sqlite3 interactive shell failed assertions and segmentation faults


sqlite3 interactive shell failed assertions and segmentation faults

Ryan Whitworth
Hello all,

I was using American Fuzzy Lop (afl-fuzz) to fuzz test stdin to the sqlite3
interactive shell.  AFL found a few inputs that cause segmentation faults
(mostly due to failed assertions, I think?).  Is this sort of thing worth
investigating further or a non-issue?

GDB backtrace details and input files can be found here:
https://github.com/rwhitworth/sqlite-fuzz/tree/master/2017-06-23-sqlite3.
Tests can be re-run via 'sqlite3 -bail < id_filename'

These inputs were found using a tarball download of the source from
2017-05-31 and also reconfirmed against a download on 2017-06-23.

Thanks for your time,
Ryan Whitworth
[hidden email]
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: sqlite3 interactive shell failed assertions and segmentation faults

Simon Slavin

On 24 Jun 2017, at 2:29am, Ryan Whitworth <[hidden email]> wrote:

> GDB backtrace details and input files can be found here:
> https://github.com/rwhitworth/sqlite-fuzz/tree/master/2017-06-23-sqlite3.

For those interested, all the faults found seem to concern dot commands.  Here is an example command which was found to cause problems:

.m i 000\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\0000\\00000000000000\\0\\\\\\\\\\\\\\\\\\\\\\\\\\\\0\\\\\\\\\\000000"0

The next two lines constitute another example:

.h 0
.m i 0""""""""""0

I think it’s worth repeating that, as Ryan himself wrote, these faults were found in the SQLite command shell tool, not in SQLite itself.  SQLite does not recognise the dot commands found here so it would not crash trying to process them.  Although there’s an opportunity to examine the command-line shell here, those using the SQLite API should not be alarmed purely on the basis of this report.

Simon.
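Simon's point that these crashes live in the shell's dot-command handling and not in the library can be checked directly: hand the same lines to the SQLite core through a language binding and the core reports a syntax error at the leading '.' instead of reaching any shell code. The block below is an added example written for this page, not code from the thread or from the SQLite project; it uses Python's bundled sqlite3 module (sqlite3_prepare underneath) and the three inputs quoted above, with the first reproduced as a raw string.

```python
import sqlite3

# Shell inputs quoted in the thread. Each is one line as the shell would read
# it; the first is the long backslash example, reproduced as a raw string.
DOT_COMMAND_INPUTS = [
    r'.m i 000\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\0000\\00000000000000\\0\\\\\\\\\\\\\\\\\\\\\\\\\\\\0\\\\\\\\\\000000"0',
    '.h 0',
    '.m i 0""""""""""0',
]


def core_reaction(statement):
    """Hand one shell crash input straight to the SQLite core through the
    Python binding, bypassing the shell's dot-command parser entirely.

    Returns ("error", message) when the core rejects the text at parse time
    and ("ok", row_count) when it runs. A crash in the core would surface as
    a process abort, never as a return value.
    """
    conn = sqlite3.connect(":memory:")
    try:
        rows = conn.execute(statement).fetchall()
        return ("ok", len(rows))
    except sqlite3.OperationalError as exc:  # parser or tokenizer error
        return ("error", str(exc))
    finally:
        conn.close()


def all_rejected_cleanly(inputs=DOT_COMMAND_INPUTS):
    """True when every input is refused by the core parser rather than run.
    A dot command is not SQL, so the core never reaches the code path the
    shell crashes in; it reports a syntax error at the leading '.'."""
    return all(core_reaction(text)[0] == "error" for text in inputs)


if __name__ == "__main__":
    print("library version:", sqlite3.sqlite_version)
    for text in DOT_COMMAND_INPUTS:
        print(repr(text[:24]), "->", core_reaction(text))
```

Running this against the same library version the shell was built from is the quick triage step: a clean OperationalError for every crash file means the bug report belongs to shell.c, which is what Simon found by inspection.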

Re: sqlite3 interactive shell failed assertions and segmentation faults

Richard Hipp
In reply to this post by Ryan Whitworth
Thanks for the report.

Thanks to Simon for verifying that these are all associated with the
command-line shell only and not with the SQLite core.

Note to Ryan: Please make sure your fuzzer is running inside a
sandbox, in case the fuzzer discovers pernicious dot-commands like
".sy rm -rf ~"

--
D. Richard Hipp
[hidden email]
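Richard's warning rests on two properties of the shell: some dot commands spawn a process or write files, and dot-command names are matched by prefix (the shell compares only as many characters as were typed), which is why ".sy rm -rf ~" selects .system. The sandbox is still required, but a pre-screen of the crash corpus avoids replaying such inputs with 'sqlite3 -bail < id_filename' on the host at all. The block below is an added example written for this page, not code from the thread or from the SQLite project. The list of escaping commands is an assumption compiled for the example, and the sample corpus is constructed from the thread's inputs plus Richard's hypothetical line.

```python
from pathlib import Path

# Dot commands that spawn a process or write outside the harness's stdin and
# stdout. Assumed, conservative list compiled for this example; extend it from
# the .help output of the shell build you actually fuzz.
ESCAPING_COMMANDS = {
    "system", "shell",                          # run a subprocess
    "output", "once", "save", "backup", "restore",
    "import", "read", "open", "clone", "log", "cd",
}


def possible_targets(name):
    """Full command names an abbreviated dot-command name could select.

    The shell resolves dot commands by prefix, comparing only as many
    characters as were typed, so '.sy' reaches .system. An empty name is a
    prefix of everything, so a bare '.' line is flagged too.
    """
    return sorted(c for c in ESCAPING_COMMANDS if c.startswith(name))


def screen_input(text):
    """Return (lineno, line, targets) for each line the shell could treat as
    an escaping dot command. Leading whitespace is tolerated and pending SQL
    context is ignored, so this over-flags rather than under-flags."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped.startswith("."):
            continue
        tokens = stripped[1:].split()
        name = tokens[0] if tokens else ""
        targets = possible_targets(name)
        if targets:
            hits.append((lineno, line, targets))
    return hits


def screen_corpus(inputs):
    """Map input name -> hits for a {name: text} corpus; safe inputs get []."""
    return {name: screen_input(text) for name, text in inputs.items()}


def load_corpus(directory):
    """Read AFL crash files as text. Invalid UTF-8 bytes are replaced, which
    cannot hide an ASCII '.' at the start of a line."""
    return {p.name: p.read_bytes().decode("utf-8", errors="replace")
            for p in sorted(Path(directory).iterdir()) if p.is_file()}


# Constructed sample corpus: the thread's two inputs plus Richard's example.
SAMPLE_CORPUS = {
    "id_000000": '.m i 0""""""""""0\n',
    "id_000001": '.h 0\n.m i 0""""""""""0\n',
    "id_000002": ".sy rm -rf ~\n",
    "id_000003": "SELECT 1;\n.s\n",   # '.s' alone could resolve to several commands
}


if __name__ == "__main__":
    for name, hits in screen_corpus(SAMPLE_CORPUS).items():
        verdict = "replay only in a sandbox" if hits else "no escaping dot command"
        print(f"{name}: {verdict}")
        for lineno, line, targets in hits:
            print(f"  line {lineno}: {line!r} could select {targets}")
```

Point load_corpus at the AFL crashes directory and replay only the inputs with no hits outside the sandbox; everything else, including anything that trips the prefix rule on a single letter, goes through the sandboxed run as Richard advises.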