SQLite Forum

How do i submit a bug report

How do i submit a bug report

(1) By anonymous on 2021-10-20 01:31:41 [link]

Hello. I am a cyber security student. I have found multiple memory corruption vulnerabilities within the lemon LALR parser resulting in controlling multiple registers. I believe that a return to libc exploit is likely to be possible and i would like info on how to properly report this and go through responsible disclosure. 

I have done a lot of crash analysis in gdb and I have screenshots and further documentation that the vulnerability does indeed exist.

Thanks, Cyber Security Researcher.

(2) By Stephan Beal (stephan) on 2021-10-20 02:00:17 in reply to 1 [link]

> How do i submit a bug report

Such reports should be sent directly to the project lead, Richard Hipp:


(3) By ddevienne on 2021-10-20 06:52:23 in reply to 2

Well, Lemon is not critical, in the sense that it is run only at build-time,  
not runtime, and thus any vulnerability you may find is not essential to SQLite.

That's different about the C code Lemon generates, which **IS** used in SQLite.  
So given how busy DRH is, you may find your reports not quickly acted on I suspect, if at all.

Also note that Lemon's purpose is to serve SQLite primarily.  
Richard has made Lemon fixes reported/provided on the list several times,  
even though those fixes didn't affect SQLite's own use-case with Lemon.  
Still, *support* on Lemon cannot be considered in the same category as SQLite's.

My $0.02, from a non-team member.

(5) By anonymous on 2021-10-20 23:13:18 in reply to 3 [link]

Thank you very much for the info. I do not know a whole lot regarding how sqlite uses lemon and i have also contacted the creators of lemon. I just thought i would point it out (regardless of the criticality of the vulnerability because i came across it and felt obligated. Could you please go into more detail on how sqlite uses lemon to generate C code? 

Thanks, Cyber Security Researcher

(6) By Larry Brasfield (larrybr) on 2021-10-21 00:17:52 in reply to 5 [link]


The "lemon" program converts a structured description of a grammar which has actions associated with specified grammar constructs into a C function which is able to parse an instance of the grammar and perform the actions corresponding to various constructs in that instance.

The C function so generated from SQLite's SQL grammar is used in SQLite to process SQL passed into the prepare_statement() APIs.

Of course, the grammar description which Lemon is called upon to convert into a parser when SQLite is built does not contain anything like what you or other "Security Researchers" devise to expose so-called vulnerabilities in the lemon parser generator.

If you really want to learn about lemon, you can peruse <u>[The Lemon Parser Generator](https://www.sqlite.org/lemon.html)</u> to your heart's content. This document can be found under "Lemon" in the [website keyword index](https://www.sqlite.org/keyword_index.html). I urge you to consult that index first when you have questions regarding SQLite. Much effort has gone into keeping the online docs current and accurate, so it should be your first source of answers. (And if something you cannot find there ought to be there, that is a fact worth bringing to the dev team's attention.)

(4) By Richard Hipp (drh) on 2021-10-20 11:26:13 in reply to 1 [link]

Lemon is a command-line tool.  Nobody runs Lemon who does not already have 
full shell access on the target machine.  So memory safety issues in Lemon
don't really matter that much.

Lemon generates code that is used by SQLite.  But Lemon is not itself
part of SQLite.  If you find faults in the code that Lemon generates, that
is an issue.  But faults in Lemon itself are scarcely a concern.