Heap buffer overflow in shell_error_context function
(1.1) By Song Liu (songliu) on 2023-04-05 23:01:20 edited from 1.0 [source]
I found a heap buffer overflow while SQLite (latest, 68a1a837493a0bc5) executes the poc.
The poc is mutated by fuzzing, therefore it contains some special characters and is not good for humans to read.
I uploaded the poc to Google Drive; here is the link: poc
The MD5 digest of the poc: 1e9158e42f66103f42dd6df738f96327
Here is the result of bisecting:
3 BAD 2021-12-29 04:13:37 416602a85101c2cd
15 GOOD 2021-12-29 04:10:49 155c3e9c7ccd6fd6 CURRENT
Here is the ASAN report:
==335748==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000011bf at pc 0x555555693a75 bp 0x7fffffffb8b0 sp 0x7fffffffb8a0
READ of size 1 at 0x6110000011bf thread T0
#0 0x555555693a74 in shell_error_context /data/song/projects/testbug/sqlite_asan/shell.c:17943
#1 0x555555694461 in save_err_msg /data/song/projects/testbug/sqlite_asan/shell.c:18027
#2 0x55555569ca7e in shell_exec /data/song/projects/testbug/sqlite_asan/shell.c:19249
#3 0x5555556cb2be in runOneSqlLine /data/song/projects/testbug/sqlite_asan/shell.c:26341
#4 0x5555556cc051 in process_input /data/song/projects/testbug/sqlite_asan/shell.c:26507
#5 0x5555556cfbc2 in main /data/song/projects/testbug/sqlite_asan/shell.c:27420
#6 0x7ffff7165082 in __libc_start_main ../csu/libc-start.c:308
#7 0x5555556442ed in _start (/data/song/projects/catch-opt-knob/experiments/sqlgo-work/triage/sqlite3-asan+0xf02ed)
0x6110000011bf is located 1 bytes to the left of 213-byte region [0x6110000011c0,0x611000001295)
allocated by thread T0 here:
#0 0x7ffff767fc3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
#1 0x5555556cbd9c in process_input /data/song/projects/testbug/sqlite_asan/shell.c:26490
#2 0x5555556cfbc2 in main /data/song/projects/testbug/sqlite_asan/shell.c:27420
#3 0x7ffff7165082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/song/projects/testbug/sqlite_asan/shell.c:17943 in shell_error_context
Shadow bytes around the buggy address:
0x0c227fff81e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c227fff81f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff8200: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x0c227fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
=>0x0c227fff8230: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00
0x0c227fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8250: 00 00 05 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==335748==ABORTING
My compilation flags:
export LDFLAGS=-ldl
export ASAN_OPTIONS=detect_leaks=0
export CFLAGS="-g -O0 -fsanitize=address -DSQLITE_DEBUG
-DSQLITE_ENABLE_TREETRACE
-DSQLITE_ENABLE_WHERETRACE
-DSQLITE_ENABLE_CURSOR_HINTS
-DSQLITE_COUNTOFVIEW_OPTIMIZATION
-DSQLITE_ENABLE_STAT4"
Any explanations are appreciated!