Out of bounds memory reads triggered by sqlite tests (testfixture/fuzzcheck)

Hanno Böck
Hi,

When compiling sqlite with address sanitizer (-fsanitize=address in
CFLAGS/LDFLAGS) and running the tests, I get two memory safety
violations.

I've attached the ASAN error messages / stack traces. Both are out of
bounds memory reads, in testfixture and fuzzcheck.

I strongly recommend that the tests be run routinely with address
sanitizer enabled. Fuzz-testing in particular becomes much more
effective with it.

--
Hanno Böck
https://hboeck.de/

mail/jabber: [hidden email]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: Out of bounds memory reads triggered by sqlite tests (testfixture/fuzzcheck)

Hanno Böck
It seems the mailing list strips out the attachments.
Pasting the content of the ASAN errors in here:

-------------------------------------------

==9547==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007fe73e at pc 0x4ecfea bp 0x7ffc7f568090 sp 0x7ffc7f568080
READ of size 2 at 0x0000007fe73e thread T0
    #0 0x4ecfe9 in sqlite3Fts5UnicodeCategory /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:217750
    #1 0x5724d6 in sqlite3Fts5UnicodeCategory /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:204505
    #2 0x5724d6 in fts5ExprIsAlnum /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:204505
    #3 0x6d8eac in sqlite3VdbeExec /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:89966
    #4 0x6f2c49 in sqlite3Step /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:81043
    #5 0x6f2c49 in sqlite3_step /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:81106
    #6 0x4c1694 in dbEvalStep /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/src/tclsqlite.c:1598
    #7 0x4c5b5f in DbObjCmd /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/src/tclsqlite.c:2573
    #8 0x7fcca39c95db in TclNRRunCallbacks (/usr/lib64/libtcl8.6.so+0xd35db)
    #9 0x7fcca3bfc5a5 (/usr/lib64/libtcl8.6.so+0x3065a5)
    #10 0x7fcca3c02177 (/usr/lib64/libtcl8.6.so+0x30c177)
    #11 0x7fcca39c95db in TclNRRunCallbacks (/usr/lib64/libtcl8.6.so+0xd35db)
    #12 0x7fcca3a1533c (/usr/lib64/libtcl8.6.so+0x11f33c)
    #13 0x7fcca39c95db in TclNRRunCallbacks (/usr/lib64/libtcl8.6.so+0xd35db)
    #14 0x7fcca39cfc92 (/usr/lib64/libtcl8.6.so+0xd9c92)
    #15 0x7fcca39d08e2 in Tcl_EvalEx (/usr/lib64/libtcl8.6.so+0xda8e2)
    #16 0x7fcca39d0904 in Tcl_Eval (/usr/lib64/libtcl8.6.so+0xda904)
    #17 0x7fcca39d1db7 in Tcl_GlobalEval (/usr/lib64/libtcl8.6.so+0xdbdb7)
    #18 0x408d93 in main /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/src/tclsqlite.c:3780
    #19 0x7fcca33824ca in __libc_start_main (/lib64/libc.so.6+0x234ca)
    #20 0x408fa9 in _start (/var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/testfixture+0x408fa9)

0x0000007fe73e is located 2 bytes to the left of global variable 'aFts5UnicodeBlock' from 'sqlite3.c' (0x7fe740) of size 34
0x0000007fe73e is located 52 bytes to the right of global variable 'aFts5UnicodeMap' from 'sqlite3.c' (0x7fd940) of size 3530
SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:217750 sqlite3Fts5UnicodeCategory
==9547==ABORTING


-------------------------------------------

=================================================================
==9454==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180005277a2 at pc 0x565790 bp 0x7ffc663f6500 sp 0x7ffc663f64f0
READ of size 4 at 0x6180005277a2 thread T0
    #0 0x56578f in sqlite3Get4byte /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:31007
    #1 0x56578f in ptrmapPutOvflPtr /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:64015
    #2 0x5659f9 in ptrmapPutOvflPtr /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:64011
    #3 0x5659f9 in setChildPtrmaps /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:66136
    #4 0x566087 in copyNodeContent /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:69875
    #5 0x570017 in copyNodeContent /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:69706
    #6 0x570017 in balance_deeper /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:70697
    #7 0x570017 in balance /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:70760
    #8 0x5798c0 in sqlite3BtreeInsert /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:71199
    #9 0x5e145a in sqlite3VdbeExec /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:87292
    #10 0x5f80d8 in sqlite3Step /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:81043
    #11 0x5f80d8 in sqlite3_step /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:81106
    #12 0x419538 in runSql /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/test/fuzzcheck.c:667
    #13 0x4171bf in main /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/test/fuzzcheck.c:1276
    #14 0x7fcbc8c6e4ca in __libc_start_main (/lib64/libc.so.6+0x234ca)
    #15 0x418429 in _start (/var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/fuzzcheck+0x418429)

0x6180005277a2 is located 26 bytes to the right of 776-byte region [0x618000527480,0x618000527788)
allocated by thread T0 here:
    #0 0x7fcbc92394d2 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/libasan.so.1+0x574d2)
    #1 0x4e2410 in sqlite3MemMalloc /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:22576

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/dev-db/sqlite-3.25.3/work/sqlite-src-3250300-abi_x86_64.amd64/sqlite3.c:31007 sqlite3Get4byte
==9454==ABORTING


-------------------------------------------
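Running the test suite under ASAN routinely, as the first message recommends, produces reports in exactly the format pasted above, and a fuzzing run produces many near-duplicates. The following Python script is an added example (not SQLite code and not the poster's): it parses such output into structured records, computes where the bad access sits relative to the object ASAN names, and derives a dedupe key so repeated crashes bucket together. The sample input is constructed from the two reports above with the build paths trimmed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample: the two reports posted in this thread, trimmed to the lines the parser uses.
SAMPLE = """\
==9547==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007fe73e at pc 0x4ecfea bp 0x7ffc7f568090 sp 0x7ffc7f568080
READ of size 2 at 0x0000007fe73e thread T0
    #0 0x4ecfe9 in sqlite3Fts5UnicodeCategory sqlite3.c:217750
0x0000007fe73e is located 2 bytes to the left of global variable 'aFts5UnicodeBlock' from 'sqlite3.c' (0x7fe740) of size 34
==9547==ABORTING
==9454==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180005277a2 at pc 0x565790 bp 0x7ffc663f6500 sp 0x7ffc663f64f0
READ of size 4 at 0x6180005277a2 thread T0
    #0 0x56578f in sqlite3Get4byte sqlite3.c:31007
    #1 0x56578f in ptrmapPutOvflPtr sqlite3.c:64015
0x6180005277a2 is located 26 bytes to the right of 776-byte region [0x618000527480,0x618000527788)
==9454==ABORTING
"""
HEADER = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address 0x")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at ")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
LOCATED = re.compile(r"is located (\d+) bytes to the (left|right) of "
                     r"(?:global variable '(\w+)'.* of size (\d+)|(\d+)-byte region)")
@dataclass
class AsanReport:
    kind: str                     # e.g. global-buffer-overflow, heap-buffer-overflow
    access: str = ""              # READ or WRITE
    size: int = 0                 # bytes accessed
    frames: List[str] = field(default_factory=list)  # "function file:line", innermost first
    obj: str = ""                 # named global, or "heap region"
    offset: Optional[int] = None  # access offset from the object's start; negative = before it

def parse_asan(text: str) -> List[AsanReport]:
    reports: List[AsanReport] = []
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            reports.append(AsanReport(m.group(1)))
        elif not reports:
            continue  # output before the first report
        elif (m := ACCESS.match(line)):
            reports[-1].access, reports[-1].size = m.group(1), int(m.group(2))
        elif (m := FRAME.match(line)) and reports[-1].offset is None:  # skip allocation stack
            reports[-1].frames.append(f"{m.group(1)} {m.group(2)}")
        elif reports[-1].offset is None and (m := LOCATED.search(line)):  # first neighbour only
            dist, side, obj_size = int(m.group(1)), m.group(2), int(m.group(4) or m.group(5))
            reports[-1].obj = m.group(3) or "heap region"
            reports[-1].offset = -dist if side == "left" else obj_size + dist
    return reports

def bucket_key(r: AsanReport) -> str:  # dedupe key: bug class, access type, innermost frame
    return f"{r.kind}:{r.access}:{r.frames[0].split()[0] if r.frames else '?'}"
```

For the two reports above the offsets come out as -2 (a read just before `aFts5UnicodeBlock`) and 802 (26 bytes past a 776-byte heap region), which is the information worth carrying into a bug tracker alongside the dedupe key.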

Re: Out of bounds memory reads triggered by sqlite tests (testfixture/fuzzcheck)

Hanno Böck
It seems these have now been fixed with these commits:
https://www.sqlite.org/src/info/4e38f27b55030e90
https://www.sqlite.org/src/info/a62e6b593b59eae4
