SQLite Forum

[bug] A stack buffer overflow vulnerability was discovered in SQLite 3.36.0

(1.1) By salmonx on 2021-06-15 11:38:06 edited from 1.0

A stack buffer overflow vulnerability was discovered in SQLite 3.36.0.

toor@ubuntu:~/work/fuzz/sqlite$ cat crash1 
create table t1(one int);
insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));
select  date( randomblob(one)) from t1;
toor@ubuntu:~/work/fuzz/sqlite$ ./sqlite3 < crash1
Segmentation fault (core dumped)  // tmp/core-61197-1623378831 

GDB Backtrace

toor@ubuntu:~/work/fuzz/sqlite$ gdb ./sqlite3 

Reading symbols from ./sqlite3...done.
(gdb) core-file /tmp/core-61197-1623378831 
[New LWP 61197]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./sqlite3'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  open_path (
    name=name@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., namelen=namelen@entry=133333325, mode=mode@entry=-1879047934, 
    sps=sps@entry=0x7f4dbdc16920 <rtld_search_dirs>, realname=realname@entry=0x7fff2ebf0790, 
    fbp=fbp@entry=0x7fff2ebf07a0, loader=0x7f4dbdc18170, whatcode=64, found_other_class=0x7fff2ebf078f)
    at dl-load.c:2034
2034	dl-load.c: No such file or directory.
(gdb) 
(gdb) bt
#0  open_path (
    name=name@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., namelen=namelen@entry=133333325, mode=mode@entry=-1879047934, 
    sps=sps@entry=0x7f4dbdc16920 <rtld_search_dirs>, realname=realname@entry=0x7fff2ebf0790, 
    fbp=fbp@entry=0x7fff2ebf07a0, loader=0x7f4dbdc18170, whatcode=64, found_other_class=0x7fff2ebf078f)
    at dl-load.c:2034
#1  0x00007f4dbd9f660f in _dl_map_object (loader=loader@entry=0x7f4dbdc18170, 
    name=name@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., type=type@entry=2, trace_mode=trace_mode@entry=0, mode=mode@entry=-1879047934, nsid=<optimized out>)
    at dl-load.c:2381
#2  0x00007f4dbda02084 in dl_open_worker (a=a@entry=0x7fff2ebf0d10) at dl-open.c:235
#3  0x00007f4dbcd851ef in __GI__dl_catch_exception (exception=exception@entry=0x7fff2ebf0cf0, 
    operate=operate@entry=0x7f4dbda01f60 <dl_open_worker>, args=args@entry=0x7fff2ebf0d10)
    at dl-error-skeleton.c:196
#4  0x00007f4dbda0196a in _dl_open (
    file=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., mode=-2147483390, caller_dlopen=0x5593264fe1f4 <sqlite3_load_extension+628>, nsid=<optimized out>, argc=1, 
    argv=<optimized out>, env=0x7fff2ebf29c8) at dl-open.c:605
#5  0x00007f4dbd22ef96 in dlopen_doit (a=a@entry=0x7fff2ebf0f40) at dlopen.c:66
#6  0x00007f4dbcd851ef in __GI__dl_catch_exception (exception=exception@entry=0x7fff2ebf0ee0, 
    operate=operate@entry=0x7f4dbd22ef40 <dlopen_doit>, args=args@entry=0x7fff2ebf0f40) at dl-error-skeleton.c:196
#7  0x00007f4dbcd8527f in __GI__dl_catch_error (objname=objname@entry=0x55932787a8b0, 
    errstring=errstring@entry=0x55932787a8b8, mallocedp=mallocedp@entry=0x55932787a8a8, 
    operate=operate@entry=0x7f4dbd22ef40 <dlopen_doit>, args=args@entry=0x7fff2ebf0f40) at dl-error-skeleton.c:215
#8  0x00007f4dbd22f745 in _dlerror_run (operate=operate@entry=0x7f4dbd22ef40 <dlopen_doit>, 
    args=args@entry=0x7fff2ebf0f40) at dlerror.c:162
#9  0x00007f4dbd22f051 in __dlopen (file=<optimized out>, mode=<optimized out>) at dlopen.c:87
#10 0x00005593264fe1f4 in sqlite3OsDlOpen (
    zPath=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., pVfs=0x559326a4e3c0 <aVfs.18009>) at sqlite3.c:23652
#11 sqlite3LoadExtension (pzErrMsg=0x7fff2ebf0ff0, zProc=0x0, 
    zFile=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., db=0x559327866c88) at sqlite3.c:61882
#12 sqlite3_load_extension (db=db@entry=0x559327866c88, 
    zFile=zFile@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., 
    zProc=0x0, pzErrMsg=pzErrMsg@entry=0x7fff2ebf0ff0) at sqlite3.c:61984
#13 0x000055932650013a in loadExt (context=0x559327876748, argc=1, argv=0x559327876778) at sqlite3.c:120743
#14 0x000055932661fd2d in sqlite3VdbeExec (p=p@entry=0x5593278742e8) at sqlite3.c:94427
#15 0x0000559326646b81 in sqlite3Step (p=0x5593278742e8) at sqlite3.c:84821
#16 sqlite3_step (pStmt=<optimized out>) at sqlite3.c:19342
#17 0x000055932627161d in exec_prepared_stmt (pStmt=0x5593278742e8, pArg=0x7fff2ebf16a0) at shell.c:14156
#18 shell_exec (pArg=0x7fff2ebf16a0, zSql=<optimized out>, pzErrMsg=0x7fff2ebf14a8) at shell.c:14465
#19 0x0000559326278b48 in runOneSqlLine (p=0x7fff2ebf16a0, 
    zSql=0x559327866bf0 "insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));", 
    in=0x7f4dbd009a00 <_IO_2_1_stdin_>, startline=2) at shell.c:21411
#20 0x00005593262a75a7 in process_input (p=0x7fff2ebf16a0) at shell.c:21511
#21 0x00005593261d4b2e in main (argc=<optimized out>, argv=<optimized out>) at shell.c:22320

AddressSanitizer: stack-overflow

toor@ubuntu:~/work/fuzz/poc/sqlite-snapshot-202106031851$ ./sqlite3 
SQLite version 3.36.0 2021-06-03 18:51:51
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));
Error: no such table: t1
sqlite> create table t1(one int);
insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));sqlite> 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==56360==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdd1242fb8 (pc 0x7f8104b932f6 bp 0x7ffdd916b290 sp 0x7ffdd1242fc0 T0)
    #0 0x7f8104b932f5  (/lib64/ld-linux-x86-64.so.2+0x62f5)
    #1 0x7f8104b9660e  (/lib64/ld-linux-x86-64.so.2+0x960e)
    #2 0x7f8104ba2083  (/lib64/ld-linux-x86-64.so.2+0x15083)
    #3 0x7f8103b051ee in _dl_catch_exception /build/glibc-S9d2JN/glibc-2.27/elf/dl-error-skeleton.c:196
    #4 0x7f8104ba1969  (/lib64/ld-linux-x86-64.so.2+0x14969)
    #5 0x7f81043cef95 in dlopen_doit /build/glibc-S9d2JN/glibc-2.27/dlfcn/dlopen.c:66
    #6 0x7f8103b051ee in _dl_catch_exception /build/glibc-S9d2JN/glibc-2.27/elf/dl-error-skeleton.c:196
    #7 0x7f8103b0527e in _dl_catch_error /build/glibc-S9d2JN/glibc-2.27/elf/dl-error-skeleton.c:215
    #8 0x7f81043cf744 in _dlerror_run /build/glibc-S9d2JN/glibc-2.27/dlfcn/dlerror.c:162
    #9 0x7f81043cf050 in dlopen /build/glibc-S9d2JN/glibc-2.27/dlfcn/dlopen.c:87
    #10 0x46c0b1 in dlopen /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:6033:15
    #11 0x5b2b41 in sqlite3OsDlOpen /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:23652:10
    #12 0x5b2b41 in sqlite3LoadExtension /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:127418:12
    #13 0x5b2b41 in sqlite3_load_extension /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:127520:8
    #14 0x9a157b in loadExt /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:120743:16
    #15 0x66f9b9 in sqlite3VdbeExec /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:94427:3
    #16 0x5763c4 in sqlite3Step /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:84821:10
    #17 0x5763c4 in sqlite3_step /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:84878:16
    #18 0x5545b4 in exec_prepared_stmt /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:14156:8
    #19 0x5087dc in shell_exec /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:14465:7
    #20 0x559732 in runOneSqlLine /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:21411:8
    #21 0x50dc6c in process_input /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:21511:17
    #22 0x4e082e in main /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:22312:12
    #23 0x7f81039bfbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #24 0x41c049 in _start (/home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3+0x41c049)

SUMMARY: AddressSanitizer: stack-overflow (/lib64/ld-linux-x86-64.so.2+0x62f5) 
==56360==ABORTING

(2) By Richard Hipp (drh) on 2021-06-11 12:49:04 in reply to 1.0

This appears to be a bug (or at least an undocumented limitation) in the dlopen() routine of the standard C library, not a bug in SQLite. The problem arises when dlopen() is invoked with a filename that is very long.

Check-in 01f3877c7172d522 works around this problem by simply not calling dlopen() if the filename exceeds FILENAME_MAX characters.

Note also that the load_extension() SQL function is disabled by default. So most applications are unable to trigger this bug in dlopen() even if it exists. The CLI is a rare exception to this rule in that it does take the extra steps needed to activate the load_extension() SQL function.

Because load_extension() is disabled by default, it seems dubious to call this problem "critical".
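The workaround described in the reply above is a length check placed in front of dlopen(): if the extension file name is longer than FILENAME_MAX, the loader is never called. The following added example (this editor's code, not SQLite's check-in and not the project's own API) shows that guard in isolation. The names `extension_path_ok`, `open_shared_object`, `fake_loader` and `run_guard_demo` are this example's own; the dynamic loader is injected as a function pointer so the guard can be exercised offline without linking against libdl, and the oversized path is constructed inside the demo.

```c
/* Added example: a bounded length guard in front of a dlopen()-style loader.
 * Assumptions (not from the page): the loader is passed in as a function
 * pointer, and FILENAME_MAX from <stdio.h> is the limit, as in the reply. */
#include <stdio.h>    /* FILENAME_MAX, snprintf */
#include <stdlib.h>   /* malloc, free */
#include <string.h>   /* memset */

typedef void *(*dl_open_fn)(const char *path);

/* Bounded length scan: never walks more than `limit` bytes past the start,
 * so an unterminated or huge buffer cannot be read to its end. Returns the
 * number of bytes before the terminator, or limit+1 if none was found. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n <= limit && s[n] != '\0') n++;
    return n;
}

/* 0 = acceptable; 1 = NULL; 2 = empty; 3 = longer than FILENAME_MAX. */
int extension_path_ok(const char *zFile) {
    if (zFile == NULL) return 1;
    size_t n = bounded_len(zFile, (size_t)FILENAME_MAX);
    if (n == 0) return 2;
    if (n > (size_t)FILENAME_MAX) return 3;
    return 0;
}

/* Guarded loader: refuses to call `loader` at all when the name is rejected,
 * which is the shape of the workaround in the reply above. */
void *open_shared_object(const char *zFile, dl_open_fn loader,
                         char *err, size_t errlen) {
    int rc = extension_path_ok(zFile);
    if (rc != 0) {
        snprintf(err, errlen, "extension path rejected (code %d, limit %d)",
                 rc, FILENAME_MAX);
        return NULL;
    }
    return loader(zFile);
}

/* Stand-in for dlopen() (hypothetical): counts calls instead of loading. */
static int fake_loader_calls = 0;
static void *fake_loader(const char *path) {
    (void)path;
    fake_loader_calls++;
    return (void *)1;
}

/* Constructed scenario: an oversized name must never reach the loader,
 * a normal name must. Returns 1 if both hold, 0 otherwise. */
int run_guard_demo(void) {
    char err[128] = {0};
    size_t big_len = (size_t)FILENAME_MAX + 10;
    char *big = malloc(big_len + 1);
    if (big == NULL) return 0;
    memset(big, 'A', big_len);
    big[big_len] = '\0';

    int before = fake_loader_calls;
    void *h = open_shared_object(big, fake_loader, err, sizeof err);
    free(big);
    if (h != NULL || fake_loader_calls != before) return 0;

    h = open_shared_object("./libconstructed_ext.so", fake_loader, err, sizeof err);
    return (h != NULL && fake_loader_calls == before + 1) ? 1 : 0;
}

int main(void) {
    printf("guard demo %s (FILENAME_MAX=%d)\n",
           run_guard_demo() ? "passed" : "FAILED", FILENAME_MAX);
    return 0;
}
```

The point of the bounded scan is that the guard itself must not become a way to read far past the buffer; it stops at FILENAME_MAX+1 bytes regardless of how long the caller's string really is. In a real application the check is only a second line of defence; keeping load_extension() disabled, as it is by default, is what prevents untrusted SQL from reaching dlopen() in the first place.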

(3) By anonymous on 2021-06-11 15:41:01 in reply to 2

Thanks for your timely response. Your code fixes make SQLite more secure.