Heap-buffer overflow in nodeAcquire
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sqlite3 (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
A heap-buffer overflow (sometimes a crash) can arise when running a SQL request on malformed sqlite3 databases such as the one attached to this ticket
{{{
$ valgrind sqlite3 clusterfuzz-
==21234== Memcheck, a memory error detector
==21234== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21234== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21234== Command: sqlite3 clusterfuzz-
==21234== Invalid read of size 1
==21234== at 0x1B3945: nodeAcquire (in /usr/bin/sqlite3)
==21234== by 0x1B5056: rtreeFilter (in /usr/bin/sqlite3)
==21234== by 0x186EAA: sqlite3VdbeExec (in /usr/bin/sqlite3)
==21234== by 0x190316: sqlite3_step (in /usr/bin/sqlite3)
==21234== by 0x11886F: shell_exec.
==21234== by 0x114693: main (in /usr/bin/sqlite3)
==21234== Address 0x5ae5b00 is 0 bytes after a block of size 48 alloc'd
==21234== at 0x4C2DB8F: malloc (in /usr/lib/
==21234== by 0x14C176: sqlite3MemMalloc (in /usr/bin/sqlite3)
==21234== by 0x128380: sqlite3Malloc (in /usr/bin/sqlite3)
==21234== by 0x1B38DF: nodeAcquire (in /usr/bin/sqlite3)
==21234== by 0x1B5056: rtreeFilter (in /usr/bin/sqlite3)
==21234== by 0x186EAA: sqlite3VdbeExec (in /usr/bin/sqlite3)
==21234== by 0x190316: sqlite3_step (in /usr/bin/sqlite3)
==21234== by 0x11886F: shell_exec.
==21234== by 0x114693: main (in /usr/bin/sqlite3)
}}}
This bug is no longer reproducible with at least sqlite3 3.17
{{{
$ valgrind ~/install-
==21265== Memcheck, a memory error detector
==21265== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21265== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21265== Command: /home/even/
==21265==
Error: database disk image is malformed
}}}
This bug has been originally uncovered by OSS-Fuzz when running on the GDAL library that uses libsqlite3: https:/
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sqlite3 3.11.0-1ubuntu1
ProcVersionSign
Uname: Linux 4.4.0-79-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
CurrentDesktop: GNOME-Flashback
Date: Wed Jun 28 11:18:29 2017
InstallationDate: Installed on 2016-11-04 (235 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
SourcePackage: sqlite3
UpgradeStatus: No upgrade log present (probably fresh install)
CVE References
information type: | Private Security → Public Security |
Changed in sqlite3 (Ubuntu): | |
status: | New → Confirmed |
I've run git bisect on the https:/ /github. com/mackyle/ sqlite mirror of sqlite3 source code repository and spotted that the following commit fixes the issue : /github. com/mackyle/ sqlite/ commit/ ce015fb42bbb6ca fdbfc9b028c2ec0 626a8f3217
https:/
This applies almost on top of sqlite 3.11.0 sources:
$ patch -p1 < /tmp/tmp.patch rtree.c. rej
patching file ext/rtree/rtree.c
Hunk #1 succeeded at 132 (offset -1 lines).
Hunk #2 succeeded at 506 (offset -113 lines).
Hunk #3 succeeded at 524 (offset -113 lines).
Hunk #4 succeeded at 541 (offset -113 lines).
Hunk #5 succeeded at 819 (offset -116 lines).
Hunk #6 succeeded at 858 (offset -116 lines).
Hunk #7 succeeded at 2961 (offset -220 lines).
Hunk #8 succeeded at 3002 (offset -220 lines).
Hunk #9 succeeded at 3055 (offset -227 lines).
Hunk #10 FAILED at 3490.
1 out of 10 hunks FAILED -- saving rejects to file ext/rtree/
The reject is rtree.c. rej >zDb[nDb+ 1]; >nBytesPerCell = 8 + pRtree->nDim2*4; >eCoordType = (u8)eCoordType; pRtree- >zDb, argv[1], nDb);
$ cat ext/rtree/
--- ext/rtree/rtree.c
+++ ext/rtree/rtree.c
@@ -3490,7 +3540,7 @@ static int rtreeInit(
pRtree->zDb = (char *)&pRtree[1];
pRtree->zName = &pRtree-
pRtree->nDim = (u8)((argc-4)/2);
- pRtree->nDim2 = argc - 4;
+ pRtree->nDim2 = pRtree->nDim*2;
pRtree-
pRtree-
memcpy(
The nDim2 member doesn't exist in sqlite 3.11.0
I've attached the "clean" patch derived from this.