SQLite Forum

Segmentation fault in sqlite3_db_config function

(1.1) By Song Liu (songliu) on 2023-04-05 23:54:01 edited from 1.0

I found a segmentation fault while SQLite (latest, 68a1a837493a0bc5) executes the poc.

The poc is mutated by fuzzing, therefore it contains some special characters and is not good for humans to read.

I uploaded the poc to google drive, here is the link: poc

The MD5 digest of the poc: 104c628e8b63ddcfe79b4878737dc7b1

Here are the outputs:

[1]    2390343 segmentation fault  ./sqlite3 < poc

Here is the result of bisecting:

 11 BAD     2023-02-28 19:39:59 0f5579bef27b84ee CURRENT
  9 GOOD    2023-02-28 18:06:52 5916705c731604d2

Here is the ASAN report:

==50544==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x5555559cb0e8 bp 0x7fffffff8950 sp 0x7fffffff87c0 T0)
==50544==The signal is caused by a READ memory access.
==50544==Hint: address points to the zero page.
    #0 0x5555559cb0e7 in sqlite3_db_config /data/song/projects/testbug/sqlite_asan/sqlite3.c:175357
    #1 0x5555556c069f in do_meta_command /data/song/projects/testbug/sqlite_asan/shell.c:24806
    #2 0x5555556cbd21 in process_input /data/song/projects/testbug/sqlite_asan/shell.c:26475
    #3 0x5555556cfbc2 in main /data/song/projects/testbug/sqlite_asan/shell.c:27420
    #4 0x7ffff7165082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x5555556442ed in _start (/data/song/projects/catch-opt-knob/experiments/sqlgo-work/triage/sqlite3-asan+0xf02ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/song/projects/testbug/sqlite_asan/sqlite3.c:175357 in sqlite3_db_config

My compilation flags:

    export CFLAGS="-g -O0 -DSQLITE_DEBUG 

Any explanations are appreciated!

(2.1) By Song Liu (songliu) on 2023-04-06 00:35:43 edited from 2.0 in reply to 1.1

I just figured out the root cause, but it seems the bug has been fixed (1cd993c45cd6b60e)... Anyway, here is a minimum query that triggers the problem: .s 0.

Excellent job, Richard :)