
Issue 923631

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Use-of-uninitialized-value in ptrmapPut

Reported by ClusterFuzz, Jan 19 (3 days ago)

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5154465313325056

Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ptrmapPut
  ptrmapPutOvflPtr
  setChildPtrmaps
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=614851:614852

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5154465313325056

Issue filed automatically.

See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for instructions to reproduce this bug locally.
 
Comment 1 by ClusterFuzz, Jan 19 (3 days ago)

Components: Internals>Storage
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz, Jan 19 (3 days ago)

Cc: pwnall@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Comment 3 by ClusterFuzz, Jan 19 (3 days ago)

Labels: Test-Predator-Auto-Owner
Owner: mpdenton@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e3140a8f27345d395ea75fe619d730951a438e89 (Run SQLite DBFuzz2 on ClusterFuzz to fuzz for data corruption).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Comment 4 by sheriffbot@chromium.org, Jan 19 (3 days ago)

Labels: Target-73 M-73
Comment 5 by sheriffbot@chromium.org, Jan 19 (3 days ago)

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by sheriffbot@chromium.org, Jan 19 (3 days ago)

Labels: Pri-1

Comment 7 by pwnall@chromium.org, Jan 19 (3 days ago)

Labels: -Restrict-View-SecurityTeam -Security_Severity-Medium -Security_Impact-Head -ReleaseBlock-Stable -Target-73
Removing security restrictions, because dbfuzz2 detects DB corruption mishandling. An attacker can only take advantage of these issues with local access to the user's disk, which falls outside of Chrome's security model.

Comment 8 by pwnall@chromium.org, Jan 19 (3 days ago)

Labels: -Type-Bug-Security Type-Bug

Comment 9 by pwnall@chromium.org, Jan 19 (3 days ago)

Cc: -pwnall@chromium.org mpdenton@chromium.org
Owner: pwnall@chromium.org
Status: Started (was: Assigned)
This reproduces against master, but does not reproduce with the patches that are currently queued up for backporting. I'm guessing this is fixed by the backport for Issue 923196, but I don't think it's worth investigating more at this time. I'll come back to this bug if clusterfuzz doesn't mark it as fixed after the next batch of backports lands.

For the record, I've attached the test case and included the stack trace below.

==2288191==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f9d176af87d in ptrmapPut third_party/sqlite/amalgamation/sqlite3.c:64007:7
    #1 0x7f9d176b16b9 in ptrmapPutOvflPtr third_party/sqlite/amalgamation/sqlite3.c:64397:5
    #2 0x7f9d176aeb6d in setChildPtrmaps third_party/sqlite/amalgamation/sqlite3.c:66513:5
    #3 0x7f9d176ace79 in relocatePage third_party/sqlite/amalgamation/sqlite3.c:66641:10
    #4 0x7f9d176a533e in incrVacuumStep third_party/sqlite/amalgamation/sqlite3.c:66771:12
    #5 0x7f9d176a34c2 in autoVacuumCommit third_party/sqlite/amalgamation/sqlite3.c:66892:12
    #6 0x7f9d17607f0a in sqlite3BtreeCommitPhaseOne third_party/sqlite/amalgamation/sqlite3.c:66948:12
    #7 0x7f9d176b6df0 in vdbeCommit third_party/sqlite/amalgamation/sqlite3.c:78372:14
    #8 0x7f9d176b42f0 in sqlite3VdbeHalt third_party/sqlite/amalgamation/sqlite3.c:78773:16
    #9 0x7f9d176eb035 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:84102:8
    #10 0x7f9d17610ccc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81445:10
    #11 0x7f9d175fd3ee in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81508:16
    #12 0x7f9d17623021 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118093:12
    #13 0x563312100c69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5

Uninitialized value was stored to memory at
    #0 0x5633120ab92b in __msan_memcpy third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:1548:3
    #1 0x7f9d1773316d in rebuildPage third_party/sqlite/amalgamation/sqlite3.c:69798:5
    #2 0x7f9d177348dd in editPage third_party/sqlite/amalgamation/sqlite3.c:70033:10
    #3 0x7f9d17730cde in balance_nonroot third_party/sqlite/amalgamation/sqlite3.c:70953:12
    #4 0x7f9d17721bbf in balance third_party/sqlite/amalgamation/sqlite3.c:71202:16
    #5 0x7f9d176fedee in sqlite3BtreeDelete third_party/sqlite/amalgamation/sqlite3.c:71753:8
    #6 0x7f9d176dca0e in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88451:10
    #7 0x7f9d17610ccc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81445:10
    #8 0x7f9d175fd3ee in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81508:16
    #9 0x7f9d17623021 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118093:12
    #10 0x563312100c69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5

Uninitialized value was created by a heap allocation
    #0 0x5633120b1bad in __interceptor_malloc third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:912:3
    #1 0x7f9d178e4f80 in sqlite3MemMalloc third_party/sqlite/amalgamation/sqlite3.c:22762:7
    #2 0x7f9d17644a2f in mallocWithAlarm third_party/sqlite/amalgamation/sqlite3.c:26604:7
    #3 0x7f9d175e7cb8 in sqlite3Malloc third_party/sqlite/amalgamation/sqlite3.c:26634:5
    #4 0x7f9d176903dd in pcache1Alloc third_party/sqlite/amalgamation/sqlite3.c:48850:9
    #5 0x7f9d1765f2a9 in sqlite3PagerSetPagesize third_party/sqlite/amalgamation/sqlite3.c:54222:22
    #6 0x7f9d17697ac0 in lockBtree third_party/sqlite/amalgamation/sqlite3.c:66143:12
    #7 0x7f9d1760351f in sqlite3BtreeBeginTrans third_party/sqlite/amalgamation/sqlite3.c:66407:47
    #8 0x7f9d176d9d2d in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:86334:10
    #9 0x7f9d17610ccc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81445:10
    #10 0x7f9d175fd3ee in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81508:16
    #11 0x7f9d17623021 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118093:12
    #12 0x563312100c69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5

Attachment: clusterfuzz-testcase-minimized-sqlite3_dbfuzz2_fuzzer-5154465313325056 (2.5 KB)
