crash while executing the special sqls
(1) By anonymous on 2022-07-11 12:21:45 [source]
example:

```
./sqlite3 < ./sql
sql_length 40
ASAN:DEADLYSIGNAL
==83336==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x55d2af169509 bp 0x60e000000048 sp 0x7fffc309a880 T0)
==83336==The signal is caused by a READ memory access.
==83336==Hint: address points to the zero page.
    #0 0x55d2af169508 in sqlite3BtreeUpdateMeta /home/w00314665/sqlite/3.39/sqlite-amalgamation-3390000/sqlite3.c:76858
    #1 0x55d2af1de901 in sqlite3VdbeExec /home/w00314665/sqlite/3.39/sqlite-amalgamation-3390000/sqlite3.c:92255
    #2 0x55d2af1f7fb4 in sqlite3Step /home/sky/sqlite/3.39/sqlite-amalgamation-3390000/sqlite3.c:86667
    #3 0x55d2af1f7fb4 in sqlite3_step /home/sky/sqlite/3.39/sqlite-amalgamation-3390000/sqlite3.c:86728
    #4 0x55d2af06451a in exec_prepared_stmt /home/sky/sqlite/3.39/sqlite-amalgamation-3390000/shell.c:14691
    #5 0x55d2af06d67d in shell_exec /home/sky/sqlite/3.39/sqlite-amalgamation-3390000/shell.c:15007
    #6 0x55d2af070624 in runOneSqlLine /home/sky/sqlite/3.39/sqlite-amalgamation-3390000/shell.c:22613
    #7 0x55d2af0837ed in process_input /home/sky/sqlite/3.39/sqlite-amalgamation-3390000/shell.c:22796
    #8 0x55d2af0861f9 in main /home/sky/sqlite/3.39/sqlite-amalgamation-3390000/shell.c:23631
    #9 0x7f2734f32c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #10 0x55d2af0419c9 in _start (/home/sky/sqlite/3.39/sqlite-amalgamation-3390000/sqlite3+0x459c9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/sky/sqlite/3.39/sqlite-amalgamation-3390000/sqlite3.c:76858 in sqlite3BtreeUpdateMeta
==83336==ABORTING
```

sql content is:

```
create table'x0se0me0ts'(b);
."limit"s 40
ALTER TABLE x0se0me0ts RENAME to y
```
(2) By Tim Streater (Clothears) on 2022-07-11 13:06:40 in reply to 1 [link] [source]
Segfaults with 3.39.0 under macOS. I did it by hand, thus:
```
sqlite3> create table'x0se0me0ts'(b);
sqlite3> ."limit"s 40
sql_length 40
sqlite3> ALTER TABLE x0se0me0ts RENAME to y;
zsh: segmentation fault  sqlite3
```
(3) By Richard Hipp (drh) on 2022-07-11 14:55:25 in reply to 1 [link] [source]
This problem only arises if the sqlite3_limit() interface is used to restrict the maximum SQL statement length to a very short string (40 bytes in the example) and then the ALTER TABLE RENAME command is run. Thus, it is not a pure SQL attack. It depends on getting the database connection into a state where it will reject any SQL statement longer than about 40 bytes. The ".limit" command in the CLI will do that. But most other applications do not expose that capability.
A simplified test case:
```
CREATE TABLE xyzzy(b);
.limit sql_length 40
ALTER TABLE xyzzy RENAME TO y;
```
The problem has been fixed on trunk and on the 3.39 branch.
This is not a new problem. It has been in the code ever since version 3.25.0 which was the first SQLite version to support ALTER TABLE RENAME.
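A small regression probe, added here and not code from the thread or from the SQLite project: it feeds drh's simplified test case to whichever `sqlite3` CLI is on PATH (an assumption) inside a child process and reports whether that child died from a signal, so a deployed build can be checked without risking the calling process. The trailing SELECT is a constructed addition used only to see whether the rename went through.

```python
import shutil
import subprocess
from typing import Optional

# drh's simplified test case from this thread, plus one constructed line
# (the SELECT) so the probe can tell whether the rename actually happened.
REPRO_SQL = (
    "CREATE TABLE xyzzy(b);\n"
    ".limit sql_length 40\n"
    "ALTER TABLE xyzzy RENAME TO y;\n"
    "SELECT name FROM sqlite_master;\n"
)


def classify(returncode: int, stdout: str) -> str:
    """Turn a CLI run into 'crash', 'renamed' or 'not-renamed'.

    A negative return code means the child was killed by a signal
    (SIGSEGV shows up as -11), which is the failure mode in the report.
    """
    if returncode < 0:
        return "crash"
    # The CLI prints each selected row on its own line; after a successful
    # rename the only table in sqlite_master is 'y'.
    if any(line.strip() == "y" for line in stdout.splitlines()):
        return "renamed"
    return "not-renamed"


def probe(binary: str = "sqlite3", timeout: float = 10.0) -> Optional[str]:
    """Run the test case in a child process so a crash cannot take us down.

    Returns None when no such binary is on PATH, 'timeout' if the child
    hangs, otherwise the classify() verdict.
    """
    path = shutil.which(binary)
    if path is None:
        return None
    try:
        proc = subprocess.run(
            [path, "-batch", ":memory:"],
            input=REPRO_SQL, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode, proc.stdout)


if __name__ == "__main__":
    print(probe())
```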