[Bug 1700937] Re: Heap-buffer overflow in nodeAcquire

Ubuntu Foundations Team Bug Bot 1700937 at bugs.launchpad.net
Thu Jul 6 08:23:52 UTC 2017


The attachment "Proposed patch to apply on top of sqlite 3.11.0" seems
to be a patch.  If it isn't, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are a member of the
~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sqlite3 in Ubuntu.
https://bugs.launchpad.net/bugs/1700937

Title:
  Heap-buffer overflow in nodeAcquire

Status in sqlite3 package in Ubuntu:
  New

Bug description:
  A heap-buffer overflow (sometimes a crash) can arise when running a
  SQL request on malformed sqlite3 databases such as the one attached to
  this ticket.

  {{{
  $ valgrind sqlite3 clusterfuzz-testcase-minimized-4960347410661376 "SELECT pkid FROM 'idx_byte_metadata_geometry' WHERE xmax > 0 AND xmin < 0 AND ymax > 0 AND ymin < 0"
  ==21234== Memcheck, a memory error detector
  ==21234== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
  ==21234== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
  ==21234== Command: sqlite3 clusterfuzz-testcase-minimized-4960347410661376 SELECT\ pkid\ FROM\ 'idx_byte_metadata_geometry'\ WHERE\ xmax\ \>\ 0\ AND\ xmin\ \<\ 0\ AND\ ymax\ \>\ 0\ AND\ ymin\ \<\ 0
  ==21234== Invalid read of size 1
  ==21234==    at 0x1B3945: nodeAcquire (in /usr/bin/sqlite3)
  ==21234==    by 0x1B5056: rtreeFilter (in /usr/bin/sqlite3)
  ==21234==    by 0x186EAA: sqlite3VdbeExec (in /usr/bin/sqlite3)
  ==21234==    by 0x190316: sqlite3_step (in /usr/bin/sqlite3)
  ==21234==    by 0x11886F: shell_exec.constprop.12 (in /usr/bin/sqlite3)
  ==21234==    by 0x114693: main (in /usr/bin/sqlite3)
  ==21234==  Address 0x5ae5b00 is 0 bytes after a block of size 48 alloc'd
  ==21234==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==21234==    by 0x14C176: sqlite3MemMalloc (in /usr/bin/sqlite3)
  ==21234==    by 0x128380: sqlite3Malloc (in /usr/bin/sqlite3)
  ==21234==    by 0x1B38DF: nodeAcquire (in /usr/bin/sqlite3)
  ==21234==    by 0x1B5056: rtreeFilter (in /usr/bin/sqlite3)
  ==21234==    by 0x186EAA: sqlite3VdbeExec (in /usr/bin/sqlite3)
  ==21234==    by 0x190316: sqlite3_step (in /usr/bin/sqlite3)
  ==21234==    by 0x11886F: shell_exec.constprop.12 (in /usr/bin/sqlite3)
  ==21234==    by 0x114693: main (in /usr/bin/sqlite3)
  }}}

  This bug is no longer reproducible with at least sqlite3 3.17.

  {{{
  $ valgrind ~/install-sqlite-3.17.0/bin/sqlite3 clusterfuzz-testcase-minimized-4960347410661376 "SELECT pkid FROM 'idx_byte_metadata_geometry' WHERE xmax > 0 AND xmin < 0 AND ymax > 0 AND ymin < 0"
  ==21265== Memcheck, a memory error detector
  ==21265== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
  ==21265== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
  ==21265== Command: /home/even/install-sqlite-3.17.0/bin/sqlite3 clusterfuzz-testcase-minimized-4960347410661376 SELECT\ pkid\ FROM\ 'idx_byte_metadata_geometry'\ WHERE\ xmax\ \>\ 0\ AND\ xmin\ \<\ 0\ AND\ ymax\ \>\ 0\ AND\ ymin\ \<\ 0
  ==21265== 
  Error: database disk image is malformed
  }}}

  This bug was originally uncovered by OSS-Fuzz when running on the
  GDAL library that uses libsqlite3:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405
  (content not viewable during the grace period)

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: sqlite3 3.11.0-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-79.100-generic 4.4.67
  Uname: Linux 4.4.0-79-generic x86_64
  NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
  ApportVersion: 2.20.1-0ubuntu2.6
  Architecture: amd64
  CurrentDesktop: GNOME-Flashback:Unity
  Date: Wed Jun 28 11:18:29 2017
  InstallationDate: Installed on 2016-11-04 (235 days ago)
  InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
  SourcePackage: sqlite3
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937/+subscriptions
