SQLite Forum

4 automatically generated tests that trigger UBSAN integer related errors

(1) By Jingxuan He (LostBenjamin) on 2021-06-30 18:23:16

Hi everyone,

We tested sqlite with an automatic tool (based on the fuzzer AFL). Some test cases triggering UBSan integer related errors were generated. We manually checked those test cases and filtered out benign cases. Finally, we identified and reported 4 cases that could trigger bugs. Below is the information for reproducing the bugs.

  • sqlite version: sqlite-amalgamation-3330000
  • operating system: Ubuntu 16.04.7
  • compiler: clang version 6.0.0-1ubuntu2~16.04.1 (tags/RELEASE_600/final)
  • compilation commands:
    clang -g -O1 -Xclang -disable-llvm-passes -D__NO_STRING_INLINES -D_FORTIFY_SOURCE=0 -U__OPTIMIZE__ -fsanitize=signed-integer-overflow -fsanitize=unsigned-integer-overflow -fsanitize=shift -fsanitize=bounds -fsanitize=pointer-overflow -fsanitize=null -DSQLITE_THREADSAFE=0 -DSQLITE_OMIT_LOAD_EXTENSION -DSQLITE_DEFAULT_MEMSTATUS=0 -DSQLITE_MAX_EXPR_DEPTH=0 -DSQLITE_OMIT_DECLTYPE -DSQLITE_OMIT_DEPRECATED -DSQLITE_DEFAULT_PAGE_SIZE=512 -DSQLITE_DEFAULT_CACHE_SIZE=10 -DSQLITE_DISABLE_INTRINSIC -DSQLITE_DISABLE_LFS -DYYSTACKDEPTH=20 -DSQLITE_OMIT_LOOKASIDE -DSQLITE_OMIT_WAL -DSQLITE_OMIT_PROGRESS_CALLBACK -DSQLITE_DEFAULT_LOOKASIDE='64,5' -DSQLITE_OMIT_PROGRESS_CALLBACK -DSQLITE_OMIT_SHARED_CACHE -I. shell.c sqlite3.c -o sqlite3
    
  • inputs: the bug triggering inputs can be found in this link. Each input has the name sqlite[].stdin where [] is the index from 1 to 4.

To reproduce the bugs, you need to run the command cat sqlite[].stdin | sqlite3. For sqlite3.stdin, you need to create a blank file named 7 in the same directory before running the command.

After successfully reproducing the bugs, you are expected to see the following error messages that are relevant to the bugs:

  • For sqlite1.stdin:
    shell.c:787:13: runtime error: left shift of 922337203685477580 by 4 places cannot be represented in type 'sqlite3_int64' (aka 'long long')
    
  • For sqlite2.stdin:
    shell.c:792:12: runtime error: signed integer overflow: 8888888888888888888 * 10 cannot be represented in type 'long long'
    
  • For sqlite3.stdin:
    sqlite3.c:31888:10: runtime error: unsigned integer overflow: 7777777777777777777 * 10 cannot be represented in type 'unsigned long long'
    
  • For sqlite4.stdin:
    sqlite3.c:50586:31: runtime error: unsigned integer overflow: 10 - 100 cannot be represented in type 'unsigned int'
    sqlite3.c:50586:22: runtime error: unsigned integer overflow: 100 + 4294967206 cannot be represented in type 'unsigned int'
    sqlite3.c:68587:20: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'u32' (aka 'unsigned int')
    

Looking forward to your feedback on the bugs. Thanks!

Best, Jingxuan

(2) By Richard Hipp (drh) on 2021-06-30 19:47:11 in reply to 1

Unsigned integer overflow is not an error in C.

The "shell.c" program is a command-line tool. The signed integer overflow errors you find there are in the built-in atoi()-like text-to-integer conversion routine that is part of that tool. You are passing in text strings that are too large to be represented as a signed 64-bit integer, and so the conversion routine overflows. While technically this is undefined behavior, in practice it is completely harmless. I could add lots of complex logic to detect this problem and raise a fault, but that would be silly to do for a command-line tool like "sqlite3" so I'm not going to do it.

Won't-fix
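As an added example (not code from this thread, and not SQLite's own shell.c routine), the following shows the two points the thread turns on. First, a hand-rolled text-to-int64 conversion that rejects out-of-range input without ever executing a signed multiply, shift or add that could overflow: the magnitude is accumulated in uint64_t, where wrap-around is defined, and the remaining headroom is checked before each step. The sample strings are constructed from the report: 20 eights for the decimal case, and 0x followed by 16 C's for the hex case (0xCCCCCCCCCCCCCCC with 15 C's is exactly 922337203685477580, the value in the shift report, so appending one more digit is the step that cannot be represented). Second, because the reply states that unsigned overflow is not an error in C: the two unsigned reports at sqlite3.c:50586 compose to 100 + (10 - 100) = 10, an in-range result reached through a defined intermediate wrap; -fsanitize=unsigned-integer-overflow flags such arithmetic even though the C standard defines it. All function and type names below are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Outcome of the checked conversion (names are assumptions, not SQLite's). */
typedef enum { PARSE_OK = 0, PARSE_OVERFLOW = 1, PARSE_INVALID = 2 } parse_status;

static int hex_digit_value(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Convert decimal or 0x-prefixed hex text to int64_t without performing any
 * signed operation that could overflow.  The magnitude is accumulated in
 * uint64_t and, before each step, we test whether v*base + d would exceed
 * the limit for the sign in effect.  The test v > (limit - d) / base is exact
 * because v is an integer and d <= limit.
 */
parse_status parse_int64_checked(const char *s, int64_t *out) {
    bool neg = false;
    uint64_t v = 0;
    uint64_t limit;
    int base;

    if (*s == '-') { neg = true; s++; }
    else if (*s == '+') { s++; }
    /* Negative values have one more unit of range: |INT64_MIN| == INT64_MAX + 1. */
    limit = neg ? (uint64_t)INT64_MAX + 1 : (uint64_t)INT64_MAX;

    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) { base = 16; s += 2; }
    else { base = 10; }
    if (*s == '\0') return PARSE_INVALID;          /* "", "-", "0x" */

    for (; *s; s++) {
        int d = hex_digit_value(*s);
        if (d < 0 || d >= base) return PARSE_INVALID;
        if (v > (limit - (uint64_t)d) / (uint64_t)base) return PARSE_OVERFLOW;
        v = v * (uint64_t)base + (uint64_t)d;      /* provably <= limit here */
    }

    if (neg) {
        /* v == INT64_MAX + 1 only for INT64_MIN; never negate that as a signed value. */
        *out = (v > (uint64_t)INT64_MAX) ? INT64_MIN : -(int64_t)v;
    } else {
        *out = (int64_t)v;
    }
    return PARSE_OK;
}

/* Small wrappers so each result can be checked by return value. */
parse_status status_of(const char *s) { int64_t v = 0; return parse_int64_checked(s, &v); }
int64_t value_of(const char *s) {
    int64_t v = 0;
    return parse_int64_checked(s, &v) == PARSE_OK ? v : 0;
}

/*
 * Unsigned wrap-around is defined behaviour in C (C11 6.2.5p9).  The two
 * unsigned reports at sqlite3.c:50586 in the post compose to an in-range
 * result: (10 - 100) wraps to 4294967206, and 100 + 4294967206 wraps to 10.
 */
uint32_t u32_sub(uint32_t a, uint32_t b) { return a - b; }
uint32_t u32_add(uint32_t a, uint32_t b) { return a + b; }

int main(void) {
    /* Constructed inputs mirroring the report: 20 eights, and 0x with 15 then 16 C's. */
    const char *samples[] = { "8888888888888888888", "88888888888888888888",
                              "0xCCCCCCCCCCCCCCC", "0xCCCCCCCCCCCCCCCC",
                              "-9223372036854775808", "9223372036854775808", "12a" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t v = 0;
        parse_status st = parse_int64_checked(samples[i], &v);
        printf("%-22s -> status %d value %lld\n", samples[i], (int)st, (long long)v);
    }
    printf("100 + (10 - 100) in uint32_t = %u\n", u32_add(100, u32_sub(10, 100)));
    return 0;
}
```

Building this with the same -fsanitize=signed-integer-overflow flag as in the report and feeding it the 20-eight and 16-C strings produces PARSE_OVERFLOW and no sanitizer diagnostic, which is the check a reviewer would want before deciding, as the reply does, whether the extra logic is worth carrying in a command-line tool.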