Check-in [90d12094]
Overview
Comment: Initial code for a fuzzing tool on database file that works with the -fsanitize=fuzzer option of clang.
SHA3-256: 90d12094d36957fbded71545add8a5dc206798fdacc17d4d161d715569a7f991
User & Date: drh 2018-10-27 00:47:33
Context
2018-10-27 16:02: Add an entry in Makefile.in to build dbfuzz2 using clang-6.0 with -fsanitize=fuzzer,undefined. (check-in: a4a083ed, user: drh, tags: trunk)
2018-10-27 00:47: Initial code for a fuzzing tool on database file that works with the -fsanitize=fuzzer option of clang. (check-in: 90d12094, user: drh, tags: trunk)
2018-10-26 17:05: Add the sqlite3session_config() interface. For configuring global parameters belonging to the sessions module. (check-in: 1e69f3ff, user: dan, tags: trunk)
Changes

Added test/dbfuzz2-seed1.db.

cannot compute difference between binary files

Added test/dbfuzz2.c.

            1  +/*
            2  +** 2018-10-26
            3  +**
            4  +** The author disclaims copyright to this source code.  In place of
            5  +** a legal notice, here is a blessing:
            6  +**
            7  +**    May you do good and not evil.
            8  +**    May you find forgiveness for yourself and forgive others.
            9  +**    May you share freely, never taking more than you give.
           10  +**
           11  +*************************************************************************
           12  +**
           13  +** This program is designed for fuzz-testing SQLite database files using
           14  +** the -fsanitize=fuzzer option of clang.
           15  +**
           16  +** The -fsanitize=fuzzer option causes a main() to be inserted automatically.
           17  +** That main() invokes LLVMFuzzerTestOneInput(D,S) to be invoked repeatedly.
           18  +** Each D is a fuzzed database file.  The code in this file runs various
           19  +** SQL statements against that database, trying to provoke a failure.
           20  +**
           21  +** For best results the seed database files should have these tables:
           22  +**
           23  +**   Table "t1" with columns "a" and "b"
           24  +**   Tables "t2" and "t3 with the same number of compatible columns
           25  +**       "t3" should have a column names "x"
           26  +**   Table "t4" with a column "x" that is compatible with t3.x.
           27  +**
           28  +** Any of these tables can be virtual tables, for example FTS or RTree tables.
           29  +**
           30  +** To run this test:
           31  +**
           32  +**     mkdir dir
           33  +**     cp dbfuzz2-seed*.db dir
           34  +**     clang-6.0 -I. -g -O1 -fsanitize=fuzzer \
           35  +**       -DTHREADSAFE=0 -DSQLITE_ENABLE_DESERIALIZE \
           36  +**       -DSQLITE_ENABLE_DBSTAT_VTAB dbfuzz2.c sqlite3.c -ldl
           37  +**     ./a.out dir
           38  +*/
           39  +#include <assert.h>
           40  +#include <stdio.h>
           41  +#include <stdlib.h>
           42  +#include <string.h>
           43  +#include <stdarg.h>
           44  +#include <ctype.h>
           45  +#include <stdint.h>
           46  +#include "sqlite3.h"
           47  +
           48  +/*
           49  +** This is the is the SQL that is run against the database.
           50  +*/
           51  +static const char *azSql[] = {
           52  +  "PRAGMA integrity_check;",
           53  +  "SELECT * FROM sqlite_master;",
           54  +  "SELECT sum(length(name)) FROM dbstat;",
           55  +  "UPDATE t1 SET b=a, a=b WHERE a<b;",
           56  +  "ALTER TABLE t1 RENAME TO alkjalkjdfiiiwuer987lkjwer82mx97sf98788s9789s;"
           57  +  "INSERT INTO t3 SELECT * FROM t2;",
           58  +  "DELETE FROM t3 WHERE x IN (SELECT x FROM t4);",
           59  +  "REINDEX;"
           60  +  "DROP TABLE t3;",
           61  +  "VACUUM;",
           62  +};
           63  +
           64  +int LLVMFuzzerTestOneInput(const uint8_t *aData, size_t nByte){
           65  +  unsigned char *a;
           66  +  sqlite3 *db;
           67  +  int rc;
           68  +  int i;
           69  +
           70  +  rc = sqlite3_open(":memory:", &db);
           71  +  if( rc ) return 1;
           72  +  a = sqlite3_malloc64(nByte);
           73  +  if( a==0 ) return 1;
           74  +  memcpy(a, aData, nByte);
           75  +  sqlite3_deserialize(db, "main", a, nByte, nByte,
           76  +        SQLITE_DESERIALIZE_RESIZEABLE |
           77  +        SQLITE_DESERIALIZE_FREEONCLOSE);
           78  +  for(i=0; i<sizeof(azSql)/sizeof(azSql[0]); i++){
           79  +    sqlite3_exec(db, azSql[i], 0, 0, 0);
           80  +  }
           81  +  sqlite3_close(db);
           82  +  return 0;
           83  +}
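Review bot: the azSql initializer is missing a comma after the "ALTER TABLE t1 RENAME TO ...;" entry and after the "REINDEX;" entry, so C concatenates each with the following literal: the ALTER TABLE and "INSERT INTO t3 SELECT * FROM t2;" become one array element, as do "REINDEX;" and "DROP TABLE t3;". sqlite3_exec() still runs both statements of a merged element in order, but it stops at the first error, so whenever the ALTER TABLE fails (t1 absent or damaged in a fuzzed file) the INSERT is never attempted, and likewise the DROP TABLE after a failing REINDEX; the loop also iterates over eight entries instead of the ten the list intends. Suggest adding the two trailing commas. Two smaller points: the return value of sqlite3_deserialize() is ignored, so a rejected image still goes through the whole statement loop against whatever state db is left in (possibly intended for a fuzzer, but worth a comment saying so), and the header comment has typos worth cleaning up ("This is the is the SQL", the unclosed quote in `Tables "t2" and "t3 with`, "a column names "x"", and "invokes LLVMFuzzerTestOneInput(D,S) to be invoked").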