Issue 915348
Issue metadata

Status: Verified
Owner:
Closed: Jan 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Use-of-uninitialized-value in sqlite3VdbeRecordCompareWithSkip

Reported by ClusterFuzz (Project Member), Dec 14

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6037613934542848

Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  sqlite3VdbeRecordCompareWithSkip
  sqlite3BtreeMovetoUnpacked
  sqlite3BtreeInsert
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=614851:614852

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6037613934542848

Issue filed automatically.

See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for instructions to reproduce this bug locally.
 
Comment 1 by ClusterFuzz (Project Member), Dec 14

Components: Internals>Storage
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Dec 14

Cc: pwnall@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Comment 3 by ClusterFuzz (Project Member), Dec 14

Labels: Test-Predator-Auto-Owner
Owner: mpdenton@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e3140a8f27345d395ea75fe619d730951a438e89 (Run SQLite DBFuzz2 on ClusterFuzz to fuzz for data corruption).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: -pwnall@chromium.org mpdenton@chromium.org
Owner: pwnall@chromium.org
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Severity-Medium -Security_Impact-Head Pri-2 Type-Bug
Cc: drhsql...@gmail.com danielk1...@gmail.com
Richard and Dan, could you please look into this bug? Thank you very much!

Stack trace:

==2006964==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7fa341743380 in sqlite3VdbeRecordCompareWithSkip third_party/sqlite/amalgamation/sqlite3.c:80072:12
    #1 0x7fa3417218b7 in sqlite3BtreeMovetoUnpacked third_party/sqlite/amalgamation/sqlite3.c:0:15
    #2 0x7fa341724e89 in sqlite3BtreeInsert third_party/sqlite/amalgamation/sqlite3.c:71449:14
    #3 0x7fa341701c33 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88380:10
    #4 0x7fa341639ccc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81415:10
    #5 0x7fa3416263ee in chrome_sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81478:16
    #6 0x7fa34164c021 in chrome_sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118058:12
    #7 0x55e6416d9c89 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:97:5

The test case is attached.
Attachment: clusterfuzz-testcase-minimized-sqlite3_dbfuzz2_fuzzer-6037613934542848 (2.2 KB)

Thanks Victor. Richard and Dan, since this is a dbfuzz2 bug it should be able to reproduce with your normal dbfuzz2 fuzzer (this isn't an LPM fuzzer test case).
I thought I had responded to this already, but apparently I failed to press "Save changes" or something...

Despite much effort, we have been unable to reproduce this problem in any version of SQLite.  However, another use-of-uninitialized-value problem with a similar stack trace was fixed by https://www.sqlite.org/src/info/fa47f4c6589c431c, so perhaps that same check-in will fix this one too.
Status: Started (was: Assigned)
Thank you very much for looking into this so quickly! I am backporting the check-in above. We'll see if clusterfuzz marks this fixed after the change lands.
Issue 914419 has been merged into this issue.
Comment 11 by bugdroid1@chromium.org (Project Member), Jan 11

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643

commit c61e3e2f00de49b85c2bd76c252d2a9fd13ed643
Author: Victor Costan <pwnall@chromium.org>
Date: Fri Jan 11 23:20:45 2019

sqlite: Backport a few bug fixes.

This CL removes an unnecessary change in
0006-Fix-dbfuzz2-for-Clusterfuzz.patch and backports fixes for a few
recently discovered issues. The added patches will go away in the
next SQLite upgrade.

Bug: 911253, 911255, 914407, 915348, 915479, 916478, 917285, 917380, 917834, 918035
Change-Id: I595de36637cdb256153d92f21958b05e2ea6ac92
Reviewed-on: https://chromium-review.googlesource.com/c/1406928
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622207}
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[add] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/src/Makefile.in
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/src/src/expr.c
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/src/src/fkey.c
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/src/src/pcache1.c
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/src/src/select.c
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/src/src/vdbeaux.c
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/src/test/dbfuzz2.c
[modify] https://crrev.com/c61e3e2f00de49b85c2bd76c252d2a9fd13ed643/third_party/sqlite/src/test/fuzzcheck.c

Comment 12 by ClusterFuzz (Project Member), Jan 12

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5810796468371456 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: Merge-Merged-72-3626
The following revision refers to this bug: 
https://chromium.googlesource.com/chromium/src.git/+/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8

Commit: e6d709904788b93ca8f88bbf67ad0a7af26e5bb8
Author: staphany@chromium.org
Committer: pwnall@chromium.org
Date: 2019-01-15 22:21:13 +0000 UTC

sqlite: Backport a few bug fixes.

This CL removes an unnecessary change in
0006-Fix-dbfuzz2-for-Clusterfuzz.patch and backports fixes for a few
recently discovered issues. The added patches will go away in the
next SQLite upgrade.

(cherry picked from commit c61e3e2f00de49b85c2bd76c252d2a9fd13ed643)

Bug: 911253, 911255, 914407, 915348, 915479, 916478, 917285, 917380, 917834, 918035
Change-Id: I595de36637cdb256153d92f21958b05e2ea6ac92
Reviewed-on: https://chromium-review.googlesource.com/c/1406928
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#622207}
Reviewed-on: https://chromium-review.googlesource.com/c/1413452
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#703}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Comment 14 by bugdroid1@chromium.org (Project Member), Jan 15

Labels: merge-merged-3626
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8

commit e6d709904788b93ca8f88bbf67ad0a7af26e5bb8
Author: Staphany Park <staphany@chromium.org>
Date: Tue Jan 15 22:21:13 2019

sqlite: Backport a few bug fixes.

This CL removes an unnecessary change in
0006-Fix-dbfuzz2-for-Clusterfuzz.patch and backports fixes for a few
recently discovered issues. The added patches will go away in the
next SQLite upgrade.

(cherry picked from commit c61e3e2f00de49b85c2bd76c252d2a9fd13ed643)

Bug: 911253, 911255, 914407, 915348, 915479, 916478, 917285, 917380, 917834, 918035
Change-Id: I595de36637cdb256153d92f21958b05e2ea6ac92
Reviewed-on: https://chromium-review.googlesource.com/c/1406928
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#622207}
Reviewed-on: https://chromium-review.googlesource.com/c/1413452
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#703}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
[modify] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/amalgamation/sqlite3.c
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[add] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[modify] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/src/Makefile.in
[modify] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/src/src/expr.c
[modify] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/src/src/fkey.c
[modify] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/src/src/pcache1.c
[modify] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/src/src/select.c
[modify] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/src/src/vdbeaux.c
[modify] https://crrev.com/e6d709904788b93ca8f88bbf67ad0a7af26e5bb8/third_party/sqlite/src/test/fuzzcheck.c

Comment 15 by ClusterFuzz (Project Member), Jan 19

Labels: Needs-Feedback
ClusterFuzz testcase 6037613934542848 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
