Use-of-uninitialized-value in sqlite3IntFloatCompare
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6142851790143488
Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sqlite3IntFloatCompare
  sqlite3VdbeRecordCompareWithSkip
  vdbeRecordCompareInt
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=614851:614852
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6142851790143488
Issue filed automatically.
See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for more information.
,
Dec 13
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
,
Dec 13
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e3140a8f27345d395ea75fe619d730951a438e89 (Run SQLite DBFuzz2 on ClusterFuzz to fuzz for data corruption). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Dec 14
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 12
Richard and Dan, could you please take a look?
Test case attached. Stack trace below.
==1057613==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7fb9acfe72d0 in sqlite3IntFloatCompare third_party/sqlite/amalgamation/sqlite3.c:79890:9
#1 0x7fb9acfefdac in sqlite3VdbeRecordCompareWithSkip third_party/sqlite/amalgamation/sqlite3.c:80112:15
#2 0x7fb9acfee728 in vdbeRecordCompareInt third_party/sqlite/amalgamation/sqlite3.c:0:14
#3 0x7fb9acfcfc17 in sqlite3BtreeMovetoUnpacked third_party/sqlite/amalgamation/sqlite3.c:0:15
#4 0x7fb9acfe91b2 in btreeMoveto third_party/sqlite/amalgamation/sqlite3.c:63826:8
#5 0x7fb9acfe8ccf in btreeRestoreCursorPosition third_party/sqlite/amalgamation/sqlite3.c:63850:8
#6 0x7fb9acff1dac in btreeNext third_party/sqlite/amalgamation/sqlite3.c:68622:10
#7 0x7fb9acfd16ad in sqlite3BtreeNext third_party/sqlite/amalgamation/sqlite3.c:0
#8 0x7fb9acfa2b67 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88315:8
#9 0x7fb9acee7ccc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81427:10
#10 0x7fb9aced43ee in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81490:16
#11 0x7fb9acefa021 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118075:12
#12 0x557a39cecc69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5
Uninitialized value was stored to memory at
#0 0x7fb9acfcb51b in sqlite3VdbeSerialGet third_party/sqlite/amalgamation/sqlite3.c:79535:17
#1 0x7fb9acfd238f in sqlite3VdbeRecordUnpack third_party/sqlite/amalgamation/sqlite3.c:79649:10
#2 0x7fb9acfe90bc in btreeMoveto third_party/sqlite/amalgamation/sqlite3.c:63818:5
#3 0x7fb9acfe8ccf in btreeRestoreCursorPosition third_party/sqlite/amalgamation/sqlite3.c:63850:8
#4 0x7fb9acff1dac in btreeNext third_party/sqlite/amalgamation/sqlite3.c:68622:10
#5 0x7fb9acfd16ad in sqlite3BtreeNext third_party/sqlite/amalgamation/sqlite3.c:0
#6 0x7fb9acfa2b67 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88315:8
#7 0x7fb9acee7ccc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81427:10
#8 0x7fb9aced43ee in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81490:16
#9 0x7fb9acefa021 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118075:12
#10 0x557a39cecc69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5
Uninitialized value was created by a heap allocation
#0 0x557a39c9dbad in __interceptor_malloc third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:912:3
#1 0x7fb9ad1bb7b0 in sqlite3MemMalloc third_party/sqlite/amalgamation/sqlite3.c:22762:7
#2 0x7fb9acf1ba2f in mallocWithAlarm third_party/sqlite/amalgamation/sqlite3.c:26604:7
#3 0x7fb9acebecb8 in sqlite3Malloc third_party/sqlite/amalgamation/sqlite3.c:26634:5
#4 0x7fb9acf7d148 in saveCursorKey third_party/sqlite/amalgamation/sqlite3.c:63680:12
#5 0x7fb9acfd549a in sqlite3BtreeDelete third_party/sqlite/amalgamation/sqlite3.c:71655:12
#6 0x7fb9acfaf47e in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:87825:8
#7 0x7fb9acee7ccc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81427:10
#8 0x7fb9aced43ee in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81490:16
#9 0x7fb9acefa021 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118075:12
#10 0x557a39cecc69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5
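Added example, not code from SQLite, Chromium or anyone in this thread: a stripped-down C model of the pattern the three MSAN stacks above describe. A cursor key is copied into an over-allocated heap buffer (the heap allocation in the third stack), a record decoder trusts the serial types in the record header and so reads a truncated last field out of the uninitialized slack (the store in the second stack), and an int/float compare then branches on those bytes (the use in the first stack). The hardened variant shows one way such a decoder can refuse a truncated record; it is not the SQLite change behind patch 0027 in the backport commit later in this thread. The record layout, the serial-type subset, KEY_SLACK, the return codes, the constructed key bytes and the 0xAA poisoning of the slack are all assumptions made for this example.

```c
/* Added example, not SQLite or Chromium code: a stripped-down model of the
 * pattern in the three MSAN stacks above (heap allocation -> uninitialized
 * bytes stored during record unpack -> use in a compare). The record layout,
 * the serial-type subset, KEY_SLACK, the return codes and the 0xAA poisoning
 * of the slack are all assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { REC_OK = 0, REC_CORRUPT = 1 };   /* stand-ins, not SQLite's result codes */
enum { KIND_NULL = 0, KIND_INT = 1 };
#define KEY_SLACK 17   /* assumed over-allocation: over-reads stay inside the buffer */
#define MAX_FIELDS 4

typedef struct { int kind; int64_t i; } Field;
typedef struct { int nField; Field a[MAX_FIELDS]; } Record;

/* Payload size for a simplified serial type: 0 = NULL, 1/2/6 = 1/2/8-byte int. */
static int serial_size(uint8_t t) {
    return t == 0 ? 0 : t == 1 ? 1 : t == 2 ? 2 : t == 6 ? 8 : -1;
}

/* Decode an n-byte big-endian signed integer (first byte sign-extended). */
static int64_t get_int(const uint8_t *p, int n) {
    int64_t v = (int8_t)p[0];
    for (int k = 1; k < n; k++) v = (int64_t)(((uint64_t)v << 8) | p[k]);
    return v;
}

/* Model of saving a cursor key: copy nKey bytes from the page into a fresh heap
 * buffer that is larger than the key. The slack is whatever malloc left behind;
 * it is poisoned here only to keep the demo deterministic, on a real MSAN build
 * those bytes are uninitialized. Caller frees. */
static uint8_t *save_key(const uint8_t *page, int nKey) {
    uint8_t *buf = malloc((size_t)nKey + KEY_SLACK);
    if (!buf) return NULL;
    memcpy(buf, page, (size_t)nKey);
    memset(buf + nKey, 0xAA, KEY_SLACK);
    return buf;
}

/* Unpack a record: header = one length byte plus one serial-type byte per field,
 * then the payloads. With strict == 0 the header is trusted, so a last field that
 * claims more bytes than remain is read out of the slack (the bug). With
 * strict != 0 the over-read is detected, the last field is forced to NULL so no
 * garbage can reach a comparison, and REC_CORRUPT is returned. */
static int unpack(const uint8_t *key, int nKey, int strict, Record *out) {
    out->nField = 0;
    if (nKey < 1) return REC_CORRUPT;
    int szHdr = key[0];
    if (strict && szHdr > nKey) return REC_CORRUPT;
    int idx = 1, d = szHdr;            /* cursors into header and body */
    while (idx < szHdr && d <= nKey && out->nField < MAX_FIELDS) {
        int n = serial_size(key[idx++]);
        if (n < 0) return REC_CORRUPT;
        Field *f = &out->a[out->nField++];
        f->kind = n ? KIND_INT : KIND_NULL;
        f->i = n ? get_int(key + d, n) : 0;
        d += n;
    }
    if (strict && d > nKey && out->nField > 0) {
        out->a[out->nField - 1].kind = KIND_NULL;
        out->a[out->nField - 1].i = 0;
        return REC_CORRUPT;
    }
    return REC_OK;
}

/* Model of the int/float compare at the top of the first stack: -1, 0 or 1. */
static int int_float_compare(int64_t i, double r) {
    double fi = (double)i;
    return fi < r ? -1 : fi > r ? 1 : 0;
}

/* Save a key, unpack it, release it; returns the unpack status. */
static int decode_saved_key(const uint8_t *page, int nKey, int strict, Record *rec) {
    uint8_t *key = save_key(page, nKey);
    if (!key) return REC_CORRUPT;
    int rc = unpack(key, nKey, strict, rec);
    free(key);
    return rc;
}

/* Constructed records (not bytes from the ClusterFuzz testcase). Both declare a
 * 1-byte int (5) followed by a second int. kGoodKey's second field is a complete
 * 2-byte int (42); kTruncatedKey's claims 8 bytes but only 2 are present. */
static const uint8_t kGoodKey[]      = { 0x03, 0x01, 0x02, 0x05, 0x00, 0x2A };
static const uint8_t kTruncatedKey[] = { 0x03, 0x01, 0x06, 0x05, 0x00, 0x2A };
#define kGoodKeyLen      ((int)sizeof kGoodKey)
#define kTruncatedKeyLen ((int)sizeof kTruncatedKey)

/* One-value probes for each path. */
static int decode_status(const uint8_t *k, int n, int s) { Record r = {0}; return decode_saved_key(k, n, s, &r); }
static int field2_kind(const uint8_t *k, int n, int s) { Record r = {0}; decode_saved_key(k, n, s, &r); return r.a[1].kind; }
static int64_t field2_value(const uint8_t *k, int n, int s) { Record r = {0}; decode_saved_key(k, n, s, &r); return r.a[1].i; }

int main(void) {
    int64_t v = field2_value(kTruncatedKey, kTruncatedKeyLen, 0);
    printf("unchecked: field 2 = 0x%016llx, compare with 42.0 -> %d\n",
           (unsigned long long)v, int_float_compare(v, 42.0));   /* six bytes of slack leaked in */
    printf("checked:   rc = %d, field 2 kind = %d\n",
           decode_status(kTruncatedKey, kTruncatedKeyLen, 1),
           field2_kind(kTruncatedKey, kTruncatedKeyLen, 1));
    return 0;
}
```

On the unchecked path the second field comes back as 0x002AAAAAAAAAAAAA: two real bytes followed by six bytes of slack, which is exactly the value the compare then branches on. Remove the memset and build with -fsanitize=memory and that branch is the use-of-uninitialized-value MSAN reports; the checked path returns REC_CORRUPT and leaves the field NULL before any comparison can look at it.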
,
Jan 14
Richard and Dan, could you please take a look at this bug? The comment above has the dbfuzz2 test case and stack trace. I forgot to add you to the cc when I posted it :(
,
Jan 14
Thank you very much for the quick fix, Richard! I am backporting this.
,
Jan 14
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0abd626ef136c39711131a2ad9947cb61d6b4b7f

commit 0abd626ef136c39711131a2ad9947cb61d6b4b7f
Author: Victor Costan <pwnall@chromium.org>
Date: Mon Jan 14 22:15:54 2019

sqlite: Backport a few more bug fixes.

Bug: 913235, 914022, 914023, 914027, 914155, 914507, 914648, 914970, 915499, 921298, 921348, 921355
Change-Id: I8a03ded5cda06ac60adfc63cd71487f5161b21e6
Reviewed-on: https://chromium-review.googlesource.com/c/1408357
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622627}

[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/ext/fts3/fts3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/insert.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/pcache1.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/vdbeaux.c
,
Jan 15
ClusterFuzz has detected this issue as fixed in range 622610:622627.
Detailed report: https://clusterfuzz.com/testcase?key=6142851790143488
Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sqlite3IntFloatCompare
  sqlite3VdbeRecordCompareWithSkip
  vdbeRecordCompareInt
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=614851:614852
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=622610:622627
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6142851790143488
See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for instructions to reproduce this bug locally.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 15
ClusterFuzz testcase 6142851790143488 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.