Use-of-uninitialized-value in sqlite3GetVarint32 |
|||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5646881099218944 Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer Fuzz target binary: sqlite3_dbfuzz2_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: sqlite3GetVarint32 sqlite3VdbeRecordUnpack btreeMoveto Sanitizer: memory (MSAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=614851:614852 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5646881099218944 Issue filed automatically. See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for instructions to reproduce this bug locally.
,
Jan 20
(3 days ago)
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
,
Jan 20
(3 days ago)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e3140a8f27345d395ea75fe619d730951a438e89 (Run SQLite DBFuzz2 on ClusterFuzz to fuzz for data corruption). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jan 20
(2 days ago)
Richard and Dan, could you look into this please?
dbfuzz2 test case attached. Stack trace below.
==2792855==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7fe0ce16d8cb in sqlite3GetVarint32 third_party/sqlite/amalgamation/sqlite3.c:31093:7
#1 0x7fe0ce1752cd in sqlite3VdbeRecordUnpack third_party/sqlite/amalgamation/sqlite3.c:79654:12
#2 0x7fe0ce18c3fc in btreeMoveto third_party/sqlite/amalgamation/sqlite3.c:63826:5
#3 0x7fe0ce18c00f in btreeRestoreCursorPosition third_party/sqlite/amalgamation/sqlite3.c:63858:8
#4 0x7fe0ce1950ec in btreeNext third_party/sqlite/amalgamation/sqlite3.c:68628:10
#5 0x7fe0ce17470d in sqlite3BtreeNext third_party/sqlite/amalgamation/sqlite3.c:0
#6 0x7fe0ce145bc7 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88333:8
#7 0x7fe0ce08accc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81445:10
#8 0x7fe0ce0773ee in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81508:16
#9 0x7fe0ce09d021 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118093:12
#10 0x5570178bdc69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5
Uninitialized value was created by a heap allocation
#0 0x55701786ebad in __interceptor_malloc third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:912:3
#1 0x7fe0ce35ef80 in sqlite3MemMalloc third_party/sqlite/amalgamation/sqlite3.c:22762:7
#2 0x7fe0ce0bea2f in mallocWithAlarm third_party/sqlite/amalgamation/sqlite3.c:26604:7
#3 0x7fe0ce061cb8 in sqlite3Malloc third_party/sqlite/amalgamation/sqlite3.c:26634:5
#4 0x7fe0ce12014c in saveCursorKey third_party/sqlite/amalgamation/sqlite3.c:63688:12
#5 0x7fe0ce11fbbd in saveCursorPosition third_party/sqlite/amalgamation/sqlite3.c:63724:8
#6 0x7fe0ce11f87a in saveCursorsOnList third_party/sqlite/amalgamation/sqlite3.c:63783:18
#7 0x7fe0ce11e526 in saveAllCursors third_party/sqlite/amalgamation/sqlite3.c:63765:18
#8 0x7fe0ce175f67 in sqlite3BtreeInsert third_party/sqlite/amalgamation/sqlite3.c:71402:10
#9 0x7fe0ce152ff3 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88410:10
#10 0x7fe0ce08accc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81445:10
#11 0x7fe0ce0773ee in chrome_sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81508:16
#12 0x7fe0ce09d021 in chrome_sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118093:12
#13 0x5570178bdc69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5
,
Jan 20
(2 days ago)
Richard and Dan, could you look into this bug, please? Test case and stack trace in the comment above.
,
Jan 20
(2 days ago)
,
Jan 20
(2 days ago)
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 20
(2 days ago)
Removing security flags, because this is a dbfuzz2 test case. dbfuzz2 covers database corruption handling, and taking advantage of the vulnerabilities it finds would require local disk access, which is outside of Chrome's threat model.
,
Yesterday
(38 hours ago)
This seems to be fixed by check-in https://sqlite.org/src/info/160b1e31c0f27257
,
Yesterday
(32 hours ago)
We've landed a backport for the patch above [1], and this crash is still showing up for us. If the problem is fixed on sqlite trunk, we can wait and see if upgrading to SQLite 3.27 makes it go away. [1] https://cs.chromium.org/chromium/src/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch?q=160b1e31c0f27257 |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by ClusterFuzz
, Jan 20 (3 days ago)Labels: Test-Predator-Auto-Components