Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/0abd626ef136c39711131a2ad9947cb61d6b4b7f (sqlite: Backport a few more bug fixes.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Removing security restrictions, because dbfuzz2 detects database corruption handling bugs, which can only be exploited by an attacker with local disk access.

This problem exists on master, but goes away with the pending backports. I expect that clusterfuzz will mark this as fixed once we land the backports.

Attached the test case and stack trace for completeness.

==1793336==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f7a980ff72b in sqlite3VdbeRecordUnpack third_party/sqlite/amalgamation/sqlite3.c:79648:9
    #1 0x7f7a981163fc in btreeMoveto third_party/sqlite/amalgamation/sqlite3.c:63826:5
    #2 0x7f7a9811600f in btreeRestoreCursorPosition third_party/sqlite/amalgamation/sqlite3.c:63858:8
    #3 0x7f7a9811f0ec in btreeNext third_party/sqlite/amalgamation/sqlite3.c:68628:10
    #4 0x7f7a980fe70d in sqlite3BtreeNext third_party/sqlite/amalgamation/sqlite3.c:0
    #5 0x7f7a980cfbc7 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88333:8
    #6 0x7f7a98014ccc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81445:10
    #7 0x7f7a980013ee in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81508:16
    #8 0x7f7a98027021 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118093:12
    #9 0x55ab529dfc69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5

  Uninitialized value was created by a heap allocation
    #0 0x55ab52990bad in __interceptor_malloc third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:912:3
    #1 0x7f7a982e8f80 in sqlite3MemMalloc third_party/sqlite/amalgamation/sqlite3.c:22762:7
    #2 0x7f7a98048a2f in mallocWithAlarm third_party/sqlite/amalgamation/sqlite3.c:26604:7
    #3 0x7f7a97febcb8 in sqlite3Malloc third_party/sqlite/amalgamation/sqlite3.c:26634:5
    #4 0x7f7a980aa14c in saveCursorKey third_party/sqlite/amalgamation/sqlite3.c:63688:12
    #5 0x7f7a980a9bbd in saveCursorPosition third_party/sqlite/amalgamation/sqlite3.c:63724:8
    #6 0x7f7a980a987a in saveCursorsOnList third_party/sqlite/amalgamation/sqlite3.c:63783:18
    #7 0x7f7a980a8526 in saveAllCursors third_party/sqlite/amalgamation/sqlite3.c:63765:18
    #8 0x7f7a980fff67 in sqlite3BtreeInsert third_party/sqlite/amalgamation/sqlite3.c:71402:10
    #9 0x7f7a980dcff3 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88410:10
    #10 0x7f7a98014ccc in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81445:10
    #11 0x7f7a980013ee in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81508:16
    #12 0x7f7a98027021 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118093:12
    #13 0x55ab529dfc69 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5

Deleted: clusterfuzz-testcase-minimized-sqlite3_dbfuzz2_fuzzer-6275221577400320 2.5 KB

clusterfuzz-testcase-minimized-sqlite3_dbfuzz2_fuzzer-6275221577400320 2.5 KB View Download

Richard and Dan, can you please take a look at this?

dbfuzz2 test case and stack trace above. My previous comment is wrong, the crash still reproduces with our pending backports.

Fixed by check-in https://www.sqlite.org/src/info/2737564929e86ead

Thank you very much for the quick fix, Richard! I am backporting this.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/846fd43e9412f97c0f0732807537fa3981c38ee3

commit 846fd43e9412f97c0f0732807537fa3981c38ee3
Author: Victor Costan <pwnall@chromium.org>
Date: Tue Jan 22 21:15:35 2019

sqlite: Backport a fourth round of bugfixes.

Bug:  914028 ,  914614 , 917075, 917786,  921417 , 921684, 922399, 922844, 922849,  923196 ,  923715 ,  923743 ,  923902 
Change-Id: Id642f518153293afa8787b70692a97560dc4691b
Reviewed-on: https://chromium-review.googlesource.com/c/1424164
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Auto-Submit: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#624921}
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/amalgamation/rename_exports.h
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/amalgamation/sqlite3.h
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0028-Fix-deleting-a-B-tree-entry-in-a-corrupt-database.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0029-Fix-sorting-results-with-SRT_EphemTab-and-a-LIMIT-cl.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0030-Fix-detection-of-orphaned-and-malformed-autoindexes.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0031-Fix-potential-buffer-overread.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0032-Fix-handling-negative-number-of-pages-database-field.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0033-Fix-corner-case-in-inserting-null-into-integer-prima.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0034-Fix-insert-infinite-recursion-on-some-corrupted-data.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0035-Fix-null-pointer-dereference-in-sqlite3ExprCompare.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0036-Fix-NEVER-that-is-sometimes-true.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0037-Initialize-extra-bytes-allocated-for-saved-cursor-po.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0038-Fix-leaks-caused-by-circular-references-in-vtable-sh.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0039-Fix-overly-large-malloc-on-btree-corruption.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0040-Fix-null-pointer-access-on-corrupted-index-key.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/fts3/fts3_write.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/fts5/fts5_index.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/fts5/fts5_storage.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/rtree/rtree.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/build.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/expr.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/insert.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/pcache1.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/prepare.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/sqlite.h.in
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/sqliteInt.h
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/trigger.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/vdbeaux.c

ClusterFuzz has detected this issue as fixed in range 624919:624923.

Detailed report: https://clusterfuzz.com/testcase?key=6275221577400320

Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  sqlite3VdbeRecordUnpack
  btreeMoveto
  btreeRestoreCursorPosition
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=622610:622627
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=624919:624923

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6275221577400320

See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6275221577400320 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.