Issue 923902
Issue metadata

Status: Verified
Owner:
Closed: Today
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Crash in vdbeCompareMemString

Reported by ClusterFuzz (Project Member), Yesterday (37 hours ago)

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6329377709228032

Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: x86_libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xbebe0004
Crash State:
  vdbeCompareMemString
  sqlite3VdbeRecordCompareWithSkip
  vdbeRecordCompareInt
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6329377709228032

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

Comment 1 by ClusterFuzz (Project Member), Yesterday (36 hours ago)

Components: Internals>Storage
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Yesterday (36 hours ago)

Cc: pwnall@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 3 by pwnall@chromium.org, Yesterday (30 hours ago)

Cc: -pwnall@chromium.org drhsql...@gmail.com mpdenton@chromium.org danielk1...@gmail.com
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Stable -Security_Severity-Medium Pri-1 Type-Bug
Owner: pwnall@chromium.org
Status: Assigned (was: Untriaged)
Richard and Dan, can you please take a look?

dbfuzz2 test case attached. Stack trace below.

Removed security labels because dbfuzz2 targets database corruption handling, and its test cases can only be turned into attacks with local disk access, which is outside of Chrome's threat model.

==2269625==ERROR: AddressSanitizer: SEGV on unknown address 0xbebe0004 (pc 0xf7d3b927 bp 0xffd76c28 sp 0xffd76ba0 T0)
==2269625==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0xf7d3b926 in vdbeCompareMemString third_party/sqlite/amalgamation/sqlite3.c
    #1 0xf7d41e68 in sqlite3VdbeRecordCompareWithSkip third_party/sqlite/amalgamation/sqlite3.c:80187:16
    #2 0xf7d40a28 in vdbeRecordCompareInt third_party/sqlite/amalgamation/sqlite3.c:80356:11
    #3 0xf7d2b40f in sqlite3BtreeMovetoUnpacked third_party/sqlite/amalgamation/sqlite3.c
    #4 0xf7d3cf23 in btreeMoveto third_party/sqlite/amalgamation/sqlite3.c:63834:8
    #5 0xf7d3cb9a in btreeRestoreCursorPosition third_party/sqlite/amalgamation/sqlite3.c:63858:8
    #6 0xf7d432a3 in btreeNext third_party/sqlite/amalgamation/sqlite3.c:68628:10
    #7 0xf7d07f07 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:88333:8
    #8 0xf7c97b5f in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81445:10
    #9 0xf7c8c36c in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81508:16
    #10 0xf7ca2bf7 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118093:12
    #11 0x566f40ae in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5

Attachment: clusterfuzz-testcase-minimized-sqlite3_dbfuzz2_fuzzer-6329377709228032 (2.5 KB)

Comment 4 by drhsql...@gmail.com, Yesterday (27 hours ago)

I think https://www.sqlite.org/src/info/058a8006dceda78a is the correct fix for this.

Comment 5 by pwnall@chromium.org, Today (23 hours ago)

Status: Started (was: Assigned)
Thank you very much for fixing this so quickly, Richard! I am backporting the fix.

Comment 6 by bugdroid (Project Member), Today (9 hours ago)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/846fd43e9412f97c0f0732807537fa3981c38ee3

commit 846fd43e9412f97c0f0732807537fa3981c38ee3
Author: Victor Costan <pwnall@chromium.org>
Date: Tue Jan 22 21:15:35 2019

sqlite: Backport a fourth round of bugfixes.

Bug: 914028, 914614, 917075, 917786, 921417, 921684, 922399, 922844, 922849, 923196, 923715, 923743, 923902
Change-Id: Id642f518153293afa8787b70692a97560dc4691b
Reviewed-on: https://chromium-review.googlesource.com/c/1424164
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Auto-Submit: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#624921}
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/amalgamation/rename_exports.h
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/amalgamation/sqlite3.h
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0028-Fix-deleting-a-B-tree-entry-in-a-corrupt-database.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0029-Fix-sorting-results-with-SRT_EphemTab-and-a-LIMIT-cl.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0030-Fix-detection-of-orphaned-and-malformed-autoindexes.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0031-Fix-potential-buffer-overread.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0032-Fix-handling-negative-number-of-pages-database-field.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0033-Fix-corner-case-in-inserting-null-into-integer-prima.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0034-Fix-insert-infinite-recursion-on-some-corrupted-data.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0035-Fix-null-pointer-dereference-in-sqlite3ExprCompare.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0036-Fix-NEVER-that-is-sometimes-true.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0037-Initialize-extra-bytes-allocated-for-saved-cursor-po.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0038-Fix-leaks-caused-by-circular-references-in-vtable-sh.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0039-Fix-overly-large-malloc-on-btree-corruption.patch
[add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0040-Fix-null-pointer-access-on-corrupted-index-key.patch
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/fts3/fts3_write.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/fts5/fts5_index.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/fts5/fts5_storage.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/rtree/rtree.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/build.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/expr.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/insert.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/pcache1.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/prepare.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/sqlite.h.in
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/sqliteInt.h
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/trigger.c
[modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/vdbeaux.c


Comment 7 by ClusterFuzz (Project Member), Today (6 hours ago)

ClusterFuzz has detected this issue as fixed in range 624910:624934.

Detailed report: https://clusterfuzz.com/testcase?key=6329377709228032

Fuzzer: libFuzzer_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: x86_libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xbebe0004
Crash State:
  vdbeCompareMemString
  sqlite3VdbeRecordCompareWithSkip
  vdbeRecordCompareInt
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Fixed: https://clusterfuzz.com/revisions?job=x86_libfuzzer_chrome_asan&range=624910:624934

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6329377709228032

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz (Project Member), Today (6 hours ago)

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6329377709228032 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.