SQLite Forum

SegFault on Sqlite's lemon parser

(1) By r1gby (r1gby00) on 2021-03-10 12:29:39 [link] [source]

Hi,

While fuzzing the lemon parser, I got many unique segmentation faults. I will put one of them here as an example, but on which platform can I share all the crash files with you, because I may not have time to examine them all.

Here is the drive link for the below crash file, link

$lemon id:000222,sig:11,src:002968,time:32644136,op:havoc,rep:2
...
...
=================================================================
==14416==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55d04257427f at pc 0x55d042531f2b bp 0x7ffd86ee2a60 sp 0x7ffd86ee2a58
READ of size 1 at 0x55d04257427f thread T0
    #0 0x55d042531f2a in tplt_print /tmp/sqlite/tool/lemon.c:3710
    #1 0x55d042541566 in ReportTable /tmp/sqlite/tool/lemon.c:4414
    #2 0x55d04250eb2f in main /tmp/sqlite/tool/lemon.c:1772
    #3 0x7fb5e64d2d09 in __libc_start_main ../csu/libc-start.c:308
    #4 0x55d04250fc29 in _start (/tmp/sqlite/tool/lemon+0xdc29)

0x55d04257427f is located 33 bytes to the right of global variable '*.LC8' defined in 'lemon.c' (0x55d042574240) of size 30
  '*.LC8' is ascii string '  %.*s <-- syntax error here
'
0x55d04257427f is located 1 bytes to the left of global variable '*.LC9' defined in 'lemon.c' (0x55d042574280) of size 1
  '*.LC9' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/sqlite/tool/lemon.c:3710 in tplt_print
==14416==ABORTING

GDB:

(gdb) r id:000222,sig:11,src:002968,time:32644136,op:havoc,rep:2
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/sqlite/tool/lemon id:000222,sig:11,src:002968,time:32644136,op:havoc,rep:2
id:000222,sig:11,src:002968,time:32644136,op:havoc,rep:2:0: The start symbol "arR" occurs on the right-hand side of a rule. This will result in a parser which does not work properly.
id:000222,sig:11,src:002968,time:32644136,op:havoc,rep:2:0: Nonterminal "aol" has no rules.
id:000222,sig:11,src:002968,time:32644136,op:havoc,rep:2:0: Nonterminal "l" has no rules.
id:000222,sig:11,src:002968,time:32644136,op:havoc,rep:2:0: Nonterminal "aol" has no rules.
id:000222,sig:11,src:002968,time:32644136,op:havoc,rep:2:6: This rule can not be reduced.

id:000222,sig:11,src:002968,time:32644136,op:havoc,rep:2:9: This rule can not be reduced.


Program received signal SIGSEGV, Segmentation fault.
0x000055555558d088 in ReportTable (lemp=<optimized out>, mhflag=<optimized out>, sqlFlag=<optimized out>) at lemon.c:4765
4765        fprintf(out,"  /* %4d */ \"%s\",\n",i, lemp->symbols[i]->name); lineno++;
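An added example, not code from this thread or from the SQLite project: a small Python triage helper that parses ASan reports like the one above and buckets crash files by error kind and top stack frames, so a batch of fuzzer findings can be deduplicated before anyone reads them one by one. The sample report is a constructed, shortened copy of the post's own output; the regexes assume the standard ASan text format.

```python
import re
from collections import Counter

# Constructed sample: an abbreviated copy of the ASan report in the post above.
SAMPLE_REPORT = """\
==14416==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55d04257427f at pc 0x55d042531f2b bp 0x7ffd86ee2a60 sp 0x7ffd86ee2a58
READ of size 1 at 0x55d04257427f thread T0
    #0 0x55d042531f2a in tplt_print /tmp/sqlite/tool/lemon.c:3710
    #1 0x55d042541566 in ReportTable /tmp/sqlite/tool/lemon.c:4414
    #2 0x55d04250eb2f in main /tmp/sqlite/tool/lemon.c:1772
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/sqlite/tool/lemon.c:3710 in tplt_print
==14416==ABORTING
"""

# Header line: error kind and faulting address.
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)", re.M)
# Access line: READ/WRITE and access size.
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
# Symbolized frames with file:line (frames without line info are skipped).
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>[^:\s]+):(?P<line>\d+)", re.M)


def parse_asan_report(text):
    """Return a dict describing one ASan report, or None if there is no ERROR line."""
    m = ERROR_RE.search(text)
    if not m:
        return None
    info = {"kind": m.group("kind"), "address": m.group("addr"), "op": None, "size": None, "frames": []}
    a = ACCESS_RE.search(text)
    if a:
        info["op"] = a.group("op")
        info["size"] = int(a.group("size"))
    for f in FRAME_RE.finditer(text):
        info["frames"].append((f.group("func"), f.group("file"), int(f.group("line"))))
    return info


def crash_bucket(info, depth=2):
    """Bucket key: error kind plus the top `depth` frames as function:line."""
    key = [info["kind"]]
    for func, _file, line in info["frames"][:depth]:
        key.append(f"{func}:{line}")
    return "|".join(key)


def bucket_reports(reports, depth=2):
    """Count how many reports fall into each bucket; unparseable reports are ignored."""
    counts = Counter()
    for text in reports:
        info = parse_asan_report(text)
        if info:
            counts[crash_bucket(info, depth)] += 1
    return counts
```

Feeding every crash file's ASan output through bucket_reports() collapses the "many unique" crashes to the handful of distinct root locations worth examining.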

(2) By Richard Hipp (drh) on 2021-03-10 12:55:45 in reply to 1 [source]

While fuzzing the lemon parser...

Why would you take the time to fuzz Lemon? It's a code generator, written in the 1980s, on a Sun4. It should never get hostile input. And if you do give it goofy input and it crashes, nobody much cares.

Complaining that Lemon stops working if you give it inputs specifically designed to make it fail is analogous to complaining that your car stops working if you steer it into a tree. Section 2.0 of the Lemon documentation proclaims as much. Inputs to Lemon should come from a responsible and professional programmer, only - not from random passers-by on the internet, nor from bots, nor from fuzzers. You wouldn't let a chimpanzee or a 5-year-old steer your car, would you? No, your car should only be operated by a licensed and responsible adult. In the same way, don't give crazy inputs to Lemon and you will be fine.

(3) By r1gby (r1gby00) on 2021-03-10 13:04:05 in reply to 2 [link] [source]

Thanks for the clarification.