Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Initial code for a fuzzing tool on database file that works with the -fsanitize=fuzzer option of clang. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
90d12094d36957fbded71545add8a5dc |
| User & Date: | drh 2018-10-27 00:47:33 |
Context
|
2018-10-27
| ||
| 16:02 | Add an entry in Makefile.in to build dbfuzz2 using clang-6.0 with -fsanitize=fuzzer,undefined. check-in: a4a083ed user: drh tags: trunk | |
| 00:47 | Initial code for a fuzzing tool on database file that works with the -fsanitize=fuzzer option of clang. check-in: 90d12094 user: drh tags: trunk | |
|
2018-10-26
| ||
| 17:05 | Add the sqlite3session_config() interface. For configuring global parameters belonging to the sessions module. check-in: 1e69f3ff user: dan tags: trunk | |
Changes
Added test/dbfuzz2-seed1.db.
cannot compute difference between binary files
Added test/dbfuzz2.c.
1 +/* 2 +** 2018-10-26 3 +** 4 +** The author disclaims copyright to this source code. In place of 5 +** a legal notice, here is a blessing: 6 +** 7 +** May you do good and not evil. 8 +** May you find forgiveness for yourself and forgive others. 9 +** May you share freely, never taking more than you give. 10 +** 11 +************************************************************************* 12 +** 13 +** This program is designed for fuzz-testing SQLite database files using 14 +** the -fsanitize=fuzzer option of clang. 15 +** 16 +** The -fsanitize=fuzzer option causes a main() to be inserted automatically. 17 +** That main() invokes LLVMFuzzerTestOneInput(D,S) to be invoked repeatedly. 18 +** Each D is a fuzzed database file. The code in this file runs various 19 +** SQL statements against that database, trying to provoke a failure. 20 +** 21 +** For best results the seed database files should have these tables: 22 +** 23 +** Table "t1" with columns "a" and "b" 24 +** Tables "t2" and "t3 with the same number of compatible columns 25 +** "t3" should have a column names "x" 26 +** Table "t4" with a column "x" that is compatible with t3.x. 27 +** 28 +** Any of these tables can be virtual tables, for example FTS or RTree tables. 29 +** 30 +** To run this test: 31 +** 32 +** mkdir dir 33 +** cp dbfuzz2-seed*.db dir 34 +** clang-6.0 -I. -g -O1 -fsanitize=fuzzer \ 35 +** -DTHREADSAFE=0 -DSQLITE_ENABLE_DESERIALIZE \ 36 +** -DSQLITE_ENABLE_DBSTAT_VTAB dbfuzz2.c sqlite3.c -ldl 37 +** ./a.out dir 38 +*/ 39 +#include <assert.h> 40 +#include <stdio.h> 41 +#include <stdlib.h> 42 +#include <string.h> 43 +#include <stdarg.h> 44 +#include <ctype.h> 45 +#include <stdint.h> 46 +#include "sqlite3.h" 47 + 48 +/* 49 +** This is the is the SQL that is run against the database. 50 +*/ 51 +static const char *azSql[] = { 52 + "PRAGMA integrity_check;", 53 + "SELECT * FROM sqlite_master;", 54 + "SELECT sum(length(name)) FROM dbstat;", 55 + "UPDATE t1 SET b=a, a=b WHERE a<b;", 56 + "ALTER TABLE t1 RENAME TO alkjalkjdfiiiwuer987lkjwer82mx97sf98788s9789s;" 57 + "INSERT INTO t3 SELECT * FROM t2;", 58 + "DELETE FROM t3 WHERE x IN (SELECT x FROM t4);", 59 + "REINDEX;" 60 + "DROP TABLE t3;", 61 + "VACUUM;", 62 +}; 63 + 64 +int LLVMFuzzerTestOneInput(const uint8_t *aData, size_t nByte){ 65 + unsigned char *a; 66 + sqlite3 *db; 67 + int rc; 68 + int i; 69 + 70 + rc = sqlite3_open(":memory:", &db); 71 + if( rc ) return 1; 72 + a = sqlite3_malloc64(nByte); 73 + if( a==0 ) return 1; 74 + memcpy(a, aData, nByte); 75 + sqlite3_deserialize(db, "main", a, nByte, nByte, 76 + SQLITE_DESERIALIZE_RESIZEABLE | 77 + SQLITE_DESERIALIZE_FREEONCLOSE); 78 + for(i=0; i<sizeof(azSql)/sizeof(azSql[0]); i++){ 79 + sqlite3_exec(db, azSql[i], 0, 0, 0); 80 + } 81 + sqlite3_close(db); 82 + return 0; 83 +}