Issue 919821

Starred by 3 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug




Heap-use-after-free in renameTokenCheckAll

Project Member Reported by ClusterFuzz, Jan 8

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6323835380695040

Fuzzer: libFuzzer_sqlite3_lpm_fuzzer
Fuzz target binary: sqlite3_lpm_fuzzer
Job Type: x86_libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0xe5e01220
Crash State:
  renameTokenCheckAll
  sqlite3RenameTokenMap
  sqlite3ExprListSetName
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=x86_libfuzzer_chrome_asan_debug&range=618090:618108

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6323835380695040

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
 
Project Member

Comment 1 by ClusterFuzz, Jan 8

Components: Internals>Storage
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jan 8

Cc: mpdenton@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 8

Labels: Target-73 M-73
Project Member

Comment 4 by sheriffbot@chromium.org, Jan 8

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Jan 8

Labels: Pri-1
Owner: pwnall@chromium.org
Status: Assigned (was: Untriaged)
Cc: drhsql...@gmail.com danielk1...@gmail.com
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Mac OS-Windows
Somewhat minimized testcase:
CREATE TEMP TABLE Table0 (Col0 DEFAULT x'00000000'  , rowid , UNIQUE(Col0  )   , CHECK(1) , CONSTRAINT TableConstraint0 UNIQUE(Col0  )   , CONSTRAINT TableConstraint0 CHECK(1) ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  DEFAULT ((1, FALSE) )  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TABLE main.Table0 (Col0 BLOB  , PRIMARY KEY(1  , 16  )   ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 , Col0 DEFAULT (1)  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 INTEGER  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 INTEGER(177)  ) ;
CREATE TEMPORARY TABLE IF NOT EXISTS Table0 (Col0 BLOB(0)  DEFAULT 18014398509481984  UNIQUE ON CONFLICT FAIL  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMPORARY TABLE IF NOT EXISTS Table0 (Col0 BLOB(0)  DEFAULT 18014398509481984  UNIQUE ON CONFLICT FAIL  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 , Col0 BLOB  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TABLE main.Table0 (Col0 BLOB  , PRIMARY KEY(1  , 16  )   ) WITHOUT ROWID ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TABLE main.Table0 (Col0 , CHECK(1) , PRIMARY KEY(x'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'  )   , PRIMARY KEY(Col3  , Col0  )   , PRIMARY KEY(Col0  )   , PRIMARY KEY(Col0 COLLATE RTRIM  )   , CHECK(1) , CHECK(1) , CHECK(1) , CHECK(1) ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  DEFAULT ((1, FALSE) )  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TABLE main.Table0 (Col0 , CHECK(1) , PRIMARY KEY(x'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'  )   , PRIMARY KEY(Col3  , Col0  )   , PRIMARY KEY(Col0  )   , PRIMARY KEY(Col0 COLLATE RTRIM  )   , CHECK(1) , CHECK(1) , CHECK(1) , CHECK(1) ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TABLE main.Table0 (Col0 BLOB  , PRIMARY KEY(1  , 16  )   ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TABLE main.Table0 (Col0 BLOB  , PRIMARY KEY(1  , 16  )   ) WITHOUT ROWID ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 INTEGER(177)  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 , Col0 BLOB(0)  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 , Col0 BLOB(0)  ) ;
CREATE TABLE main.Table0 (Col0 BLOB  , PRIMARY KEY(1  , 16  )   ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TABLE IF NOT EXISTS Table0 (Col0 REFERENCES Table0 ON UPDATE SET NULL   CONSTRAINT ColConstraint8 PRIMARY KEY DESC ON CONFLICT FAIL  REFERENCES Table0 ON DELETE SET NULL  DEFERRABLE INITIALLY IMMEDIATE  ) WITHOUT ROWID ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TABLE Table0 (Col16 CONSTRAINT ColConstraint0 DEFAULT ('')  ) ;
CREATE TABLE Table0 (Col16 CONSTRAINT ColConstraint0 DEFAULT ('')  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) ;
CREATE TABLE main.Table0 (Col0 BLOB  , PRIMARY KEY(1  , 16  )   ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  DEFAULT ((1, FALSE) )  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 , Col0 BLOB  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  DEFAULT ((1, FALSE) )  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  DEFAULT ((1, FALSE) )  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 , Col0 BLOB  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 , Col0 BLOB(0)  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 , Col0 BLOB  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  DEFAULT ((1, FALSE) )  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col12 ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 ) ;
ALTER TABLE Table0 RENAME Col0 TO Col0;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) WITHOUT ROWID ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMPORARY TABLE IF NOT EXISTS Table0 (Col0 BLOB(0)  DEFAULT 18014398509481984  UNIQUE ON CONFLICT FAIL  ) ;
CREATE TEMP TABLE IF NOT EXISTS Table0 (Col0 , Col0 BLOB(0)  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TABLE Table0 (Col16 CONSTRAINT ColConstraint0 DEFAULT ('')  ) ;
CREATE TEMP TABLE Table0 (Col0 ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TEMP TABLE Table0 (Col0 REFERENCES Table0 DEFERRABLE INITIALLY IMMEDIATE  ) ;
CREATE TEMP TABLE Table0 (Col0 CONSTRAINT ColConstraint1 DEFAULT 1  ) ;
CREATE TABLE IF NOT EXISTS Table0 (Col0 REFERENCES Table0 ON UPDATE SET NULL   CONSTRAINT ColConstraint8 PRIMARY KEY DESC ON CONFLICT FAIL  REFERENCES Table0 ON DELETE SET NULL  DEFERRABLE INITIALLY IMMEDIATE  ) WITHOUT ROWID ;
CREATE TEMP TABLE Table0 (Col0 ) ;

The ALTER TABLE is necessary for the crash. Here's the full stack trace:
==898742==ERROR: AddressSanitizer: heap-use-after-free on address 0xe5e00f20 at pc 0xf7b4129f bp 0xffbfecf8 sp 0xffbfecf0
READ of size 1 at 0xe5e00f20 thread T0
    #0 0xf7b4129e in renameTokenCheckAll third_party/sqlite/amalgamation/sqlite3.c:102207:14
    #1 0xf7aa9608 in sqlite3RenameTokenMap third_party/sqlite/amalgamation/sqlite3.c:102231:3
    #2 0xf7aa6679 in sqlite3ExprListSetName third_party/sqlite/amalgamation/sqlite3.c:97866:7
    #3 0xf7a90ec3 in sqlite3AddCheckConstraint third_party/sqlite/amalgamation/sqlite3.c:107441:7
    #4 0xf7a62419 in yy_reduce third_party/sqlite/amalgamation/sqlite3.c:149644:2
    #5 0xf7a5c507 in sqlite3Parser third_party/sqlite/amalgamation/sqlite3.c:150805:15
    #6 0xf780b393 in sqlite3RunParser third_party/sqlite/amalgamation/sqlite3.c:151965:5
    #7 0xf7c66d2f in renameParseSql third_party/sqlite/amalgamation/sqlite3.c:102484:8
    #8 0xf7c605b5 in renameColumnFunc third_party/sqlite/amalgamation/sqlite3.c:102784:8
    #9 0xf797d9d1 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:90356:3
    #10 0xf77ea46b in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81415:10
    #11 0xf77c7fa4 in chrome_sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81478:16
    #12 0x5687f283 in sql_fuzzer::RunSqlQueriesOnConnection(sqlite3*, std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >) third_party/sqlite/fuzz/sql_run_queries.cc:120:12
    #13 0x568803c3 in sql_fuzzer::RunSqlQueries(std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >) third_party/sqlite/fuzz/sql_run_queries.cc:160:3
    #14 0x56796f2a in TestOneProtoInput(sql_query_grammar::SQLQueries const&) third_party/sqlite/fuzz/sql_fuzzer.cc:49:3
    #15 0x56795ff4 in LLVMFuzzerTestOneInput third_party/sqlite/fuzz/sql_fuzzer.cc:36:1
    #16 0x5692f400 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) third_party/libFuzzer/src/FuzzerLoop.cpp:571:15
    #17 0x568adca9 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) third_party/libFuzzer/src/FuzzerDriver.cpp:280:6
    #18 0x568c5503 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) third_party/libFuzzer/src/FuzzerDriver.cpp:713:9
    #19 0x569906ba in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #20 0xf6eec636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #21 0x566bcae9 in _start (/mnt/scratch0/clusterfuzz/bot/builds/chromium-browser-libfuzzer_linux32-debug-asan_8529da5d5e3be263517971f4e0c347719342a3cd/revisions/libfuzzer-linux32-debug-620707/sqlite3_lpm_fuzzer+0x9bae9)
0xe5e00f20 is located 0 bytes inside of 56-byte region [0xe5e00f20,0xe5e00f58)
freed by thread T0 here:
    #0 0x567611c3 in __interceptor_free third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0xf7c7dfe4 in sqlite3MemFree third_party/sqlite/amalgamation/sqlite3.c:22794:3
    #2 0xf77acc0f in chrome_sqlite3_free third_party/sqlite/amalgamation/sqlite3.c:26715:5
    #3 0xf782bc2c in sqlite3DbFreeNN third_party/sqlite/amalgamation/sqlite3.c:26758:3
    #4 0xf7a30caa in sqlite3ExprDeleteNN third_party/sqlite/amalgamation/sqlite3.c:97276:5
    #5 0xf7a2f8e9 in sqlite3ExprDelete third_party/sqlite/amalgamation/sqlite3.c:97280:11
    #6 0xf7a32144 in exprListDeleteNN third_party/sqlite/amalgamation/sqlite3.c:97920:5
    #7 0xf7a2f9a9 in sqlite3ExprListDelete third_party/sqlite/amalgamation/sqlite3.c:97928:15
    #8 0xf7a2f658 in sqlite3FreeIndex third_party/sqlite/amalgamation/sqlite3.c:106445:3
    #9 0xf7a90873 in sqlite3CreateIndex third_party/sqlite/amalgamation/sqlite3.c:109600:16
    #10 0xf7a62369 in yy_reduce third_party/sqlite/amalgamation/sqlite3.c:149640:2
    #11 0xf7a5c507 in sqlite3Parser third_party/sqlite/amalgamation/sqlite3.c:150805:15
    #12 0xf780b393 in sqlite3RunParser third_party/sqlite/amalgamation/sqlite3.c:151965:5
    #13 0xf7c66d2f in renameParseSql third_party/sqlite/amalgamation/sqlite3.c:102484:8
    #14 0xf7c605b5 in renameColumnFunc third_party/sqlite/amalgamation/sqlite3.c:102784:8
    #15 0xf797d9d1 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:90356:3
    #16 0xf77ea46b in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81415:10
    #17 0xf77c7fa4 in chrome_sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81478:16
    #18 0x5687f283 in sql_fuzzer::RunSqlQueriesOnConnection(sqlite3*, std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >) third_party/sqlite/fuzz/sql_run_queries.cc:120:12
    #19 0x568803c3 in sql_fuzzer::RunSqlQueries(std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >) third_party/sqlite/fuzz/sql_run_queries.cc:160:3
    #20 0x56796f2a in TestOneProtoInput(sql_query_grammar::SQLQueries const&) third_party/sqlite/fuzz/sql_fuzzer.cc:49:3
    #21 0x56795ff4 in LLVMFuzzerTestOneInput third_party/sqlite/fuzz/sql_fuzzer.cc:36:1
    #22 0x5692f400 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) third_party/libFuzzer/src/FuzzerLoop.cpp:571:15
    #23 0x568adca9 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) third_party/libFuzzer/src/FuzzerDriver.cpp:280:6
    #24 0x568c5503 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) third_party/libFuzzer/src/FuzzerDriver.cpp:713:9
    #25 0x569906ba in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #26 0xf6eec636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
previously allocated by thread T0 here:
    #0 0x56761525 in __interceptor_malloc third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0xf7c7df14 in sqlite3MemMalloc third_party/sqlite/amalgamation/sqlite3.c:22762:7
    #2 0xf782ac94 in mallocWithAlarm third_party/sqlite/amalgamation/sqlite3.c:26604:7
    #3 0xf77ac834 in sqlite3Malloc third_party/sqlite/amalgamation/sqlite3.c:26634:5
    #4 0xf782c4e7 in dbMallocRawFinish third_party/sqlite/amalgamation/sqlite3.c:26865:7
    #5 0xf782c202 in sqlite3DbMallocRawNN third_party/sqlite/amalgamation/sqlite3.c:26933:10
    #6 0xf7a84109 in tokenExpr third_party/sqlite/amalgamation/sqlite3.c:147001:15
    #7 0xf7a6b78a in yy_reduce third_party/sqlite/amalgamation/sqlite3.c:150056:23
    #8 0xf7a5c507 in sqlite3Parser third_party/sqlite/amalgamation/sqlite3.c:150805:15
    #9 0xf780b393 in sqlite3RunParser third_party/sqlite/amalgamation/sqlite3.c:151965:5
    #10 0xf7c66d2f in renameParseSql third_party/sqlite/amalgamation/sqlite3.c:102484:8
    #11 0xf7c605b5 in renameColumnFunc third_party/sqlite/amalgamation/sqlite3.c:102784:8
    #12 0xf797d9d1 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:90356:3
    #13 0xf77ea46b in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81415:10
    #14 0xf77c7fa4 in chrome_sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81478:16
    #15 0x5687f283 in sql_fuzzer::RunSqlQueriesOnConnection(sqlite3*, std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >) third_party/sqlite/fuzz/sql_run_queries.cc:120:12
    #16 0x568803c3 in sql_fuzzer::RunSqlQueries(std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >) third_party/sqlite/fuzz/sql_run_queries.cc:160:3
    #17 0x56796f2a in TestOneProtoInput(sql_query_grammar::SQLQueries const&) third_party/sqlite/fuzz/sql_fuzzer.cc:49:3
    #18 0x56795ff4 in LLVMFuzzerTestOneInput third_party/sqlite/fuzz/sql_fuzzer.cc:36:1
    #19 0x5692f400 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) third_party/libFuzzer/src/FuzzerLoop.cpp:571:15
    #20 0x568adca9 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) third_party/libFuzzer/src/FuzzerDriver.cpp:280:6
    #21 0x568c5503 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) third_party/libFuzzer/src/FuzzerDriver.cpp:713:9
    #22 0x569906ba in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #23 0xf6eec636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-use-after-free third_party/sqlite/amalgamation/sqlite3.c:102207:14 in renameTokenCheckAll
Shadow bytes around the buggy address:
  0x3cbc0190: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x3cbc01a0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x3cbc01b0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x3cbc01c0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x3cbc01d0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x3cbc01e0: fa fa fa fa[fd]fd fd fd fd fd fd fa fa fa fa fa
  0x3cbc01f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3cbc0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3cbc0210: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x3cbc0220: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x3cbc0230: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==898742==ABORTING
Can you tell me what version of SQLite this is against?  I am having difficulty reproducing the problem.  Perhaps it is something specific to a particular check-in.

This should be 3.26.

New smaller test case:

CREATE TABLE t1(
  a INT UNIQUE,
  CONSTRAINT c0 UNIQUE(a),
  CONSTRAINT c1 CHECK(a>0)
);
ALTER TABLE t1 RENAME a TO b;

Fixed by SQLite check-in https://www.sqlite.org/src/info/f09aa3248e2b4a32.

Note that this was NOT a security issue.  The use-after-free error occurs inside an assert() statement.  For a release build, the ALTER TABLE RENAME COLUMN would simply fail.  There would be some undefined behavior:  An equality comparison is made against a pointer to freed memory.  However, that pointer is never dereferenced (except by an assert()) and so even though the pointer comparison is technically undefined, that is one of those profoundly silly UBs that actually works sensibly on all modern compilers, and so it was quite harmless.

On the other hand, this was a logic error in the ALTER TABLE RENAME COLUMN command, so I am very glad that you found it.
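Added example, not code from this issue or from SQLite: a Python probe that runs the minimized test case above against the SQLite library linked into the local Python interpreter, reports that library's version, and then checks that the rename actually preserved the column-level UNIQUE, the named table-level UNIQUE and the named CHECK under the new column name. The SQL is the test case posted above verbatim; the function names and result fields are my own. On a fixed library the rename succeeds and both constraints still fire against `b`; on an affected release build the analysis above says the ALTER TABLE simply fails, which the probe reports as an error rather than a crash, since the freed-memory read ASan flagged sits inside an assert() and is not reached without assertions. Libraries older than 3.25.0 have no RENAME COLUMN at all and are reported as unsupported.

```python
import sqlite3

# The minimized test case from this issue: a column-level UNIQUE, a named
# table-level UNIQUE on the same column, and a named CHECK, then RENAME COLUMN.
SCHEMA_SQL = """
CREATE TABLE t1(
  a INT UNIQUE,
  CONSTRAINT c0 UNIQUE(a),
  CONSTRAINT c1 CHECK(a>0)
);
"""
RENAME_SQL = "ALTER TABLE t1 RENAME a TO b"


def probe_rename_column():
    """Run the reproducer against the SQLite bundled with this interpreter
    and classify the outcome. Field names in the returned dict are my own."""
    result = {
        "sqlite_version": sqlite3.sqlite_version,
        "outcome": None,
        "schema": None,
        "constraints_enforced": None,
    }
    # RENAME COLUMN was introduced in SQLite 3.25.0; older libraries reject
    # the syntax and never reach the ALTER TABLE rename code at all.
    if sqlite3.sqlite_version_info < (3, 25, 0):
        result["outcome"] = "unsupported"
        return result

    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA_SQL)
        try:
            conn.execute(RENAME_SQL)
        except sqlite3.OperationalError as exc:
            # Per the analysis in this issue, an affected release build fails
            # the statement instead of corrupting memory.
            result["outcome"] = "error: %s" % exc
            return result
        result["outcome"] = "renamed"
        row = conn.execute(
            "SELECT sql FROM sqlite_master WHERE type='table' AND name='t1'"
        ).fetchone()
        result["schema"] = row[0]
        result["constraints_enforced"] = _constraints_survive(conn)
        return result
    finally:
        conn.close()


def _constraints_survive(conn):
    """After the rename, the CHECK and the UNIQUE constraints must refer to
    the new column name and still fire. A rename that dropped or mangled
    them would be exactly the kind of logic error the fix addresses."""
    conn.execute("INSERT INTO t1(b) VALUES (1)")
    check_ok = False
    try:
        conn.execute("INSERT INTO t1(b) VALUES (0)")  # violates c1: b>0
    except sqlite3.IntegrityError:
        check_ok = True
    unique_ok = False
    try:
        conn.execute("INSERT INTO t1(b) VALUES (1)")  # violates UNIQUE(b)
    except sqlite3.IntegrityError:
        unique_ok = True
    return check_ok and unique_ok


if __name__ == "__main__":
    import json
    print(json.dumps(probe_rename_column(), indent=2))
```

Run it as a script and it prints the library version and the classification; drop it into a test suite to pin down which SQLite a given Python build ships, since the bundled library, not the interpreter version, is what determines whether the rename code path is present and fixed.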

Labels: -Type-Bug-Security -Pri-1 -Restrict-View-SecurityTeam -Security_Impact-Head -Security_Severity-High -M-73 -Target-73 Pri-2 Type-Bug
Interesting! Thanks for the analysis. I'll unrestrict this. I'm glad that this can find logic bugs before they are found in the wild.
Per the comment above, I won't be backporting this fix. We'll get it in the next SQLite upgrade.
Project Member

Comment 14 by sheriffbot@chromium.org, Jan 11

This issue is marked as a release blocker with no milestone associated. Please add an appropriate milestone.

All release blocking issues should have milestones associated to it, so that the issue can tracked and the fixes can be pushed promptly.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -ReleaseBlock-Stable
Removing RBS. This isn't a critical fix and the patch is non-trivial.
