
6 forum posts by user 798532734

2021-07-09
08:52 Reply: Segmentation fault in idxGetTableInfo (artifact: 718c0a8d17 user: 798532734)

Thanks for the quick fix.

2021-07-08
10:28 Edit: Segmentation fault in idxGetTableInfo (artifact: 78165fa250 user: 798532734)

Description

There is a segmentation fault in idxGetTableInfo that crashes the sqlite3 shell. The ASAN report below shows a READ of address 0x0 ("address points to the zero page") inside strlen() called from idxGetTableInfo, i.e. a NULL-pointer dereference; the frames above it (sqlite3_expert_new, expertDotCommand, do_meta_command) show it is reached through the shell's `.expert` dot-command. The observed impact is a crash (denial of service) of the shell process; this trace reports only a NULL read, not a heap-buffer overflow or other memory corruption.

VERSION

git-master (commit 9d41caf361ea37e7bb91c3e0635bd9dca9f06040)

trunk (8c432642572c8c4b7251f413def0725b3b8e9e7fe10230aa0aabe86b58e5902d)

date: 2021-07-07 19:44:32

System info

Ubuntu 18.04.5 LTS

clang version 10.0.0

POC content (the input is fuzzer-generated and intentionally malformed; per the stack trace the crash is triggered by the shell's `.expert` dot-command handler, so it must be fed to the sqlite3 command-line shell rather than the library API)

create TEMP  table t1(allint);1;
CREATE TRIGGER t02AFTER DELETE ON t1
WHEN EXISTS ( SELECT 1 FROM t0 WHERE o00.x0= y5)
BEGIN
INSERT INTO t0 VALUES(o00.x);
END;
C@EATE TABLE a0(y RE FM t1 
CREATE TRIGGER t00 AFTER DELETE ON t1
WHE0)FROM t1;
INSERT INTO t1 SELECT x+8,randomblb(400)FROM t1;
INSERT INTO t1 SELECT x+16,randomblob(400)FROM t1;
INSERT INTO t1 SELECT x+32,randomblob(400)FROM t1;
 INTO t1 VALUES(74,raOM t1;   /*  16 */
SZVEPOINT one;
INSERT INTO t120) null, L000000000000000礸t(20WAL;
PRAGMA cache_size = 10;
CREATE TABLE t1120) null, L000000000000000 text(20) null, U000, U000000000000000>text(300) nullC L00000000000000D text(50) nulldomblob(800) FROM t1;   /*   2 */
INSERT INTO t1 SELECT randomblob(8ll, P000000 text(50) n*/                                                                                                                                                                                                                   ÿSERT INTO t1 SELECTGrandomblob(802001%112010) FROM t1;  ;/*   8 */
INSERT INTO tH SELECT randomblob(000) FROM t1;   /*  16 */
SZVEPOINT one;
INSERT INTO t120) null, L000000000000000 text000D text(50) null, F00000000000 text(100) not null,*R0000000 int not null, S00000000) not null, A0000000000 text(30) not null, L0000000 text(200) not null, A00000000000000000 int not null, R00000 int not null, N000000000000 text(1) nÿl, N0000000000000 text(1) null, N00000000 text(1) null, N000000E00000000 text(1) null, N000000000000ÿÿ0 
CREATE TABLE T00(C00 inX000)0,S0000 int not null, L00000000000000 text(50) not nukl, P000000 text(50) null, ISSUEID text(50) not null, OB0ECTID text(50) not null, R0000000000 int not null, C0000000000 text(50) not nulR, A0000000 text(50) not null, C000 text(20) null, L0 CROM t1;   /*   2 */ U000 int00000, P00000000000000 int00000, L000000 int00000, L00000000 int00000, U000000000M int00000, L000000 int00000, L0ERT INTO t1 VALUES(randomblob(800));t SELECT randomblob(800
INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
PRAGMA cachepoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
 FROM t1;   /*   2 */ randomblob(800
INSERT INTO t1 SELECT randomblob(800
PRAGMA wl_checkpoint;
INSERT INTO t1 VALUES(randoMblob(800));VACUUM;
INSEme;
ATTACH'merory:' AS noname;AL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkAS noname;
ATTACH'merory:' AS inmǭJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cachb_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(rd null, C0000000000 text(50) not null, A00000nmǭJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
INSERT INT- tÿÿÿme;
ATTACH'merory:' AS inm§mJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = WAL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLEÿÿx PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
 CROM t1;   /*   2 */ randomblob(800
INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
PRAGMA caory:' AS inm§mJ±;
PRAGMA tage_size = 1RAGMA journal_mode = WAL;2 */
INSERT INTO t1 SELECT randomblob(800
PRAGMA wl]checkpoint;
IN ERT INTO t1 VALUES(randoMblob(800));VACUUM;
INSERT INTO t1 SEme;
ATTACH'merory:' AS noname;
ATTACH'merory:' AS A cache_size;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cache_s10) FROM t1; ATE T0;
CREATE TABLE t1TTACH'merory:' AS 0;
CREATE TABLE tF(x PRIMARY KEY);
PRAGMA wal_chBckpoint;
INSERT INTO t1ALUES(randomblob(800));VA 
ώώώ
   J
/
.expe
      -
-s 1:
/
.expώώώώώώώώώώώώώώώώώώώώώώLECT randomblob(800) FROM t1;   /*  RT = WAL;
PRAGMA cache_size= V0;CREA0;
AREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INinmGmJme;

ASAN OUTPUT

==46696==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2d6f5974e1 bp 0x7ffeecd46930 sp 0x7ffeecd460e8 T0)
==46696==The signal is caused by a READ memory access.
==46696==Hint: address points to the zero page.
    #0 0x7f2d6f5974e1  /build/glibc-S9d2JN/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1 0x42f058 in strlen /home/brian/src/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0x5282b8 in idxGetTableInfo (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5282b8)
    #3 0x4d3091 in idxCreateVtabSchema (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d3091)
    #4 0x4d27e4 in sqlite3_expert_new (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d27e4)
    #5 0x5426f5 in expertDotCommand (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5426f5)
    #6 0x4e3df0 in do_meta_command (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4e3df0)
    #7 0x4fbe79 in process_input (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4fbe79)
    #8 0x4dc0c7 in main (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4dc0c7)
    #9 0x7f2d6f42abf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41c579 in _start (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x41c579)

10:15 Reply: Segmentation fault in idxGetTableInfo (artifact: 66b3a4817d user: 798532734)

OK, thanks.

09:24 Post: Segmentation fault in idxGetTableInfo (artifact: 01db8e811c user: 798532734)

Description

There is a segmentation fault in idxGetTableInfo that crashes the sqlite3 shell. The ASAN report below shows a READ of address 0x0 ("address points to the zero page") inside strlen() called from idxGetTableInfo, i.e. a NULL-pointer dereference; the frames above it (sqlite3_expert_new, expertDotCommand, do_meta_command) show it is reached through the shell's `.expert` dot-command. The observed impact is a crash (denial of service) of the shell process; this trace reports only a NULL read, not a heap-buffer overflow or other memory corruption.

VERSION

git-master (commit 9d41caf361ea37e7bb91c3e0635bd9dca9f06040)

Commits on Jul 8, 2021

System info

Ubuntu 18.04.5 LTS

clang version 10.0.0

POC content (the input is fuzzer-generated and intentionally malformed; per the stack trace the crash is triggered by the shell's `.expert` dot-command handler, so it must be fed to the sqlite3 command-line shell rather than the library API)

create TEMP  table t1(allint);1;
CREATE TRIGGER t02AFTER DELETE ON t1
WHEN EXISTS ( SELECT 1 FROM t0 WHERE o00.x0= y5)
BEGIN
INSERT INTO t0 VALUES(o00.x);
END;
C@EATE TABLE a0(y RE FM t1 
CREATE TRIGGER t00 AFTER DELETE ON t1
WHE0)FROM t1;
INSERT INTO t1 SELECT x+8,randomblb(400)FROM t1;
INSERT INTO t1 SELECT x+16,randomblob(400)FROM t1;
INSERT INTO t1 SELECT x+32,randomblob(400)FROM t1;
 INTO t1 VALUES(74,raOM t1;   /*  16 */
SZVEPOINT one;
INSERT INTO t120) null, L000000000000000礸t(20WAL;
PRAGMA cache_size = 10;
CREATE TABLE t1120) null, L000000000000000 text(20) null, U000, U000000000000000>text(300) nullC L00000000000000D text(50) nulldomblob(800) FROM t1;   /*   2 */
INSERT INTO t1 SELECT randomblob(8ll, P000000 text(50) n*/                                                                                                                                                                                                                   ÿSERT INTO t1 SELECTGrandomblob(802001%112010) FROM t1;  ;/*   8 */
INSERT INTO tH SELECT randomblob(000) FROM t1;   /*  16 */
SZVEPOINT one;
INSERT INTO t120) null, L000000000000000 text000D text(50) null, F00000000000 text(100) not null,*R0000000 int not null, S00000000) not null, A0000000000 text(30) not null, L0000000 text(200) not null, A00000000000000000 int not null, R00000 int not null, N000000000000 text(1) nÿl, N0000000000000 text(1) null, N00000000 text(1) null, N000000E00000000 text(1) null, N000000000000ÿÿ0 
CREATE TABLE T00(C00 inX000)0,S0000 int not null, L00000000000000 text(50) not nukl, P000000 text(50) null, ISSUEID text(50) not null, OB0ECTID text(50) not null, R0000000000 int not null, C0000000000 text(50) not nulR, A0000000 text(50) not null, C000 text(20) null, L0 CROM t1;   /*   2 */ U000 int00000, P00000000000000 int00000, L000000 int00000, L00000000 int00000, U000000000M int00000, L000000 int00000, L0ERT INTO t1 VALUES(randomblob(800));t SELECT randomblob(800
INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
PRAGMA cachepoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
 FROM t1;   /*   2 */ randomblob(800
INSERT INTO t1 SELECT randomblob(800
PRAGMA wl_checkpoint;
INSERT INTO t1 VALUES(randoMblob(800));VACUUM;
INSEme;
ATTACH'merory:' AS noname;AL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkAS noname;
ATTACH'merory:' AS inmǭJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cachb_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(rd null, C0000000000 text(50) not null, A00000nmǭJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
INSERT INT- tÿÿÿme;
ATTACH'merory:' AS inm§mJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = WAL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLEÿÿx PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
 CROM t1;   /*   2 */ randomblob(800
INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
PRAGMA caory:' AS inm§mJ±;
PRAGMA tage_size = 1RAGMA journal_mode = WAL;2 */
INSERT INTO t1 SELECT randomblob(800
PRAGMA wl]checkpoint;
IN ERT INTO t1 VALUES(randoMblob(800));VACUUM;
INSERT INTO t1 SEme;
ATTACH'merory:' AS noname;
ATTACH'merory:' AS A cache_size;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cache_s10) FROM t1; ATE T0;
CREATE TABLE t1TTACH'merory:' AS 0;
CREATE TABLE tF(x PRIMARY KEY);
PRAGMA wal_chBckpoint;
INSERT INTO t1ALUES(randomblob(800));VA 
ώώώ
   J
/
.expe
      -
-s 1:
/
.expώώώώώώώώώώώώώώώώώώώώώώLECT randomblob(800) FROM t1;   /*  RT = WAL;
PRAGMA cache_size= V0;CREA0;
AREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INinmGmJme;

ASAN OUTPUT

==46696==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2d6f5974e1 bp 0x7ffeecd46930 sp 0x7ffeecd460e8 T0)
==46696==The signal is caused by a READ memory access.
==46696==Hint: address points to the zero page.
    #0 0x7f2d6f5974e1  /build/glibc-S9d2JN/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1 0x42f058 in strlen /home/brian/src/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0x5282b8 in idxGetTableInfo (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5282b8)
    #3 0x4d3091 in idxCreateVtabSchema (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d3091)
    #4 0x4d27e4 in sqlite3_expert_new (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d27e4)
    #5 0x5426f5 in expertDotCommand (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5426f5)
    #6 0x4e3df0 in do_meta_command (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4e3df0)
    #7 0x4fbe79 in process_input (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4fbe79)
    #8 0x4dc0c7 in main (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4dc0c7)
    #9 0x7f2d6f42abf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41c579 in _start (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x41c579)

08:56 Edit: (Deleted) (artifact: 6c6b9bf698 user: 798532734)
Deleted
08:51 Post: (Deleted) (artifact: ea41364652 user: 798532734)

#Query create TEMP table t1(allint);1; CREATE TRIGGER t02AFTER DELETE ON t1 WHEN EXISTS ( SELECT 1 FROM t0 WHERE o00.x0= y5) BEGIN INSERT INTO t0 VALUES(o00.x); END; C@EATE TABLE a0(y RE FM t1 CREATE TRIGGER t00 AFTER DELETE ON t1 WHE0)FROM t1; INSERT INTO t1 SELECT x+8,randomblb(400)FROM t1; INSERT INTO t1 SELECT x+16,randomblob(400)FROM t1; INSERT INTO t1 SELECT x+32,randomblob(400)FROM t1; INTO t1 VALUES(74,raOM t1; /* 16 / SZVEPOINT one; INSERT INTO t120) null, L000000000000000礸t(20WAL; PRAGMA cache_size = 10; CREATE TABLE t1120) null, L000000000000000 text(20) null, U000, U000000000000000>text(300) nullC L00000000000000D text(50) nulldomblob(800) FROM t1; / 2 / INSERT INTO t1 SELECT randomblob(8ll, P000000 text(50) n/ ÿSERT INTO t1 SELECTGrandomblob(802001%112010) FROM t1; ;/* 8 / INSERT INTO tH SELECT randomblob(000) FROM t1; / 16 / SZVEPOINT one; INSERT INTO t120) null, L000000000000000 text000D text(50) null, F00000000000 text(100) not null,*R0000000 int not null, S00000000) not null, A0000000000 text(30) not null, L0000000 text(200) not null, A00000000000000000 int not null, R00000 int not null, N000000000000 text(1) nÿl, N0000000000000 text(1) null, N00000000 text(1) null, N000000E00000000 text(1) null, N000000000000ÿÿ0 CREATE TABLE T00(C00 inX000)0,S0000 int not null, L00000000000000 text(50) not nukl, P000000 text(50) null, ISSUEID text(50) not null, OB0ECTID text(50) not null, R0000000000 int not null, C0000000000 text(50) not nulR, A0000000 text(50) not null, C000 text(20) null, L0 CROM t1; / 2 / U000 int00000, P00000000000000 int00000, L000000 int00000, L00000000 int00000, U000000000M int00000, L000000 int00000, L0ERT INTO t1 VALUES(randomblob(800));t SELECT randomblob(800 INSERT INTO t1 SELECT randomblob(800) FROM t1; / RT = WAL; PRAGMA cachepoint; INSERT INTO t1 VALUES(randomblob(800));VACUUM; FROM t1; /* 2 / randomblob(800 INSERT INTO t1 SELECT randomblob(800 PRAGMA wl_checkpoint; INSERT INTO t1 VALUES(randoMblob(800));VACUUM; INSEme; 
ATTACH'merory:' AS noname;AL; PRAGMA cache_size= V0;CREATE T0; CREATE TABLE t1(x PRIMARY KEY); PRAGMA wal_checkAS noname; ATTACH'merory:' AS inmǭJ±; PRAGMA tage_size = 1024; PRAGMA journal_mode = lAL; PRAGMA cachb_size= V0;CREATE T0; CREATE TABLE t1(x PRIMARY KEY); PRAGMA wal_checkpoint; INSERT INTO t1 VALUES(rd null, C0000000000 text(50) not null, A00000nmǭJ±; PRAGMA tage_size = 1024; PRAGMA journal_mode = lAL; PRAGMA cache_size= V0;CREATE T0; CREATE TABLE t1(x PRIMARY KEY); PRAGMA wal_checkpoint; INSERT INTO t1 VALUES(randomblob(800));VACUUM; INSERT INT- tÿÿÿme; ATTACH'merory:' AS inm§mJ±; PRAGMA tage_size = 1024; PRAGMA journal_mode = WAL; PRAGMA cache_size= V0;CREATE T0; CREATE TABLEÿÿx PRIMARY KEY); PRAGMA wal_checkpoint; INSERT INTO t1 VALUES(randomblob(800));VACUUM; CROM t1; / 2 / randomblob(800 INSERT INTO t1 SELECT randomblob(800) FROM t1; / RT = WAL; PRAGMA caory:' AS inm§mJ±; PRAGMA tage_size = 1RAGMA journal_mode = WAL;2 / INSERT INTO t1 SELECT randomblob(800 PRAGMA wl]checkpoint; IN ERT INTO t1 VALUES(randoMblob(800));VACUUM; INSERT INTO t1 SEme; ATTACH'merory:' AS noname; ATTACH'merory:' AS A cache_size; PRAGMA tage_size = 1024; PRAGMA journal_mode = lAL; PRAGMA cache_s10) FROM t1; ATE T0; CREATE TABLE t1TTACH'merory:' AS 0; CREATE TABLE tF(x PRIMARY KEY); PRAGMA wal_chBckpoint; INSERT INTO t1ALUES(randomblob(800));VA ώώώ J / .expe - -s 1: / .expώώώώώώώώώώώώώώώώώώώώώώLECT randomblob(800) FROM t1; / RT = WAL; PRAGMA cache_size= V0;CREA0; AREATE TABLE t1(x PRIMARY KEY); PRAGMA wal_checkpoint; INSERT INinmGmJme;

#Version git-master (commit 9d41caf361ea37e7bb91c3e0635bd9dca9f06040)

Commits on Jul 8, 2021

#ASAN output

==13234==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f30d207a4e1 bp 0x7ffe60e094b0 sp 0x7ffe60e08c68 T0)

==13234==The signal is caused by a READ memory access.

==13234==Hint: address points to the zero page.

#0 0x7f30d207a4e1  /build/glibc-S9d2JN/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65

#1 0x42f058 in strlen /home/brian/src/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc

#2 0x5282b8 in idxGetTableInfo (/sqlite/crash/build/sqlite3+0x5282b8)

#3 0x4d3091 in idxCreateVtabSchema (/unifuzz/sqlite/crash/build/sqlite3+0x4d3091)

#4 0x4d27e4 in sqlite3_expert_new (/sqlite/crash/build/sqlite3+0x4d27e4)

#5 0x5426f5 in expertDotCommand (/sqlite/crash/build/sqlite3+0x5426f5)

#6 0x4e3df0 in do_meta_command (/sqlite/crash/build/sqlite3+0x4e3df0)

#7 0x4fbe79 in process_input (/sqlite/crash/build/sqlite3+0x4fbe79)

#8 0x4dc00d in main (/sqlite/crash/build/sqlite3+0x4dc00d)

#9 0x7f30d1f0dbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

#10 0x41c579 in _start (/sqlite/crash/build/sqlite3+0x41c579)