sqlite3Init null pointer bug


sqlite3Init null pointer bug

Xingwei Lin
Hi,

I found a null pointer access problem in the sqlite3Init function in version
3.26.0.

The poc is simple:

.open .
.selftest


The GDB debug traces are:

#0  0x000055d76316ae12 in sqlite3Init (db=0x55d76509de18,
    pzErrMsg=0x7fffa3d64ac0) at sqlite3.c:123082
#1  0x000055d7631a22d7 in sqlite3_table_column_metadata (db=0x55d76509de18,
    zDbName=0x55d7631fa22e "main", zTableName=0x55d763200574 "selftest",
    zColumnName=0x0, pzDataType=0x0, pzCollSeq=0x0, pNotNull=0x0,
    pPrimaryKey=0x0, pAutoinc=0x0) at sqlite3.c:156312
#2  0x000055d7630e73f3 in do_meta_command (zLine=0x55d765090970
    ".selftest", p=0x7fffa3d68090) at shell.c:14816
#3  0x000055d7630ea430 in process_input (p=0x7fffa3d68090,
    in=0x55d76506f6d0) at shell.c:15712
#4  0x000055d7630e669c in do_meta_command (zLine=0x55d7650909f0 ".read",
    p=0x7fffa3d68090) at shell.c:14369
#5  0x000055d7630ea430 in process_input (p=0x7fffa3d68090, in=0x0) at
    shell.c:15712
#6  0x000055d7630ec173 in main (argc=1, argv=0x7fffa3d69668) at
    shell.c:16479


When we invoke ".open .", sqlite3 will fail to open the "." database.
However, sqlite3 will still create the db ("struct sqlite3") object without full
initialization and does not destroy it in "shell.c:11306".

Then when we invoke ".selftest", when the routine goes to the sqlite3Init
function, it will call "ENC(db) = SCHEMA_ENC(db);",
which is a macro: "#define SCHEMA_ENC(db) ((db)->aDb[0].pSchema->enc)".

"SCHEMA_ENC(db)" will access the "pSchema" field, which has not been
initialized yet because creating the "." database failed.

Attached is the poc sql file.
I used the following commands:

./sqlite3

sqlite> .read crash.sql


--
Best regards,
Xingwei Lin
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
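As an added illustration (not code from this thread or from the SQLite project), here is the C API contract the CLI tripped over, driven from Python via ctypes against the system libsqlite3 (assumed to be installed; the fallback library names are an assumption). Opening a directory fails with SQLITE_CANTOPEN, yet sqlite3_open_v2 still hands back a non-NULL connection; the safe caller closes it and keeps nothing, so a later schema-touching call has no half-initialised handle to dereference.

```python
import ctypes
import ctypes.util

SQLITE_OK = 0
SQLITE_CANTOPEN = 14
OPEN_FLAGS = 0x00000002 | 0x00000004  # SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE

def _load_libsqlite3():
    # Fallback names are an assumption for systems where find_library returns None.
    names = [ctypes.util.find_library("sqlite3"), "libsqlite3.so.0", "libsqlite3.dylib"]
    for name in filter(None, names):
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    raise OSError("libsqlite3 not found")

lib = _load_libsqlite3()
lib.sqlite3_open_v2.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_void_p),
                                ctypes.c_int, ctypes.c_char_p]
lib.sqlite3_open_v2.restype = ctypes.c_int
lib.sqlite3_errmsg.argtypes = [ctypes.c_void_p]
lib.sqlite3_errmsg.restype = ctypes.c_char_p
lib.sqlite3_close.argtypes = [ctypes.c_void_p]
lib.sqlite3_close.restype = ctypes.c_int

def probe_open(path):
    """Open `path`, record what the API hands back, then release the handle.
    On failure sqlite3_open_v2 still returns a non-NULL connection that is good
    only for sqlite3_errmsg()/sqlite3_close(): its schema is never set up."""
    db = ctypes.c_void_p()
    rc = lib.sqlite3_open_v2(path.encode(), ctypes.byref(db), OPEN_FLAGS, None)
    got_handle = db.value is not None
    errmsg = lib.sqlite3_errmsg(db).decode() if got_handle else ""
    close_rc = lib.sqlite3_close(db) if got_handle else SQLITE_OK
    return {"rc": rc & 0xFF, "got_handle": got_handle,
            "errmsg": errmsg, "close_rc": close_rc}

def open_checked(path):
    """Safe pattern: keep the handle only when rc == SQLITE_OK; otherwise close
    it and hold nothing, so a later command sees "no database open" instead of
    a half-initialised connection whose aDb[0].pSchema is still NULL."""
    db = ctypes.c_void_p()
    rc = lib.sqlite3_open_v2(path.encode(), ctypes.byref(db), OPEN_FLAGS, None)
    if rc != SQLITE_OK:
        lib.sqlite3_close(db)  # the failed handle must still be released
        return None
    return db
```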

Re: sqlite3Init null pointer bug

Richard Hipp-3
This is an issue with the CLI, not with the SQLite core.  It is fixed
here: https://www.sqlite.org/src/info/d7f55c62c3fa053b

On 1/4/19, Xingwei Lin <[hidden email]> wrote:



--
D. Richard Hipp
[hidden email]