Heap buffer overflow in zipfileColumn function
(1.1) By Song Liu (songliu) on 2023-04-05 23:06:55 edited from 1.0
I found a heap buffer overflow while SQLite (latest, 68a1a837493a0bc5) executes the poc.
The poc creates a virtual table using the zip file c1, while c1 is a malformed archive.
Following are the contents of poc.
CREATE VIRTUAL TABLE v0 USING zipfile(c1);
SELECT * FROM v0;
I uploaded the poc and zip archive c1 to Google Drive, here is the link: poc and c1
the MD5 digest of poc: 5b0cc3759408063413e4d52ecd33c0b9
the MD5 digest of zip archive c1: b16e1f46de5fed1947dbf80e06a07fe7
NOTE: Please place c1 in the same folder as poc to reproduce the crash.
➜ ls
c1 poc sqlite3-asan
➜ md5sum poc c1
5b0cc3759408063413e4d52ecd33c0b9 poc
b16e1f46de5fed1947dbf80e06a07fe7 c1
➜ ./sqlite3-asan --version
3.42.0 2023-04-05 02:55:08 68a1a837493a0bc5e0e0f2373ac76cb575078cec08990c017fdcb51a4ba363a1
➜ ./sqlite3-asan < poc
Here is the result of bisecting:
15 BAD 2018-01-15 15:49:46 cf64087224aff1a2 CURRENT
8 GOOD 2018-01-15 14:32:37 8151913a3987f4dd
Here is the ASAN report:
=================================================================
==3461840==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000a0f at pc 0x555555664cbe bp 0x7fffffffa8b0 sp 0x7fffffffa8a0
READ of size 1 at 0x602000000a0f thread T0
#0 0x555555664cbd in zipfileColumn /data/song/projects/testbug/sqlite_asan/shell.c:8778
#1 0x55555581c816 in sqlite3VdbeExec /data/song/projects/testbug/sqlite_asan/sqlite3.c:98612
#2 0x5555557db538 in sqlite3Step /data/song/projects/testbug/sqlite_asan/sqlite3.c:88693
#3 0x5555557dbeaf in sqlite3_step /data/song/projects/testbug/sqlite_asan/sqlite3.c:88754
#4 0x55555569bca9 in exec_prepared_stmt /data/song/projects/testbug/sqlite_asan/shell.c:19063
#5 0x55555569d799 in shell_exec /data/song/projects/testbug/sqlite_asan/shell.c:19337
#6 0x5555556cb2be in runOneSqlLine /data/song/projects/testbug/sqlite_asan/shell.c:26341
#7 0x5555556cc051 in process_input /data/song/projects/testbug/sqlite_asan/shell.c:26507
#8 0x5555556cfbc2 in main /data/song/projects/testbug/sqlite_asan/shell.c:27420
#9 0x7ffff7165082 in __libc_start_main ../csu/libc-start.c:308
#10 0x5555556442ed in _start (/data/song/projects/catch-opt-knob/NEW-BUGS/heap-buffer-overflow-zipfileColumn/sqlite3-asan+0xf02ed)
0x602000000a0f is located 1 bytes to the left of 8-byte region [0x602000000a10,0x602000000a18)
allocated by thread T0 here:
#0 0x7ffff767f808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x5555556dc256 in sqlite3MemMalloc /data/song/projects/testbug/sqlite_asan/sqlite3.c:25661
#2 0x5555556de642 in mallocWithAlarm /data/song/projects/testbug/sqlite_asan/sqlite3.c:29363
#3 0x5555556de7a9 in sqlite3Malloc /data/song/projects/testbug/sqlite_asan/sqlite3.c:29409
#4 0x5555556dfa8b in sqlite3DbMallocRaw /data/song/projects/testbug/sqlite_asan/sqlite3.c:29746
#5 0x5555556e89c3 in strAccumFinishRealloc /data/song/projects/testbug/sqlite_asan/sqlite3.c:31155
#6 0x5555556e8c47 in sqlite3StrAccumFinish /data/song/projects/testbug/sqlite_asan/sqlite3.c:31169
#7 0x5555556e99e4 in sqlite3_vmprintf /data/song/projects/testbug/sqlite_asan/sqlite3.c:31333
#8 0x5555556e9bd0 in sqlite3_mprintf /data/song/projects/testbug/sqlite_asan/sqlite3.c:31348
#9 0x555555663188 in zipfileGetEntry /data/song/projects/testbug/sqlite_asan/shell.c:8531
#10 0x555555663af6 in zipfileNext /data/song/projects/testbug/sqlite_asan/shell.c:8591
#11 0x55555581ccc7 in sqlite3VdbeExec /data/song/projects/testbug/sqlite_asan/sqlite3.c:98656
#12 0x5555557db538 in sqlite3Step /data/song/projects/testbug/sqlite_asan/sqlite3.c:88693
#13 0x5555557dbeaf in sqlite3_step /data/song/projects/testbug/sqlite_asan/sqlite3.c:88754
#14 0x55555569bca9 in exec_prepared_stmt /data/song/projects/testbug/sqlite_asan/shell.c:19063
#15 0x55555569d799 in shell_exec /data/song/projects/testbug/sqlite_asan/shell.c:19337
#16 0x5555556cb2be in runOneSqlLine /data/song/projects/testbug/sqlite_asan/shell.c:26341
#17 0x5555556cc051 in process_input /data/song/projects/testbug/sqlite_asan/shell.c:26507
#18 0x5555556cfbc2 in main /data/song/projects/testbug/sqlite_asan/shell.c:27420
#19 0x7ffff7165082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/song/projects/testbug/sqlite_asan/shell.c:8778 in zipfileColumn
Shadow bytes around the buggy address:
0x0c047fff80f0: fa fa fd fa fa fa 00 fa fa fa fd fa fa fa fd fa
0x0c047fff8100: fa fa 00 fa fa fa 00 fa fa fa fd fd fa fa 00 fa
0x0c047fff8110: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa fd fd
0x0c047fff8120: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8130: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa fd fa
=>0x0c047fff8140: fa[fa]00 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3461840==ABORTING
My compilation flags:
export LDFLAGS=-ldl
export ASAN_OPTIONS=detect_leaks=0
export CFLAGS="-g -O0 -fsanitize=address -DSQLITE_DEBUG
-DSQLITE_ENABLE_TREETRACE
-DSQLITE_ENABLE_WHERETRACE
-DSQLITE_ENABLE_CURSOR_HINTS
-DSQLITE_COUNTOFVIEW_OPTIMIZATION
-DSQLITE_ENABLE_STAT4"
Any explanations are appreciated!
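The ASAN report above says a 1-byte READ landed one byte to the left of an 8-byte heap region that sqlite3_mprintf produced for an archive entry, and the report itself does not show the code at shell.c:8778. The following is an added illustration, not code from the post or from SQLite: it reproduces the shape of that finding with a hypothetical Entry struct (zFile/nFile), a name-classification check written in the unsafe form beside the guarded form, and a constructed list of entry names in which the empty name stands in for the malformed entry. The names, helpers and the directory-check semantics are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative example, not SQLite's zipfile code. Shape borrowed from
 * the ASAN report: a small heap region holding an entry name, and a
 * 1-byte READ just left of it when the name is empty. */
typedef struct {
    char *zFile;   /* heap buffer holding the entry name (NUL-terminated) */
    int   nFile;   /* length of the name; 0 for a malformed entry */
} Entry;

/* Hypothetical helper: place the name in its own heap allocation, the way
 * an mprintf-style call returns a freshly allocated string. */
static Entry entry_from_name(const char *name) {
    Entry e;
    e.nFile = (int)strlen(name);
    e.zFile = (char *)malloc((size_t)e.nFile + 1);
    if (e.zFile == NULL) { e.nFile = 0; return e; }
    memcpy(e.zFile, name, (size_t)e.nFile + 1);
    return e;
}

static void entry_free(Entry *e) {
    free(e->zFile);
    e->zFile = NULL;
    e->nFile = 0;
}

/* Unsafe pattern: inspects the last character of the name without a
 * length guard. For nFile == 0 the index is -1, i.e. a 1-byte read one
 * byte to the left of the heap region, which AddressSanitizer flags as
 * "heap-buffer-overflow ... READ of size 1 ... 1 bytes to the left". */
static int is_dir_unchecked(const Entry *e) {
    return e->zFile[e->nFile - 1] == '/';
}

/* Guarded form: the length check short-circuits before indexing, so an
 * empty (malformed) name is simply classified as "not a directory". */
static int is_dir_checked(const Entry *e) {
    return e->nFile > 0 && e->zFile[e->nFile - 1] == '/';
}

/* Walk a list of entry names, as a malformed archive might present them,
 * and count those the guarded check classifies as directories.
 * Returns -1 if an allocation fails. */
static int count_dirs(const char *const *names, int n) {
    int count = 0;
    for (int i = 0; i < n; i++) {
        Entry e = entry_from_name(names[i]);
        if (e.zFile == NULL) return -1;
        count += is_dir_checked(&e);
        entry_free(&e);
    }
    return count;
}

int main(int argc, char **argv) {
    /* Constructed sample input: the empty string plays the role of the
     * malformed entry; "dir/" and "sub/x/" are directory-style names. */
    static const char *const names[] = { "a.txt", "dir/", "", "sub/x/" };
    int n = (int)(sizeof names / sizeof names[0]);

    printf("directories (guarded check): %d\n", count_dirs(names, n));

    /* Build with "-g -O0 -fsanitize=address" and run with --trigger to
     * see the same class of sanitizer report as in the post. Without ASAN
     * this is an undefined 1-byte read, so it is opt-in only. */
    if (argc > 1 && strcmp(argv[1], "--trigger") == 0) {
        Entry e = entry_from_name("");
        printf("unguarded check on empty name: %d\n", is_dir_unchecked(&e));
        entry_free(&e);
    }
    return 0;
}
```

The guarded form is the usual fix for this bug class: any `buf[len - 1]` test on a length that untrusted input can drive to zero needs a `len > 0` guard ahead of it, and building with the same `-fsanitize=address` flags as the report makes the regression test fail loudly rather than silently reading the left redzone.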