SQLite User Forum

Report bugs against SQLite.
Login

Report bugs against SQLite.

(1) By zgy (740931) on 2023-06-02 12:25:34 [link] [source]

sqlite3 SEGV on unknown address 0x000000000000

When running sqlite3 like the command below:

./sqlite3 -nonce

the program will cause SEGV on unknown address 0x000000000000 error.

shell.c:26109-26111

    }else if( cli_strcmp(z,"-nonce")==0 ){
      free(data.zNonce);
      data.zNonce = strdup(argv[++i]);

Test Environment

Ubuntu 20.04, 64 bit sqlite3 (version: 3.40.1)

How to trigger

  1. Compile the program with AddressSanitizer
  2. Run command $ ./sqlite3 -nonce

Details

ASAN report

$ ./sqlite3 -nonce  
```

==935238==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff7d196e5 bp 0x7fffffffc9d0 sp 0x7fffffffc188 T0) ==935238==The signal is caused by a READ memory access. ==935238==Hint: address points to the zero page. #0 0x7ffff7d196e5 /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65 #1 0x486902 in strdup (/home/ned158/sp/Dataset/Sqlite3/sqlite3_aflpp/install/bin/sqlite3+0x486902) #2 0x4e70db in main /home/ned158/sp/Dataset/Sqlite3/sqlite3_aflpp/shell.c:26111:21 #3 0x7ffff7bb5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 #4 0x41e6bd in _start (/home/ned158/sp/Dataset/Sqlite3/sqlite3_aflpp/install/bin/sqlite3+0x41e6bd)

AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65 ==935238==ABORTING ```

(2) By Larry Brasfield (larrybr) on 2023-06-02 12:59:46 in reply to 1 [link] [source]

Thanks for reporting this bug. Fixed here.

BTW, posts may take a few minutes or hours to appear when subject to moderation.

(3) By zgy (740931) on 2023-06-03 13:57:43 in reply to 2 [link] [source]

Thanks, I will remember it.

(4) By Richard Hipp (drh) on 2023-07-24 13:13:33 in reply to 1 [source]

Not A Vulnerability

CVE-2023-36191 was written against this bug, 20 days after the bug was fixed. This post is to refute that CVE.

The error is a bug. It has been fixed. But it is not a vulnerability. You may safely ignore the CVE. Key points:

  1. The problem is in the "sqlite3" command-line tool, not in the SQLite library.

  2. Because "sqlite3" is a command-line tool, shell access is required to trigger the bug.

  3. The bug was an error in command-line argument parsing. If the user messes up the command-line that launches the "sqlite3" tool, then during argument processing a NULL-pointer dereference might occur and the "sqlite3" tool will fail to start up. That is completely harmless. The behavior is the same as if the operator had pressed Ctrl-C.

  4. The behavior is the same after the bug fix as it was before - the program issues an error message and stops. The "fix" just makes the error message a little nicer. Instead of printing "Segmentation Fault", it prints "Error: missing argument to --nonce" and then calls exit(1).