[Bug 1700937] Re: Heap-buffer overflow in nodeAcquire
Even Rouault
1700937 at bugs.launchpad.net
Fri Jul 7 19:01:41 UTC 2017
@seth There's an error regarding the SQLite version number in the CVE text. It should read "in SQLite before 3.17.0" (and not 3.11.0).
https://bugs.launchpad.net/bugs/1700937
Title:
Heap-buffer overflow in nodeAcquire
Status in sqlite3 package in Ubuntu:
New
Bug description:
A heap-buffer overflow (sometimes a crash) can arise when running a SQL request on malformed sqlite3 databases such as the one attached to this ticket:
{{{
$ valgrind sqlite3 clusterfuzz-testcase-minimized-4960347410661376 "SELECT pkid FROM 'idx_byte_metadata_geometry' WHERE xmax > 0 AND xmin < 0 AND ymax > 0 AND ymin < 0"
==21234== Memcheck, a memory error detector
==21234== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21234== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21234== Command: sqlite3 clusterfuzz-testcase-minimized-4960347410661376 SELECT\ pkid\ FROM\ 'idx_byte_metadata_geometry'\ WHERE\ xmax\ \>\ 0\ AND\ xmin\ \<\ 0\ AND\ ymax\ \>\ 0\ AND\ ymin\ \<\ 0
==21234== Invalid read of size 1
==21234== at 0x1B3945: nodeAcquire (in /usr/bin/sqlite3)
==21234== by 0x1B5056: rtreeFilter (in /usr/bin/sqlite3)
==21234== by 0x186EAA: sqlite3VdbeExec (in /usr/bin/sqlite3)
==21234== by 0x190316: sqlite3_step (in /usr/bin/sqlite3)
==21234== by 0x11886F: shell_exec.constprop.12 (in /usr/bin/sqlite3)
==21234== by 0x114693: main (in /usr/bin/sqlite3)
==21234== Address 0x5ae5b00 is 0 bytes after a block of size 48 alloc'd
==21234== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21234== by 0x14C176: sqlite3MemMalloc (in /usr/bin/sqlite3)
==21234== by 0x128380: sqlite3Malloc (in /usr/bin/sqlite3)
==21234== by 0x1B38DF: nodeAcquire (in /usr/bin/sqlite3)
==21234== by 0x1B5056: rtreeFilter (in /usr/bin/sqlite3)
==21234== by 0x186EAA: sqlite3VdbeExec (in /usr/bin/sqlite3)
==21234== by 0x190316: sqlite3_step (in /usr/bin/sqlite3)
==21234== by 0x11886F: shell_exec.constprop.12 (in /usr/bin/sqlite3)
==21234== by 0x114693: main (in /usr/bin/sqlite3)
}}}
This bug is no longer reproducible with at least sqlite3 3.17:
{{{
$ valgrind ~/install-sqlite-3.17.0/bin/sqlite3 clusterfuzz-testcase-minimized-4960347410661376 "SELECT pkid FROM 'idx_byte_metadata_geometry' WHERE xmax > 0 AND xmin < 0 AND ymax > 0 AND ymin < 0"
==21265== Memcheck, a memory error detector
==21265== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21265== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21265== Command: /home/even/install-sqlite-3.17.0/bin/sqlite3 clusterfuzz-testcase-minimized-4960347410661376 SELECT\ pkid\ FROM\ 'idx_byte_metadata_geometry'\ WHERE\ xmax\ \>\ 0\ AND\ xmin\ \<\ 0\ AND\ ymax\ \>\ 0\ AND\ ymin\ \<\ 0
==21265==
Error: database disk image is malformed
}}}
This bug was originally uncovered by OSS-Fuzz while running on the GDAL library, which uses libsqlite3: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405 (content not viewable during the grace period).
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sqlite3 3.11.0-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-79.100-generic 4.4.67
Uname: Linux 4.4.0-79-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
CurrentDesktop: GNOME-Flashback:Unity
Date: Wed Jun 28 11:18:29 2017
InstallationDate: Installed on 2016-11-04 (235 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
SourcePackage: sqlite3
UpgradeStatus: No upgrade log present (probably fresh install)
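The report gives two facts a practitioner can act on: the Ubuntu package sqlite3 3.11.0-1ubuntu1 reproduces the invalid read in nodeAcquire, and 3.17.0 instead rejects the file with "database disk image is malformed" (the correction above confirms 3.17.0 as the boundary). The following is an added example, not code from the bug report, from SQLite or from Ubuntu: it checks the SQLite library actually linked into the process against that boundary before querying a file from an untrusted source, and runs PRAGMA quick_check first. The integrity check is an assumption on my part, added as defence in depth; the report does not say it catches the malformed R-tree node, so it does not replace upgrading the library. Function names and the sample database are constructed for this example.

```python
"""Added example (not code from the bug report or from SQLite): gate queries on
untrusted database files behind the version boundary the thread gives
(fixed in SQLite 3.17.0, affected before it) plus an integrity check.
Names and the sample database below are this example's own constructions."""
import os
import sqlite3
import tempfile
from typing import List, Optional, Tuple

# Fixed release as stated in the thread's correction: "in SQLite before 3.17.0".
FIXED_VERSION: Tuple[int, int, int] = (3, 17, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.11.0' or '3.17' into a comparable tuple padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_fixed(version_text: str) -> bool:
    """True if a library reporting this version is at or past the fixed release."""
    return parse_version(version_text) >= FIXED_VERSION


def linked_library_is_fixed() -> bool:
    """Check the SQLite actually linked into this process (sqlite3.sqlite_version),
    not the version of the Python wrapper module."""
    return is_fixed(sqlite3.sqlite_version)


def quick_check_file(path: str) -> Optional[str]:
    """Open a file read-only and run PRAGMA quick_check.
    Returns None when the file is consistent, otherwise the first reported problem.
    Assumption: defence in depth only. The report does not say an integrity check
    catches the malformed rtree node, so this does not replace upgrading."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = conn.execute("PRAGMA quick_check").fetchall()
    finally:
        conn.close()
    if rows and rows[0][0] == "ok":
        return None
    return rows[0][0] if rows else "no result from quick_check"


def query_untrusted_db(path: str, sql: str) -> List[tuple]:
    """Run a query against an untrusted file only if the linked library is fixed
    and the file passes quick_check; raise otherwise."""
    if not linked_library_is_fixed():
        raise RuntimeError(
            f"linked SQLite {sqlite3.sqlite_version} predates 3.17.0; "
            "refusing to query untrusted input")
    problem = quick_check_file(path)
    if problem is not None:
        raise sqlite3.DatabaseError(f"integrity check failed: {problem}")
    # mode=ro keeps a bad file from being modified while it is inspected.
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def make_sample_db() -> str:
    """Constructed sample input: a small, well-formed database written to a temp file.
    It stands in for a file received from an untrusted source."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE pts (pkid INTEGER PRIMARY KEY, xmin REAL, xmax REAL)")
        conn.executemany("INSERT INTO pts VALUES (?, ?, ?)",
                         [(1, -1.0, 1.0), (2, -2.0, 0.5), (3, 0.5, 2.0)])
        conn.commit()
    finally:
        conn.close()
    return path


if __name__ == "__main__":
    db = make_sample_db()
    print("linked SQLite", sqlite3.sqlite_version, "fixed:", linked_library_is_fixed())
    print(query_untrusted_db(db, "SELECT pkid FROM pts WHERE xmax > 0 AND xmin < 0"))
    os.unlink(db)
```

The version check reads sqlite3.sqlite_version, which reports the linked library; the Python module's own version number says nothing about whether the nodeAcquire fix is present. The read-only URI open is there so that inspecting a suspect file never rewrites it.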