SQLite User Forum

Heap buffer overflow in zipfileColumn function
Login

Heap buffer overflow in zipfileColumn function

(1.1) By Song Liu (songliu) on 2023-04-05 23:06:55 edited from 1.0 [source]

I found a heap buffer overflow while SQLite (latest, 68a1a837493a0bc5) executes the poc.

The poc creates a virtual table using the zip file c1, while c1 is a malformed archive.

Following are the contents of poc.

CREATE VIRTUAL TABLE v0 USING zipfile(c1);
SELECT * FROM v0;

I uploaded the poc and zip archive c1 to google drive, here is the link: poc and c1

the MD5 digest of poc: 5b0cc3759408063413e4d52ecd33c0b9

the MD5 digest of zip archive c1: b16e1f46de5fed1947dbf80e06a07fe7

NOTE: Please place c1 under the same folder of poc to reproduce the crash.

➜  ls
c1  poc  sqlite3-asan
➜  md5sum poc c1            
5b0cc3759408063413e4d52ecd33c0b9  poc
b16e1f46de5fed1947dbf80e06a07fe7  c1
➜  ./sqlite3-asan --version 
3.42.0 2023-04-05 02:55:08 68a1a837493a0bc5e0e0f2373ac76cb575078cec08990c017fdcb51a4ba363a1
➜  ./sqlite3-asan < poc     

Here is the result of bisecting:

 15 BAD     2018-01-15 15:49:46 cf64087224aff1a2 CURRENT
  8 GOOD    2018-01-15 14:32:37 8151913a3987f4dd

Here is the ASAN report:

=================================================================
==3461840==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000a0f at pc 0x555555664cbe bp 0x7fffffffa8b0 sp 0x7fffffffa8a0
READ of size 1 at 0x602000000a0f thread T0
    #0 0x555555664cbd in zipfileColumn /data/song/projects/testbug/sqlite_asan/shell.c:8778
    #1 0x55555581c816 in sqlite3VdbeExec /data/song/projects/testbug/sqlite_asan/sqlite3.c:98612
    #2 0x5555557db538 in sqlite3Step /data/song/projects/testbug/sqlite_asan/sqlite3.c:88693
    #3 0x5555557dbeaf in sqlite3_step /data/song/projects/testbug/sqlite_asan/sqlite3.c:88754
    #4 0x55555569bca9 in exec_prepared_stmt /data/song/projects/testbug/sqlite_asan/shell.c:19063
    #5 0x55555569d799 in shell_exec /data/song/projects/testbug/sqlite_asan/shell.c:19337
    #6 0x5555556cb2be in runOneSqlLine /data/song/projects/testbug/sqlite_asan/shell.c:26341
    #7 0x5555556cc051 in process_input /data/song/projects/testbug/sqlite_asan/shell.c:26507
    #8 0x5555556cfbc2 in main /data/song/projects/testbug/sqlite_asan/shell.c:27420
    #9 0x7ffff7165082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x5555556442ed in _start (/data/song/projects/catch-opt-knob/NEW-BUGS/heap-buffer-overflow-zipfileColumn/sqlite3-asan+0xf02ed)

0x602000000a0f is located 1 bytes to the left of 8-byte region [0x602000000a10,0x602000000a18)
allocated by thread T0 here:
    #0 0x7ffff767f808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5555556dc256 in sqlite3MemMalloc /data/song/projects/testbug/sqlite_asan/sqlite3.c:25661
    #2 0x5555556de642 in mallocWithAlarm /data/song/projects/testbug/sqlite_asan/sqlite3.c:29363
    #3 0x5555556de7a9 in sqlite3Malloc /data/song/projects/testbug/sqlite_asan/sqlite3.c:29409
    #4 0x5555556dfa8b in sqlite3DbMallocRaw /data/song/projects/testbug/sqlite_asan/sqlite3.c:29746
    #5 0x5555556e89c3 in strAccumFinishRealloc /data/song/projects/testbug/sqlite_asan/sqlite3.c:31155
    #6 0x5555556e8c47 in sqlite3StrAccumFinish /data/song/projects/testbug/sqlite_asan/sqlite3.c:31169
    #7 0x5555556e99e4 in sqlite3_vmprintf /data/song/projects/testbug/sqlite_asan/sqlite3.c:31333
    #8 0x5555556e9bd0 in sqlite3_mprintf /data/song/projects/testbug/sqlite_asan/sqlite3.c:31348
    #9 0x555555663188 in zipfileGetEntry /data/song/projects/testbug/sqlite_asan/shell.c:8531
    #10 0x555555663af6 in zipfileNext /data/song/projects/testbug/sqlite_asan/shell.c:8591
    #11 0x55555581ccc7 in sqlite3VdbeExec /data/song/projects/testbug/sqlite_asan/sqlite3.c:98656
    #12 0x5555557db538 in sqlite3Step /data/song/projects/testbug/sqlite_asan/sqlite3.c:88693
    #13 0x5555557dbeaf in sqlite3_step /data/song/projects/testbug/sqlite_asan/sqlite3.c:88754
    #14 0x55555569bca9 in exec_prepared_stmt /data/song/projects/testbug/sqlite_asan/shell.c:19063
    #15 0x55555569d799 in shell_exec /data/song/projects/testbug/sqlite_asan/shell.c:19337
    #16 0x5555556cb2be in runOneSqlLine /data/song/projects/testbug/sqlite_asan/shell.c:26341
    #17 0x5555556cc051 in process_input /data/song/projects/testbug/sqlite_asan/shell.c:26507
    #18 0x5555556cfbc2 in main /data/song/projects/testbug/sqlite_asan/shell.c:27420
    #19 0x7ffff7165082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/song/projects/testbug/sqlite_asan/shell.c:8778 in zipfileColumn
Shadow bytes around the buggy address:
  0x0c047fff80f0: fa fa fd fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff8100: fa fa 00 fa fa fa 00 fa fa fa fd fd fa fa 00 fa
  0x0c047fff8110: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa fd fd
  0x0c047fff8120: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8130: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa fd fa
=>0x0c047fff8140: fa[fa]00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3461840==ABORTING

My compilation flags:

export LDFLAGS=-ldl
export ASAN_OPTIONS=detect_leaks=0
export CFLAGS="-g -O0 -fsanitize=address -DSQLITE_DEBUG 
                -DSQLITE_ENABLE_TREETRACE 
                -DSQLITE_ENABLE_WHERETRACE
                -DSQLITE_ENABLE_CURSOR_HINTS 
                -DSQLITE_COUNTOFVIEW_OPTIMIZATION 
                -DSQLITE_ENABLE_STAT4" 

Any explanations are appreciated!