3 0x55ff3f8d3fa6 in sqlite3Malloc third_party/sqlite/amalgamation/sqlite3.c:26634:5
#4 0x55ff3f92067d in pcache1Alloc third_party/sqlite/amalgamation/sqlite3.c:48850:9
#5 0x55ff3fa5858f in pcache1AllocPage third_party/sqlite/amalgamation/sqlite3.c:48946:11
#6 0x55ff3fa57e50 in pcache1FetchStage2 third_party/sqlite/amalgamation/sqlite3.c:49411:13
#7 0x55ff3f915071 in getPageNormal third_party/sqlite/amalgamation/sqlite3.c:55899:11
#8 0x55ff3f925da0 in btreeGetPage third_party/sqlite/amalgamation/sqlite3.c:65071:8
#9 0x55ff3f92f7a3 in btreeGetUnusedPage third_party/sqlite/amalgamation/sqlite3.c:65215:12
#10 0x55ff3f92e10d in allocateBtreePage third_party/sqlite/amalgamation/sqlite3.c:69111:10
#11 0x55ff3f973c63 in balance_deeper third_party/sqlite/amalgamation/sqlite3.c:71064:10
#12 0x55ff3f96ff53 in balance third_party/sqlite/amalgamation/sqlite3.c:71128:14
#13 0x55ff3f95bb1f in sqlite3BtreeInsert third_party/sqlite/amalgamation/sqlite3.c:71567:10
#14 0x55ff3f94c4a3 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88392:10
#15 0x55ff3f8e6957 in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81427:10
#16 0x55ff3f8de338 in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81490:16
#17 0x55ff3f8eece5 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118075:12
#18 0x55ff3f81b9f4 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5
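An added triage helper, written for this page and not code from the thread, from ClusterFuzz, or from the Chromium/SQLite projects: it parses an AddressSanitizer report like the one quoted above into the fields the ClusterFuzz summary carries (crash type, access kind and size, the top non-runtime frames that make up the "Crash State", and the distance of the faulting address from the nearest allocation). The embedded report is a constructed, abbreviated copy of the trace in this comment; the prefixes used to skip sanitizer-runtime frames are an assumption about the runtime's symbol naming.

```python
"""Parse an ASAN report into the fields a triager wants (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: abbreviated copy of the ASAN output quoted in the thread.
SAMPLE_REPORT = """\
==2937268==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800000187c at pc 0x55ff3f7eb369 bp 0x7ffede90ad70 sp 0x7ffede90a520
READ of size 15 at 0x61800000187c thread T0
SCARINESS: 26 (multi-byte-read-heap-buffer-overflow)
    #0 0x55ff3f7eb368 in __asan_memcpy _asan_rtl_:3
    #1 0x55ff3f96f9bb in insertCell third_party/sqlite/amalgamation/sqlite3.c:69676:5
    #2 0x55ff3f9789bd in balance_nonroot third_party/sqlite/amalgamation/sqlite3.c:70888:5
    #3 0x55ff3f970232 in balance third_party/sqlite/amalgamation/sqlite3.c:71192:16
    #4 0x55ff3f95bb1f in sqlite3BtreeInsert third_party/sqlite/amalgamation/sqlite3.c:71567:10
0x61800000187c is located 4 bytes to the left of 776-byte region [0x618000001880,0x618000001b88)
allocated by thread T0 here:
    #0 0x55ff3f7ec2b3 in __interceptor_malloc _asan_rtl_:3
    #1 0x55ff3fa55efd in sqlite3MemMalloc third_party/sqlite/amalgamation/sqlite3.c:22762:7
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region "
    r"\[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")

# Assumption: frames inside the sanitizer runtime or its interceptors carry no
# triage signal, so they are dropped before forming the crash state.
RUNTIME_PREFIXES = ("__asan_", "__interceptor_", "__sanitizer_")


@dataclass
class Frame:
    func: str
    loc: str


@dataclass
class AsanReport:
    kind: str
    op: str
    size: int
    addr: int
    frames: List[Frame]
    region_lo: Optional[int] = None
    region_hi: Optional[int] = None

    def crash_state(self, depth: int = 3) -> List[str]:
        """Top `depth` application frames; matches the Crash State string in the report."""
        return [f.func for f in self.frames if not f.func.startswith(RUNTIME_PREFIXES)][:depth]

    def underflow_bytes(self) -> Optional[int]:
        """Bytes by which the access starts before the allocation (None if not an underflow)."""
        if self.region_lo is None or self.addr >= self.region_lo:
            return None
        return self.region_lo - self.addr


def parse_asan_report(text: str) -> AsanReport:
    head = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    if not head or not access:
        raise ValueError("not an AddressSanitizer report")
    # The first stack is the faulting access; it ends at the first non-frame line
    # after the frames begin (the region line or an "allocated by"/"freed by" stack).
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(m["func"], m["loc"]))
        elif frames:
            break
    report = AsanReport(kind=head["kind"], op=access["op"], size=int(access["size"]),
                        addr=int(access["addr"], 16), frames=frames)
    region = REGION_RE.search(text)
    if region:
        report.region_lo = int(region["lo"], 16)
        report.region_hi = int(region["hi"], 16)
    return report


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r.kind, r.op, r.size, "|".join(r.crash_state()), "underflow:", r.underflow_bytes())
```

On the sample this yields crash state `insertCell balance_nonroot balance` and an underflow of 4 bytes, the same facts ClusterFuzz put in the issue header; comparing the two is a quick way to confirm that a locally rebuilt binary reproduces the same bug rather than a neighbouring one.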
Jan 13
Unable to repro. Furthermore, the line numbers in the stack trace do not correspond to the source file at https://cs.chromium.org/codesearch/f/chromium/src/third_party/sqlite/amalgamation/sqlite3.c that I downloaded moments ago. Do you know what version of SQLite is being used for this case? How can I get the exact version of "sqlite3.c" that generated this error?
Jan 14
Sorry for the confusion here, Richard! Could you please give me an example of an invalid stack trace line? I just downloaded sqlite3.c from the URL above and checked all the lines in the top trace, as well as the lines up to #7 in the bottom trace (showing the allocation). The line numbers seemed plausible to me -- those lines have calls to the functions named in the next trace line. I have a second round of backports that I expect to land tomorrow, so there's a small chance that clusterfuzz will just close this bug. I say "small chance" because I just reproduced this with all pending patches applied. On the other hand, if this crash is difficult to reproduce, I'd be fine with not worrying about it until after we've reduced our divergence from upstream. We're already landing a lot of corruption handling improvements.
Jan 14
The sqlite3.c file I get has a SHA1 hash of 9fefe69a9eb072bdce435e92a6f4cdf161a0182a. Line 69676 is in the middle of a multi-line header comment for the pagerInsertArray() function and is 125 lines after the end of the insertCell() function. Digging further, this seems to be cockpit error. The download was not being stored in the directory I thought it was being stored in. I now have a file with a SHA1 hash of 2fb79ca1a4ebe364c79bdcbc251ffe17276ec28e and where the line numbers seem sensible. I'll use this new file moving forward.
Jan 14
I'm still not able to get the ASAN error on the original. Nevertheless, based on the reproducer testcase data and the (correct) stack trace, I think that check-in https://www.sqlite.org/src/info/cb50509020d952fa will likely clear this problem.
Jan 14
Thank you very much for the quick fix, Richard! I am backporting this. The latter sha1 matches what I get when downloading the file. I'm glad you were able to get the correct file eventually.
Jan 14
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0abd626ef136c39711131a2ad9947cb61d6b4b7f

commit 0abd626ef136c39711131a2ad9947cb61d6b4b7f
Author: Victor Costan <pwnall@chromium.org>
Date: Mon Jan 14 22:15:54 2019

sqlite: Backport a few more bug fixes.

Bug: 913235, 914022, 914023, 914027, 914155, 914507, 914648, 914970, 915499, 921298, 921348, 921355
Change-Id: I8a03ded5cda06ac60adfc63cd71487f5161b21e6
Reviewed-on: https://chromium-review.googlesource.com/c/1408357
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622627}

[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/ext/fts3/fts3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/insert.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/pcache1.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/vdbeaux.c
Jan 15
ClusterFuzz has detected this issue as fixed in range 622595:622639.
Detailed report: https://clusterfuzz.com/testcase?key=5322981800411136
Fuzzer: afl_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 15
Crash Address: 0x61800000187c
Crash State:
  insertCell
  balance_nonroot
  balance
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=622595:622639
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5322981800411136
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 15
ClusterFuzz testcase 5322981800411136 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.