Bug Report: Crash When Loading Short Journal

Bug Report: Crash When Loading Short Journal

Natalie Silvanovich
Hi,

I'm experiencing a crash when loading a database with a corrupt journal
file. The error occurs in readMasterJournal in the following code:

48741     if( SQLITE_OK!=(rc = sqlite3OsFileSize(pJrnl, &szJ))
48742      || szJ<16
48743      || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-16, &len))
48744      || len>=nMaster
48745      || len==0
48746      || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-12, &cksum))
48747      || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, aMagic, 8, szJ-8))
48748      || memcmp(aMagic, aJournalMagic, 8)
48749      || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, zMaster, len, szJ-16-len))

If len is longer than the file size szJ, szJ-16-len on line 48749 will be a
very large number that will then be converted to a very negative number
when passed to unixRead. This will cause the check:

 if( offset<pFile->mmapSize ){

to succeed even though pFile->mmapSize is null, leading to a crash.

I don't believe this is a security issue, because len can only be between 0
and 512 on most systems, but it can get an app that relies on SQLite stuck
in a reset loop.

A journal that causes this issue is attached.

To reproduce, copy the attached files into the same folder, and open the
database, for example:

sqlitebrowser EmailProviderBody.db

Thanks,

Natalie
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
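The two conditions the report describes, worked through as an added example that is not SQLite's code and not the trunk fix: a trailer parser that bounds the 32-bit length field against the file size before deriving a read offset from it, next to the raw offset expression and the mmap-size comparison that let a negative offset through. The journal magic, the byte-sum checksum, the 16-byte trailer layout as modelled here, and every function name are constructions for this example, not SQLite's definitions.

```c
/* Added example (not SQLite's code): validating the master-journal trailer
 * of a rollback journal before computing a read offset from it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed magic for this example; SQLite's real aJournalMagic differs. */
static const uint8_t kMagic[8] = { 'J','R','N','L','M','A','G','C' };

enum { MJ_NONE = 0, MJ_OK = 1, MJ_CORRUPT = -1 };

/* Big-endian 32-bit read/write, as used for the trailer fields here. */
static uint32_t read32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void write32(uint8_t *p, uint32_t v) {
  p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
  p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The offset expression from the report: szJ is a signed file size, len an
 * unsigned 32-bit field read from the file. Once len exceeds szJ-16 the
 * result is negative, which is the value handed to the read routine. */
static int64_t master_journal_offset(int64_t szJ, uint32_t len) {
  return szJ - 16 - (int64_t)len;
}

/* The unixRead condition quoted in the report: with mmapSize 0 (no mapping)
 * a negative offset still compares smaller and takes the mmap branch. */
static int takes_mmap_path(int64_t offset, int64_t mmapSize) {
  return offset < mmapSize;
}

/* Hardened reader: mirrors the checks quoted in the report and adds a bound
 * on len against the file size before any offset is derived from it.
 * Returns MJ_NONE (no master journal), MJ_OK (name copied) or MJ_CORRUPT.
 * The trailer is modelled as: name bytes, len(4), checksum(4), magic(8). */
static int read_master_journal(const uint8_t *jrnl, int64_t szJ,
                               char *zMaster, uint32_t nMaster) {
  uint32_t len, cksum, sum = 0, i;
  int64_t off;
  zMaster[0] = '\0';
  if (szJ < 16) return MJ_NONE;                   /* no room for a trailer */
  len = read32(jrnl + szJ - 16);
  if (len == 0) return MJ_NONE;                   /* no master journal */
  if (len >= nMaster) return MJ_CORRUPT;          /* would not fit the caller's buffer */
  if ((int64_t)len > szJ - 16) return MJ_CORRUPT; /* the bound the report's code lacks:
                                                     the name cannot start before the file */
  cksum = read32(jrnl + szJ - 12);
  if (memcmp(jrnl + szJ - 8, kMagic, 8) != 0) return MJ_CORRUPT;
  off = master_journal_offset(szJ, len);          /* now guaranteed >= 0 */
  memcpy(zMaster, jrnl + off, len);
  zMaster[len] = '\0';
  for (i = 0; i < len; i++) sum += (uint8_t)zMaster[i];   /* constructed checksum */
  if (sum != cksum) { zMaster[0] = '\0'; return MJ_CORRUPT; }
  return MJ_OK;
}

/* Build a constructed journal: name bytes followed by the 16-byte trailer.
 * claimedLen lets a caller write a len field inconsistent with the file. */
static int64_t build_journal(uint8_t *buf, size_t cap, const char *name,
                             uint32_t claimedLen) {
  size_t n = strlen(name);
  uint32_t sum = 0, i;
  if (n + 16 > cap) return -1;
  memcpy(buf, name, n);
  for (i = 0; i < n; i++) sum += (uint8_t)name[i];
  write32(buf + n, claimedLen);
  write32(buf + n + 4, sum);
  memcpy(buf + n + 8, kMagic, 8);
  return (int64_t)(n + 16);
}

int main(void) {
  uint8_t jrnl[256];
  char zMaster[64];
  int64_t szJ;

  /* Well-formed: len matches the 14-byte name actually present. */
  szJ = build_journal(jrnl, sizeof jrnl, "main.db-mj1234", 14);
  printf("valid: rc=%d name=%s\n",
         read_master_journal(jrnl, szJ, zMaster, sizeof zMaster), zMaster);

  /* Short journal: a 20-byte file whose trailer claims a 40-byte name. */
  szJ = build_journal(jrnl, sizeof jrnl, "abcd", 40);
  printf("short: offset=%lld mmap_branch=%d rc=%d\n",
         (long long)master_journal_offset(szJ, 40),
         takes_mmap_path(master_journal_offset(szJ, 40), 0),
         read_master_journal(jrnl, szJ, zMaster, sizeof zMaster));
  return 0;
}
```

The second case is the shape of the attached journal as the report describes it: the existing checks on szJ, nMaster, the magic and the checksum all pass or are never reached, and only a comparison of len against the file size stops the negative offset from being computed at all.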

Re: Bug Report: Crash When Loading Short Journal

Richard Hipp-3
On 9/6/17, Natalie Silvanovich <[hidden email]> wrote:
> I'm experiencing a crash when loading a database with a corrupt journal
> file.

The chances of hitting the problem by accident are remote - so much so
that it is impossible in practice.  This problem can only come up if
an adversary deliberately crafts a malicious rollback journal and
tricks an application into using it.

In any event, the problem is now fixed on trunk.  Thanks for the
concise and clear bug report!

--
D. Richard Hipp
[hidden email]