Ubuntu
sqlite3 package

Null pointer dereference on '.dump' or 'SELECT * FROM sqlite_master' on corrupted file

Bug #1756349 reported by Even Rouault
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sqlite3 (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Starting with sqlite 3.7.10 and up to latest sqlite 3.22.0/master, the following on the attached database causes a segmentation fault.
I can reproduce this on Ubuntu Xenial 16.04 with libsqlite3-0:amd64 3.11.0-1ubuntu1. Should also affect Ubuntu Trusty that ship with sqlite 3.8.2

$ echo ".dump" | valgrind sqlite3 gdal_ossfuzz_6964.db

==12781== Memcheck, a memory error detector
==12781== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12781== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==12781== Command: .libs/sqlite3 /home/even/gdal/trunk/gdal/gdal_ossfuzz_6964.db
==12781==
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
==12781== Invalid read of size 8
==12781== at 0x4E9302B: sqlite3EndTable (sqlite3.c:82695)
==12781== by 0x4EC129A: yy_reduce (sqlite3.c:109734)
==12781== by 0x4EC4A2E: sqlite3Parser (sqlite3.c:110900)
==12781== by 0x4EC5896: sqlite3RunParser (sqlite3.c:111737)
==12781== by 0x4EA6FC2: sqlite3Prepare (sqlite3.c:94064)
==12781== by 0x4EA731F: sqlite3LockAndPrepare (sqlite3.c:94156)
==12781== by 0x4EA74B7: sqlite3_prepare (sqlite3.c:94219)
==12781== by 0x4EA61C6: sqlite3InitCallback (sqlite3.c:93538)
==12781== by 0x4EA1FDE: sqlite3_exec (sqlite3.c:90752)
==12781== by 0x4EA68AB: sqlite3InitOne (sqlite3.c:93784)
==12781== by 0x4EA6A96: sqlite3Init (sqlite3.c:93850)
==12781== by 0x4EA6B94: sqlite3ReadSchema (sqlite3.c:93887)
==12781== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==12781==
==12781==
==12781== Process terminating with default action of signal 11 (SIGSEGV)
==12781== Access not within mapped region at address 0x0
==12781== at 0x4E9302B: sqlite3EndTable (sqlite3.c:82695)
==12781== by 0x4EC129A: yy_reduce (sqlite3.c:109734)
==12781== by 0x4EC4A2E: sqlite3Parser (sqlite3.c:110900)
==12781== by 0x4EC5896: sqlite3RunParser (sqlite3.c:111737)
==12781== by 0x4EA6FC2: sqlite3Prepare (sqlite3.c:94064)
==12781== by 0x4EA731F: sqlite3LockAndPrepare (sqlite3.c:94156)
==12781== by 0x4EA74B7: sqlite3_prepare (sqlite3.c:94219)
==12781== by 0x4EA61C6: sqlite3InitCallback (sqlite3.c:93538)
==12781== by 0x4EA1FDE: sqlite3_exec (sqlite3.c:90752)
==12781== by 0x4EA68AB: sqlite3InitOne (sqlite3.c:93784)
==12781== by 0x4EA6A96: sqlite3Init (sqlite3.c:93850)
==12781== by 0x4EA6B94: sqlite3ReadSchema (sqlite3.c:93887)

This is a bug of the library and not the shell since the same occurs on this trivial C file

mytest.c:

{{{
#include <sqlite3.h>

int main(int argc, char* argv[])
{
    sqlite3* hDB = 0;
    int nRowCount = 0, nColCount = 0;
    char** papszResult = 0;
    sqlite3_open(argv[1], &hDB);
    if( !hDB )
        return 1;
    sqlite3_get_table( hDB, "SELECT * FROM sqlite_master",
                       &papszResult, &nRowCount, &nColCount,
                       0 );
    sqlite3_free_table(papszResult);
    sqlite3_close(hDB);
    return 0;
}
}}}

$ gcc -Wall mytest.c -o mytest -lsqlite3

$ valgrind ./mytest gdal_ossfuzz_6964.db
==24793== Memcheck, a memory error detector
==24793== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24793== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24793== Command: ./mytest /home/even/gdal/trunk/gdal/gdal_ossfuzz_6964.db
==24793==
==24793== Invalid read of size 8
==24793== at 0x4E9302B: sqlite3EndTable (sqlite3.c:82695)
==24793== by 0x4EC129A: yy_reduce (sqlite3.c:109734)
==24793== by 0x4EC4A2E: sqlite3Parser (sqlite3.c:110900)
==24793== by 0x4EC5896: sqlite3RunParser (sqlite3.c:111737)
==24793== by 0x4EA6FC2: sqlite3Prepare (sqlite3.c:94064)
==24793== by 0x4EA731F: sqlite3LockAndPrepare (sqlite3.c:94156)
==24793== by 0x4EA74B7: sqlite3_prepare (sqlite3.c:94219)
==24793== by 0x4EA61C6: sqlite3InitCallback (sqlite3.c:93538)
==24793== by 0x4EA1FDE: sqlite3_exec (sqlite3.c:90752)
==24793== by 0x4EA68AB: sqlite3InitOne (sqlite3.c:93784)
==24793== by 0x4EA6A96: sqlite3Init (sqlite3.c:93850)
==24793== by 0x4EA6B94: sqlite3ReadSchema (sqlite3.c:93887)
==24793== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==24793==

Based on the git clone at
https://github.com/mackyle/sqlite, I've bisected the first bad commit to be
{{{
fee0225c95052006f0776d837eeafd26b857db53 is the first bad commit
commit fee0225c95052006f0776d837eeafd26b857db53
Author: D. Richard Hipp <email address hidden>
Date: Wed Jan 11 15:47:42 2012 +0000

    Make the pager less vulnerable to problems caused by shifting sector sizes
    when rolling back a hot journal.

:040000 040000 84229496991a77e9600cadd39237de4f48cc9180 b374865f1168e3832fbf3e54c61704ae3c03c27e M src
}}}

This issue was initially found with oss-fuzz on GDAL per https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6964 . Credit to OSS-Fuzz

I'm emailing privately Richard Hipp <email address hidden> with this report.

CVE References

Revision history for this message
Even Rouault (even-rouault) wrote :
Revision history for this message
Even Rouault (even-rouault) wrote :

Richard Hipp just committed a fix in sqlite master. Apparently this must be https://www.sqlite.org/cgi/src/timeline?r=corrupt-schema

Seth Arnold (seth-arnold)
information type: Private Security → Public Security
Changed in sqlite3 (Ubuntu):
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Use CVE-2018-8740.

Thanks Even and Richard.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.