Segmentation fault in sqlite3_db_config function
(1.1) By Song Liu (songliu) on 2023-04-05 23:54:01 edited from 1.0 [source]
I found a segmentation fault while SQLite (latest, 68a1a837493a0bc5) executes the poc.
The poc is mutated by fuzzing, therefore it contains some special characters and is not good for humans to read.
I uploaded the poc to google drive, here is the link: poc
The MD5 digest of poc:
Here are the outputs:
 2390343 segmentation fault ./sqlite3 < poc
Here is the result of bisecting:
11 BAD 2023-02-28 19:39:59 0f5579bef27b84ee CURRENT
 9 GOOD 2023-02-28 18:06:52 5916705c731604d2
Here is the ASAN report:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==50544==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x5555559cb0e8 bp 0x7fffffff8950 sp 0x7fffffff87c0 T0)
==50544==The signal is caused by a READ memory access.
==50544==Hint: address points to the zero page.
    #0 0x5555559cb0e7 in sqlite3_db_config /data/song/projects/testbug/sqlite_asan/sqlite3.c:175357
    #1 0x5555556c069f in do_meta_command /data/song/projects/testbug/sqlite_asan/shell.c:24806
    #2 0x5555556cbd21 in process_input /data/song/projects/testbug/sqlite_asan/shell.c:26475
    #3 0x5555556cfbc2 in main /data/song/projects/testbug/sqlite_asan/shell.c:27420
    #4 0x7ffff7165082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x5555556442ed in _start (/data/song/projects/catch-opt-knob/experiments/sqlgo-work/triage/sqlite3-asan+0xf02ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/song/projects/testbug/sqlite_asan/sqlite3.c:175357 in sqlite3_db_config
My compilation flags:
export CFLAGS="-g -O0 -DSQLITE_DEBUG -DSQLITE_ENABLE_TREETRACE -DSQLITE_ENABLE_WHERETRACE -DSQLITE_ENABLE_CURSOR_HINTS -DSQLITE_COUNTOFVIEW_OPTIMIZATION -DSQLITE_ENABLE_STAT4"
Any explanations are appreciated!
(2.1) By Song Liu (songliu) on 2023-04-06 00:35:43 edited from 2.0 in reply to 1.1 [link] [source]
I just figured out the root cause, but it seems the bug has been fixed (1cd993c45cd6b60e)... Anyway, here is a minimum query that triggers the problem:
Excellent job, Richard :)