Null-dereference READ in sqlite3VdbeExec
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6221464541986816

Fuzzer: libFuzzer_sqlite3_lpm_fuzzer
Fuzz target binary: sqlite3_lpm_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000030
Crash State:
  sqlite3VdbeExec
  sqlite3Step
  chrome_sqlite3_step

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=618097:618098

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6221464541986816

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Jan 19 (3 days ago)
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Jan 19 (3 days ago)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/b880687775ccc1a24323912f75efb50d21d98685 (Add well-formed SQLite LPM fuzzer seed corpus). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Yesterday (24 hours ago)

Today (23 hours ago)
Richard and Dan, could you please take a look?
This is from Matt's LPM fuzzer, so the test case binary is probably not very useful. I've attached it just in case.
Queries:
CREATE TABLE Table0 (Col0 ) ;
CREATE UNIQUE INDEX Index0 ON Table0(Col0 ) WHERE Col0 = 1 ;
INSERT INTO Table0 DEFAULT VALUES ;
INSERT INTO Table0 DEFAULT VALUES ;
CREATE INDEX Index6 ON Table0(1 );
UPDATE OR REPLACE Table0 SET Col0 = 1 ;
Stack trace:
==3720812==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f081d029a0c bp 0x7ffee8f29970 sp 0x7ffee8f29440 T0)
==3720812==The signal is caused by a READ memory access.
==3720812==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7f081d029a0b in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88444:14
#1 0x7f081cfc74dc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81445:10
#2 0x7f081cfbd64a in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81508:16
#3 0x55a05cd77292 in sql_fuzzer::RunSqlQueriesOnConnection(sqlite3*, std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >) third_party/sqlite/fuzz/sql_run_queries.cc:125:12
#4 0x55a05cd77b0e in sql_fuzzer::RunSqlQueries(std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >, bool) third_party/sqlite/fuzz/sql_run_queries.cc:167:3
#5 0x55a05cd43038 in TestOneProtoInput(sql_query_grammar::SQLQueries const&) third_party/sqlite/fuzz/sql_fuzzer.cc:57:3
#6 0x55a05cd42c03 in LLVMFuzzerTestOneInput third_party/sqlite/fuzz/sql_fuzzer.cc:38:1
Today (22 hours ago)

Today (16 hours ago)
Fixed by check-in https://www.sqlite.org/src/info/e148cdad35520e66