SQLite Forum

Heap buffer overflow in sqlite3StrICmp function

(1) By Song Liu (songliu) on 2023-04-14 06:56:37

I found a heap buffer overflow while SQLite (latest, bb2b5ab172f0751c) executes the following queries.

CREATE TABLE v0 (c1 INTEGER PRIMARY KEY ON CONFLICT IGNORE);
CREATE VIEW v2 AS SELECT c1 FROM v0 a WHERE 0;
0;
CREATE VIEW v10 AS SELECT 0 FROM v2 A WHERE EXISTS (SELECT 0 FROM v0 JOIN v0 L JOIN v2 L JOIN v2 a NATURAL JOIN (SELECT c1 ORDER BY 4000000000) JOIN v0 a ORDER BY +sum(0) OVER (ORDER BY randomblob(0))) ORDER BY 1;
SELECT 0 FROM v10 A, v0 a0 WHERE NOT json_quote(a0.c1);

Here is the result of bisecting:

 10 BAD     2022-12-14 17:46:35 27655c9353620aa5
 11 GOOD    2022-12-14 16:40:17 349bb28f614bc210 CURRENT

Here is the ASAN report:

==1214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000017f8 at pc 0x564884eafd50 bp 0x7ffef8c7d680 sp 0x7ffef8c7d670
READ of size 1 at 0x6020000017f8 thread T0
    #0 0x564884eafd4f in sqlite3StrICmp /home/vancir/testbug/sqlite_bisect/sqlite3.c:34117
    #1 0x564884eb5ce0 in findElementWithHash /home/vancir/testbug/sqlite_bisect/sqlite3.c:35779
    #2 0x564884eb61aa in sqlite3HashFind /home/vancir/testbug/sqlite_bisect/sqlite3.c:35829
    #3 0x56488506d808 in findCollSeqEntry /home/vancir/testbug/sqlite_bisect/sqlite3.c:123798
    #4 0x56488506dabe in sqlite3FindCollSeq /home/vancir/testbug/sqlite_bisect/sqlite3.c:123854
    #5 0x56488500098c in sqlite3ExprCollSeq /home/vancir/testbug/sqlite_bisect/sqlite3.c:106361
    #6 0x56488500167d in sqlite3BinaryCompareCollSeq /home/vancir/testbug/sqlite_bisect/sqlite3.c:106534
    #7 0x5648850017ba in sqlite3ExprCompareCollSeq /home/vancir/testbug/sqlite_bisect/sqlite3.c:106552
    #8 0x56488511c7b9 in termIsEquivalence /home/vancir/testbug/sqlite_bisect/sqlite3.c:156595
    #9 0x56488511ed78 in exprAnalyze /home/vancir/testbug/sqlite_bisect/sqlite3.c:156861
    #10 0x564885123bc1 in sqlite3WhereExprAnalyze /home/vancir/testbug/sqlite_bisect/sqlite3.c:157483
    #11 0x56488514f073 in sqlite3WhereBegin /home/vancir/testbug/sqlite_bisect/sqlite3.c:163521
    #12 0x5648850df67d in sqlite3Select /home/vancir/testbug/sqlite_bisect/sqlite3.c:146452
    #13 0x5648850dd14e in sqlite3Select /home/vancir/testbug/sqlite_bisect/sqlite3.c:146243
    #14 0x564885013fb5 in sqlite3CodeSubselect /home/vancir/testbug/sqlite_bisect/sqlite3.c:109525
    #15 0x56488501cbd2 in sqlite3ExprCodeTarget /home/vancir/testbug/sqlite_bisect/sqlite3.c:110798
    #16 0x56488501f3ae in sqlite3ExprCodeTemp /home/vancir/testbug/sqlite_bisect/sqlite3.c:111180
    #17 0x564885022917 in sqlite3ExprIfFalse /home/vancir/testbug/sqlite_bisect/sqlite3.c:111708
    #18 0x564885114002 in sqlite3WhereCodeOneLoopStart /home/vancir/testbug/sqlite_bisect/sqlite3.c:155424
    #19 0x5648851526a7 in sqlite3WhereBegin /home/vancir/testbug/sqlite_bisect/sqlite3.c:163937
    #20 0x5648850df67d in sqlite3Select /home/vancir/testbug/sqlite_bisect/sqlite3.c:146452
    #21 0x56488516be7b in yy_reduce /home/vancir/testbug/sqlite_bisect/sqlite3.c:171315
    #22 0x564885179b99 in sqlite3Parser /home/vancir/testbug/sqlite_bisect/sqlite3.c:172735
    #23 0x56488517f4b8 in sqlite3RunParser /home/vancir/testbug/sqlite_bisect/sqlite3.c:174035
    #24 0x5648850ad1b1 in sqlite3Prepare /home/vancir/testbug/sqlite_bisect/sqlite3.c:138508
    #25 0x5648850ada21 in sqlite3LockAndPrepare /home/vancir/testbug/sqlite_bisect/sqlite3.c:138583
    #26 0x5648850ae10e in sqlite3_prepare_v2 /home/vancir/testbug/sqlite_bisect/sqlite3.c:138669
    #27 0x564884e51a4a in shell_exec /home/vancir/testbug/sqlite_bisect/shell.c:19250
    #28 0x564884e802de in runOneSqlLine /home/vancir/testbug/sqlite_bisect/shell.c:26346
    #29 0x564884e81071 in process_input /home/vancir/testbug/sqlite_bisect/shell.c:26512
    #30 0x564884e84be2 in main /home/vancir/testbug/sqlite_bisect/shell.c:27425
    #31 0x7f1bda74b082 in __libc_start_main ../csu/libc-start.c:308
    #32 0x564884df92ed in _start (/home/vancir/testbug/sqlite3+0xf02ed)

0x6020000017f8 is located 0 bytes to the right of 8-byte region [0x6020000017f0,0x6020000017f8)
allocated by thread T0 here:
    #0 0x7f1bdac65c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x564884e9134f in sqlite3MemRealloc /home/vancir/testbug/sqlite_bisect/sqlite3.c:25743
    #2 0x564884e94854 in sqlite3Realloc /home/vancir/testbug/sqlite_bisect/sqlite3.c:29658
    #3 0x564884e953d8 in dbReallocFinish /home/vancir/testbug/sqlite_bisect/sqlite3.c:29849
    #4 0x564884e95292 in sqlite3DbRealloc /home/vancir/testbug/sqlite_bisect/sqlite3.c:29832
    #5 0x564884e95424 in sqlite3DbReallocOrFree /home/vancir/testbug/sqlite_bisect/sqlite3.c:29866
    #6 0x5648850ba7ee in sqlite3SubqueryColumnTypes /home/vancir/testbug/sqlite_bisect/sqlite3.c:141174
    #7 0x5648850d4b16 in selectAddSubqueryTypeInfo /home/vancir/testbug/sqlite_bisect/sqlite3.c:145117
    #8 0x564884fef126 in sqlite3WalkSelect /home/vancir/testbug/sqlite_bisect/sqlite3.c:103895
    #9 0x5648850d4cd9 in sqlite3SelectAddTypeInfo /home/vancir/testbug/sqlite_bisect/sqlite3.c:145139
    #10 0x5648850d4ff7 in sqlite3SelectPrep /home/vancir/testbug/sqlite_bisect/sqlite3.c:145169
    #11 0x5648850bac3e in sqlite3ResultSetOfSelect /home/vancir/testbug/sqlite_bisect/sqlite3.c:141204
    #12 0x56488515b99c in sqlite3WindowRewrite /home/vancir/testbug/sqlite_bisect/sqlite3.c:165417
    #13 0x5648850db109 in sqlite3Select /home/vancir/testbug/sqlite_bisect/sqlite3.c:145954
    #14 0x564885013fb5 in sqlite3CodeSubselect /home/vancir/testbug/sqlite_bisect/sqlite3.c:109525
    #15 0x56488501cbd2 in sqlite3ExprCodeTarget /home/vancir/testbug/sqlite_bisect/sqlite3.c:110798
    #16 0x56488501f3ae in sqlite3ExprCodeTemp /home/vancir/testbug/sqlite_bisect/sqlite3.c:111180
    #17 0x564885022917 in sqlite3ExprIfFalse /home/vancir/testbug/sqlite_bisect/sqlite3.c:111708
    #18 0x564885114002 in sqlite3WhereCodeOneLoopStart /home/vancir/testbug/sqlite_bisect/sqlite3.c:155424
    #19 0x5648851526a7 in sqlite3WhereBegin /home/vancir/testbug/sqlite_bisect/sqlite3.c:163937
    #20 0x5648850df67d in sqlite3Select /home/vancir/testbug/sqlite_bisect/sqlite3.c:146452
    #21 0x56488516be7b in yy_reduce /home/vancir/testbug/sqlite_bisect/sqlite3.c:171315
    #22 0x564885179b99 in sqlite3Parser /home/vancir/testbug/sqlite_bisect/sqlite3.c:172735
    #23 0x56488517f4b8 in sqlite3RunParser /home/vancir/testbug/sqlite_bisect/sqlite3.c:174035
    #24 0x5648850ad1b1 in sqlite3Prepare /home/vancir/testbug/sqlite_bisect/sqlite3.c:138508
    #25 0x5648850ada21 in sqlite3LockAndPrepare /home/vancir/testbug/sqlite_bisect/sqlite3.c:138583
    #26 0x5648850ae10e in sqlite3_prepare_v2 /home/vancir/testbug/sqlite_bisect/sqlite3.c:138669
    #27 0x564884e51a4a in shell_exec /home/vancir/testbug/sqlite_bisect/shell.c:19250
    #28 0x564884e802de in runOneSqlLine /home/vancir/testbug/sqlite_bisect/shell.c:26346
    #29 0x564884e81071 in process_input /home/vancir/testbug/sqlite_bisect/shell.c:26512

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vancir/testbug/sqlite_bisect/sqlite3.c:34117 in sqlite3StrICmp
Shadow bytes around the buggy address:
  0x0c047fff82a0: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa 00 00
  0x0c047fff82b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff82c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff82d0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff82e0: fa fa fd fa fa fa fd fd fa fa 00 00 fa fa 00 fa
=>0x0c047fff82f0: fa fa fd fa fa fa 00 fa fa fa fd fd fa fa 00[fa]
  0x0c047fff8300: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa fa fa
  0x0c047fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1214==ABORTING

My compilation flags:

export LDFLAGS=-ldl
export ASAN_OPTIONS=detect_leaks=0
export CFLAGS="-g -O0 -fsanitize=address -DSQLITE_DEBUG 
                -DSQLITE_ENABLE_TREETRACE 
                -DSQLITE_ENABLE_WHERETRACE
                -DSQLITE_ENABLE_CURSOR_HINTS 
                -DSQLITE_COUNTOFVIEW_OPTIMIZATION 
                -DSQLITE_ENABLE_STAT4" 

Any explanations are appreciated!
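Editor's note on the report above: the ASAN output says the faulting access is a 1-byte READ in sqlite3StrICmp located 0 bytes to the right of an 8-byte heap region, i.e. a case-insensitive compare walked one byte past the end of a heap block that was sized exactly to its contents. The reply that explains the actual root cause in SQLite is not reproduced on this page, so the program below is not SQLite's code and makes no claim about the fix. It is an added, constructed C example of that bug class in general: an unbounded case-insensitive compare (same contract as strcasecmp) beside a length-bounded one, applied to a heap key allocated without a NUL terminator. All names (stricmp_unbounded, stricmp_bounded, make_unterminated_key, lookup_collation, demo_unterminated_lookup) and the three collation names are hypothetical.

```c
/* Constructed illustration of the bug class in the ASAN report above:
 * an unbounded case-insensitive compare reads past the end of a heap
 * block that holds a key with no NUL terminator. This is example code,
 * not SQLite's sqlite3StrICmp and not the root cause in this thread. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unbounded compare: stops only at a NUL, like strcasecmp(). Correct
 * only when BOTH operands are NUL-terminated; on a key stored without a
 * terminator the loop reads the byte after the block, which is exactly
 * the "READ of size 1 ... 0 bytes to the right of" an N-byte region that
 * AddressSanitizer reports. */
int stricmp_unbounded(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* Bounded compare: never touches more than alen bytes of a or blen bytes
 * of b, so a key whose length is tracked separately can be compared even
 * though the block has no terminator. Returns <0, 0 or >0 like strcmp. */
int stricmp_bounded(const char *a, size_t alen, const char *b, size_t blen) {
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb) return ca - cb;
    }
    if (alen == blen) return 0;
    return alen < blen ? -1 : 1;
}

/* Allocate a key block sized exactly to the key, with no room for a NUL.
 * This is the shape of the region in the report (an N-byte block whose
 * last addressable byte is a key character). Caller frees the result. */
char *make_unterminated_key(const char *src, size_t len) {
    char *key = malloc(len);           /* len bytes, no terminator */
    if (!key) return NULL;
    memcpy(key, src, len);
    return key;
}

/* Hypothetical hash-table-style lookup of a collation name: it relies on
 * the bounded compare and the caller-supplied length. Returns the index
 * of the matching name or -1. */
int lookup_collation(const char *name, size_t namelen) {
    static const char *known[] = { "BINARY", "NOCASE", "RTRIM" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (stricmp_bounded(name, namelen, known[i], strlen(known[i])) == 0)
            return (int)i;
    }
    return -1;
}

/* Build an unterminated 5-byte key "rtrim" and look it up with the
 * bounded path. The unbounded path is deliberately NOT called on this
 * key: stricmp_unbounded(key, "RTRIM") would read key[5], one byte past
 * the block, which is undefined behaviour and what ASAN would flag. */
int demo_unterminated_lookup(void) {
    char *key = make_unterminated_key("rtrim", 5);
    if (!key) return -1;
    int idx = lookup_collation(key, 5);
    free(key);
    return idx;
}

int main(void) {
    printf("bounded lookup of unterminated key -> index %d\n",
           demo_unterminated_lookup());
    printf("unbounded compare on terminated strings -> %d\n",
           stricmp_unbounded("Binary", "BINARY"));
    return 0;
}
```

The practical check when reading such a report is to pair the READ site with the allocation site: here the allocation came from sqlite3SubqueryColumnTypes via sqlite3DbReallocOrFree and the read from a hash lookup of a name, so the first question is whether the string handed to the lookup carries its own terminator or only a length. Compile with `-fsanitize=address` as in the poster's CFLAGS to have the unbounded path reported the moment it is called on an unterminated key.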

(2) By Richard Hipp (drh) on 2023-04-14 11:11:05 in reply to 1

(3) By Song Liu (songliu) on 2023-04-17 14:14:45 in reply to 2

Thanks for your work!