Another CLI problem
(1.1) By Yu Liang (LY1598773890) on 2022-10-27 18:27:54 edited from 1.0 [source]
The latest SQLite3 crashes when executing the query from this link: PoC LINK. The PoC is just a four-line query, but it contains a special character in the first line that I cannot copy and paste into this report. Therefore, I have to share the PoC file on Google Drive.
To trigger this bug, run the CLI command: sqlite3 < poc.
Here is some debug information from the crash, from SQLite3 version: 7450a561f8.
Stack Trace:
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x608530 (<__libc_csu_init>: endbr64)
RCX: 0x0
RDX: 0x0
RSI: 0x4
RDI: 0x7ffff7d6e6a0 --> 0xfbad2a84
RBP: 0x7fffffffb8c0 --> 0x7fffffffbb60 --> 0x7fffffffbca0 --> 0x7fffffffbd30 --> 0x7fffffffc5e0 --> 0x7fffffffc660 (--> ...)
RSP: 0x7fffffffb890 --> 0x0
RIP: 0x437c4c (<utf8_width_print+76>: cmp BYTE PTR [rax+rcx*1],0x0)
R8 : 0x6a12e0 --> 0x100000001
R9 : 0x6a92d0 --> 0x18b0
R10: 0x69f010 --> 0x1
R11: 0x7ffff7d6dbe0 --> 0x6b62c0 --> 0x0
R12: 0x403750 (<_start>: endbr64)
R13: 0x7fffffffdde0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x437c3d <utf8_width_print+61>: mov DWORD PTR [rbp-0x1c],0x0
0x437c44 <utf8_width_print+68>: mov rax,QWORD PTR [rbp-0x18]
0x437c48 <utf8_width_print+72>: movsxd rcx,DWORD PTR [rbp-0x1c]
=> 0x437c4c <utf8_width_print+76>: cmp BYTE PTR [rax+rcx*1],0x0
0x437c50 <utf8_width_print+80>: je 0x437cd2 <utf8_width_print+210>
0x437c56 <utf8_width_print+86>: mov rax,QWORD PTR [rbp-0x18]
0x437c5a <utf8_width_print+90>: movsxd rcx,DWORD PTR [rbp-0x1c]
0x437c5e <utf8_width_print+94>: movsx edx,BYTE PTR [rax+rcx*1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb890 --> 0x0
0008| 0x7fffffffb898 --> 0x400000004
0016| 0x7fffffffb8a0 --> 0x0
0024| 0x7fffffffb8a8 --> 0x0
0032| 0x7fffffffb8b0 --> 0x400008000
0040| 0x7fffffffb8b8 --> 0x7ffff7d6e6a0 --> 0xfbad2a84
0048| 0x7fffffffb8c0 --> 0x7fffffffbb60 --> 0x7fffffffbca0 --> 0x7fffffffbd30 --> 0x7fffffffc5e0 --> 0x7fffffffc660 (--> ...)
0056| 0x7fffffffb8c8 --> 0x435e5e (<shell_callback+654>: mov ecx,DWORD PTR [rbp-0x34])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000437c4c in utf8_width_print (pOut=0x7ffff7d6e6a0 <_IO_2_1_stdout_>, w=0x4, zUtf=0x0) at shell.c:570
570 for(i=n=0; zUtf[i]; i++){
gdb-peda$ bt
#0 0x0000000000437c4c in utf8_width_print (pOut=0x7ffff7d6e6a0 <_IO_2_1_stdout_>, w=0x4, zUtf=0x0) at shell.c:570
#1 0x0000000000435e5e in shell_callback (pArg=0x7fffffffc7c0, nArg=0x4, azArg=0x6a12c0, azCol=0x6a12a0, aiType=0x6a12e0) at shell.c:13385
#2 0x000000000043a466 in exec_prepared_stmt (pArg=0x7fffffffc7c0, pStmt=0x6b2f30) at shell.c:14898
#3 0x0000000000418607 in shell_exec (pArg=0x7fffffffc7c0, zSql=0x6a7980 "EXPLAIN QUERY PLAN SELECT 0", pzErrMsg=0x7fffffffc5b0) at shell.c:15174
#4 0x000000000043e55f in runOneSqlLine (p=0x7fffffffc7c0, zSql=0x6a7980 "EXPLAIN QUERY PLAN SELECT 0", in=0x7ffff7d6d980 <_IO_2_1_stdin_>, startline=0x3)
at shell.c:22787
#5 0x00000000004193aa in process_input (p=0x7fffffffc7c0) at shell.c:22970
#6 0x000000000040ad67 in main (argc=0x1, argv=0x7fffffffdde8) at shell.c:23806
#7 0x00007ffff7ba5083 in __libc_start_main (main=0x408e40 <main>, argc=0x1, argv=0x7fffffffdde8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffddd8) at ../csu/libc-start.c:308
#8 0x000000000040377e in _start ()
Bisecting log:
bisect complete
1 BAD 2022-10-27 14:41:38 a608d584a8a68eba
3 BAD 2022-06-22 18:33:21 5247df05991df979
4 BAD 2022-05-12 17:09:33 7a2ac303d1436a42
5 BAD 2022-04-11 11:25:28 e8c00442d2daedec
6 BAD 2022-04-02 20:08:48 8a3a3486358d076c
7 BAD 2022-03-30 17:36:40 9248ce50f57fb9c4
9 BAD 2022-03-29 13:16:32 d0966d1bdd474e27
10 BAD 2022-03-28 18:34:40 310a3e102d8eedf9
11 GOOD 2022-03-28 17:34:46 06928e745c7bcb26 CURRENT
8 GOOD 2022-03-28 14:56:47 daa924af98725334
2 GOOD 2022-03-21 20:08:13 c7a2047e93df36c1
Looking forward to your reply. Thank you! :-)
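The top frame of the trace shows utf8_width_print entered with zUtf=0x0 and dereferencing it in the loop at shell.c:570 (RAX is 0 at the faulting cmp). The following is an added example, not SQLite's shell.c and not the fix that landed on trunk: a simplified stand-in for a width-limited UTF-8 column printer with the same loop shape as the line quoted in the trace, plus a NULL guard so a missing column value is rendered as an empty, padded field instead of a crash. The names utf8_width_measure, utf8_width_format and width_matches are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Count UTF-8 code points in zUtf up to a display width of aw.
** Returns the number of code points counted and stores the number of
** bytes consumed in *pnByte. Continuation bytes (10xxxxxx) do not add
** to the width. NULL is treated as the empty string; without this guard
** the loop below would read zUtf[0] through a null pointer, which is the
** access reported at shell.c:570 in the trace above. */
static int utf8_width_measure(const char *zUtf, int aw, int *pnByte){
  int i, n;
  if( zUtf==0 ){            /* guard: NULL column value */
    *pnByte = 0;
    return 0;
  }
  for(i=n=0; zUtf[i]; i++){
    if( (zUtf[i]&0xc0)!=0x80 ){   /* lead byte or ASCII: one more column */
      n++;
      if( n==aw ){
        /* reached the width: swallow this character's continuation bytes */
        do{ i++; }while( (zUtf[i]&0xc0)==0x80 );
        break;
      }
    }
  }
  *pnByte = i;
  return n;
}

/* Render zUtf into zOut (size nOut) truncated or padded to |w| columns.
** Negative w right-aligns, as a "-w" style flag would. Returns the number
** of bytes written (excluding the terminator), or -1 if zOut is too small. */
static int utf8_width_format(char *zOut, size_t nOut, int w, const char *zUtf){
  int aw = w<0 ? -w : w;
  int nByte, n, rc;
  if( zUtf==0 ) zUtf = "";   /* guard: print an empty field for NULL */
  n = utf8_width_measure(zUtf, aw, &nByte);
  if( n>=aw ){
    rc = snprintf(zOut, nOut, "%.*s", nByte, zUtf);
  }else if( w<0 ){
    rc = snprintf(zOut, nOut, "%*s%s", aw-n, "", zUtf);
  }else{
    rc = snprintf(zOut, nOut, "%s%*s", zUtf, aw-n, "");
  }
  return (rc<0 || (size_t)rc>=nOut) ? -1 : rc;
}

/* Helper for checks: 1 if formatting (w, zUtf) yields exactly zExpect. */
static int width_matches(int w, const char *zUtf, const char *zExpect){
  char zBuf[64];
  if( utf8_width_format(zBuf, sizeof(zBuf), w, zUtf)<0 ) return 0;
  return strcmp(zBuf, zExpect)==0;
}

int main(void){
  char zBuf[64];
  const char *azVal[] = { "ab", "h\xc3\xa9llo", 0 };   /* constructed sample values, last one NULL */
  int i;
  for(i=0; i<3; i++){
    utf8_width_format(zBuf, sizeof(zBuf), 4, azVal[i]);
    printf("[%s]\n", zBuf);
  }
  return 0;
}
```

The measure step is where the trace crashed: the shell-side caller passed a null column pointer, and the loop condition `zUtf[i]` reads it before anything else. Guarding at both the measure and the format entry point means whichever layer a caller reaches, a NULL column degrades to an empty field.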
(2) By Tim Streater (Clothears) on 2022-10-27 18:12:14 in reply to 1.0 [link] [source]
Third-Mini% hexdump -C poc
00000000 2e 00 0a 65 78 70 0a 2e 6c 69 6d 69 74 20 6c 65 |...exp..limit le|
00000010 20 30 0a 45 58 50 4c 41 49 4e 20 51 55 45 52 59 | 0.EXPLAIN QUERY|
00000020 20 50 4c 41 4e 20 53 45 4c 45 43 54 20 30 | PLAN SELECT 0|
0000002e
Third-Mini% sqlite3
CLI sqlite3 3.39.2 segfaults with this file.
(3) By Richard Hipp (drh) on 2022-10-27 18:25:40 in reply to 1.0 [link] [source]
POC that uses no special characters:
.explain
.limit length 0
EXPLAIN QUERY PLAN SELECT 0;
Fixed on trunk. Thank you for the bug report.
(4) By Yu Liang (LY1598773890) on 2022-10-27 18:35:17 in reply to 3 [link] [source]
Thank you, Richard, for the super quick reply and super quick fix.
I appreciate the response!