Heap-use-after-free in insertCell
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4759856483139584
Fuzzer: afl_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x61800000097c
Crash State:
  insertCell
  sqlite3BtreeInsert
  sqlite3VdbeExec
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=614849:614856
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4759856483139584
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Dec 13
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Dec 13
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e3140a8f27345d395ea75fe619d730951a438e89 (Run SQLite DBFuzz2 on ClusterFuzz to fuzz for data corruption). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Dec 13
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 13
This might be tough. Bugs found with dbfuzz2 are not security bugs and it will find a ton of heap buffer overflows. Any way we can avoid having these marked as security bugs, metzman@ or mmoroz@?
Dec 13
> Bugs found with dbfuzz2 are not security bugs and it will find a ton of heap buffer overflows

Why? Why did we enable that fuzz target then?
Dec 13
Oh, just because we want to increase stability in SQLite. pwnall@ has a couple of crashes in the wild that are probably to do with SQLite not handling corruption as gracefully as possible, but his team hasn't really been able to do anything about them until now. This will help fix a lot of the crashes that may make Chrome unusable (we hope).
Dec 13
Thanks, Matt, that makes sense. I don't think that we have a way to automatically make these bugs be reported as not security issues. And what if it finds anything valid? IMO let's change the type from Bug-Security to Bug manually, case by case. There shouldn't be a hundred of them, I hope?
Dec 13
I hope. :) Yeah, I think a lot of the OOB stuff will be non-security, but it'd probably be worth checking the integer overflows, and perhaps might be worth checking MSAN stuff and UAFs.
Jan 11
Richard and Dan, could you please take a look at this bug?
Stack trace:
==400822==ERROR: AddressSanitizer: heap-use-after-free on address 0x61800000097c at pc 0x56418aecf42e bp 0x7ffcfdf52c90 sp 0x7ffcfdf52440
WRITE of size 4 at 0x61800000097c thread T0
SCARINESS: 46 (4-byte-write-heap-use-after-free)
#0 0x56418aecf42d in __asan_memcpy _asan_rtl_:3
#1 0x56418b05557b in insertCell third_party/sqlite/amalgamation/sqlite3.c:69664:5
#2 0x56418b0416d4 in sqlite3BtreeInsert third_party/sqlite/amalgamation/sqlite3.c:71527:3
#3 0x56418b032805 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:87682:8
#4 0x56418afcc5d7 in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81415:10
#5 0x56418afc3fb8 in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81478:16
#6 0x56418afd4945 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118058:12
#7 0x56418aeff7b4 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:97:5
Test case attached.
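The report header above gives a three-frame "Crash State" (insertCell, sqlite3BtreeInsert, sqlite3VdbeExec) that is derived from the full ASan trace by dropping the sanitizer-runtime frame `__asan_memcpy`. The following Python is an added example, not part of this issue and not ClusterFuzz's own code: it parses a report shaped like the one posted here, recovers the crash type, access kind, faulting address and frames, and derives that crash state plus a deduplication key of the kind a triage pipeline would group reports by. The ignore-list of runtime frame prefixes and the dedup-key format are illustrative assumptions, not ClusterFuzz's actual rules; the sample report is the trace from this issue, embedded verbatim as test input.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the AddressSanitizer report posted in this issue (header, access
# line, SCARINESS line and the primary stack), embedded here so the example runs offline.
SAMPLE_REPORT = """\
==400822==ERROR: AddressSanitizer: heap-use-after-free on address 0x61800000097c at pc 0x56418aecf42e bp 0x7ffcfdf52c90 sp 0x7ffcfdf52440
WRITE of size 4 at 0x61800000097c thread T0
SCARINESS: 46 (4-byte-write-heap-use-after-free)
    #0 0x56418aecf42d in __asan_memcpy _asan_rtl_:3
    #1 0x56418b05557b in insertCell third_party/sqlite/amalgamation/sqlite3.c:69664:5
    #2 0x56418b0416d4 in sqlite3BtreeInsert third_party/sqlite/amalgamation/sqlite3.c:71527:3
    #3 0x56418b032805 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:87682:8
    #4 0x56418afcc5d7 in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81415:10
    #5 0x56418afc3fb8 in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81478:16
    #6 0x56418afd4945 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118058:12
    #7 0x56418aeff7b4 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:97:5
"""

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+)(?:\s+(?P<loc>\S+))?")

# Assumption for illustration (not ClusterFuzz's real list): frames belonging to
# the sanitizer runtime never identify the bug, so they are skipped when
# deriving the crash state.
IGNORED_FRAME_PREFIXES = ("__asan", "__sanitizer", "__interceptor", "__msan", "__ubsan")
IGNORED_LOCATION_PREFIXES = ("_asan_rtl_",)


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line:col", or "" when the frame has no symbol info


@dataclass
class AsanCrash:
    kind: str                 # e.g. "heap-use-after-free"
    address: int              # faulting address from the header line
    access: Optional[str]     # "READ" / "WRITE", None for reports without an access line
    size: Optional[int]       # access width in bytes
    frames: List[Frame] = field(default_factory=list)

    def _meaningful_frames(self) -> List[Frame]:
        return [f for f in self.frames
                if not f.function.startswith(IGNORED_FRAME_PREFIXES)
                and not f.location.startswith(IGNORED_LOCATION_PREFIXES)]

    def crash_state(self, depth: int = 3) -> List[str]:
        """First `depth` non-runtime function names, the triage 'crash state'."""
        return [f.function for f in self._meaningful_frames()[:depth]]

    def top_source_location(self) -> Optional[str]:
        """Source location of the first non-runtime frame, i.e. where to start reading."""
        frames = self._meaningful_frames()
        return frames[0].location if frames else None

    def dedup_key(self) -> str:
        """Constructed grouping key: crash kind plus crash state, so reports
        that differ only in addresses or PCs collapse into one bucket."""
        return self.kind + ":" + "/".join(self.crash_state())


def parse_asan_report(text: str) -> AsanCrash:
    kind = None
    address = None
    access = None
    size = None
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m and kind is None:
            kind, address = m.group("kind"), int(m.group("addr"), 16)
            continue
        m = ACCESS_RE.match(line)
        if m and access is None:
            access, size = m.group("op"), int(m.group("size"))
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group("idx")), m.group("func"), m.group("loc") or ""))
            continue
        if frames:
            # First non-frame line after the primary stack: stop, so the
            # "freed by" / "previously allocated by" stacks are not merged in.
            break
    if kind is None:
        raise ValueError("not an AddressSanitizer error report")
    return AsanCrash(kind, address, access, size, frames)


if __name__ == "__main__":
    crash = parse_asan_report(SAMPLE_REPORT)
    print("Crash Type:", crash.kind, crash.access, crash.size)
    print("Crash State:", " ".join(crash.crash_state()))
    print("Start reading at:", crash.top_source_location())
    print("Dedup key:", crash.dedup_key())
```

Running it on the embedded report yields the same three-function crash state the ClusterFuzz summary shows, and the top source location points at the `insertCell` line in the amalgamation, which is the frame a reviewer would open first.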
Jan 11
Fixed by SQLite check-in https://sqlite.org/src/info/cc42dd15100db28a
Jan 12
ClusterFuzz has detected this issue as fixed in range 622199:622235.
Detailed report: https://clusterfuzz.com/testcase?key=4759856483139584
Fuzzer: afl_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x61800000097c
Crash State:
  insertCell
  sqlite3BtreeInsert
  sqlite3VdbeExec
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=614849:614856
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=622199:622235
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4759856483139584
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by ClusterFuzz, Dec 13
Labels: Test-Predator-Auto-Components