Closed
Bug 1234698
Opened 10 years ago
Closed 9 years ago
Upgrade NSS's SQLite to 3.10.2
Categories: NSS :: Libraries, defect
Tracking: firefox46 affected
RESOLVED FIXED
Target Milestone: 3.23
People
(Reporter: jld, Assigned: jld)
References
Details
Attachments
(1 file, 1 obsolete file)
648.90 KB, application/octet-stream
The SQLite version currently in NSS, 3.7.15, has at least one bug that Address Sanitizer considers a buffer overrun.
(I don't think this needs to be a security bug. In practice it's harmless enough that SQLite's impressive test coverage didn't catch it, although if any of the uses involve heap memory and an attacker can manipulate heap layout then it might be possible to cause a non-exploitable crash via reading unmapped memory. But it's also been public since March 2013.)
This was fixed in 3.7.16, but I assume we'd want to upgrade to the latest stable SQLite.
Further reading:
* https://crbug.com/178677 — original discovery
* https://www.sqlite.org/src/info/d73435587b — upstream fix
* http://trust-in-soft.com/memcmp-requires-pointers-to-fully-valid-buffers/ — a coincidentally timely discussion of this kind of bug and what it's capable of
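The defect class the report describes is a memcmp() whose length runs past the end of the shorter buffer, relying on the comparison stopping at the first differing byte; the C standard gives no such guarantee, which is why ASan reports it as a buffer overrun. The following is an added, constructed C illustration of that class beside its correct form; it is not SQLite's code or the patch discussed here, and the key layout is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Misuse: the length passed is the LONGER of the two keys, on the assumption
 * that memcmp() returns at the first mismatch. An implementation may read
 * whole words at a time, so the shorter key is over-read. Under
 * -fsanitize=address this is reported as a heap-buffer-overflow. */
int compare_keys_unsafe(const unsigned char *a, size_t na,
                        const unsigned char *b, size_t nb)
{
    size_t n = na > nb ? na : nb;
    int rc = memcmp(a, b, n);                 /* reads past the shorter key */
    if (rc == 0) rc = (int)na - (int)nb;
    return rc;
}

/* Correct form: compare only the bytes both keys actually have, then break
 * ties by length. memcmp() never touches memory outside either buffer. */
int compare_keys_safe(const unsigned char *a, size_t na,
                      const unsigned char *b, size_t nb)
{
    size_t n = na < nb ? na : nb;
    int rc = memcmp(a, b, n);
    if (rc == 0) rc = (na > nb) - (na < nb);  /* -1, 0 or +1 */
    return rc;
}

/* Normalise a comparison result to -1/0/+1 so callers can test it exactly. */
int sign(int v) { return (v > 0) - (v < 0); }

int main(void)
{
    /* Constructed keys in exact-size heap allocations, so any over-read
     * lands outside the allocation and ASan can observe it. */
    size_t na = 3, nb = 8;
    unsigned char *a = malloc(na), *b = malloc(nb);
    memcpy(a, "abc", na);
    memcpy(b, "abcdefgh", nb);

    printf("safe:   %d\n", sign(compare_keys_safe(a, na, b, nb)));   /* -1 */
    /* Same inputs through the misuse: ASan flags the read beyond `a`. */
    printf("unsafe: %d\n", sign(compare_keys_unsafe(a, na, b, nb)));

    free(a);
    free(b);
    return 0;
}
```

Build with `-fsanitize=address` to see the report on the unsafe call; the safe comparison is what the 3.7.16 fix and the "minimal patch" discussed below amount to.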
Comment 1•10 years ago
Bug 1176293 Comment 3 should give a workaround. But we probably should simply update the sqlite version.
See Also: → 1176293
Comment 2•10 years ago
Work in progress: I copied Gecko's version of sqlite.[ch] from directly after its update to 3.7.16 and reapplied NSS's change to make warnings-as-errors builds work; this is probably not the right way to do this, but it gets ASan test runs to pass.
Comment 3
https://bugzilla.mozilla.org/show_bug.cgi?id=1237324
Would it be possible to update to SQLite 3.10.0 (latest stable upstream release)?
Comment 4•9 years ago
(In reply to NVD from comment #3)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1237324
>
> Would it be possible to update to SQLite 3.10.0(latest stable upstream
> release)?
It should be. I just need to do the import and test it (and figure out who rubber-stamps that kind of thing for NSS).
Comment 5•9 years ago
Also… if I export the commit as a patch, it's 11 MiB uncompressed. I can get it down to 1.5 MiB with xz, but I'm not sure how useful that is. It's just copying the sqlite3.[hc] files from the sqlite-amalgamation-3100100.zip over the ones in lib/sqlite; I didn't need to do anything else to make them build and pass the DB tests.
Comment 6•9 years ago
Comment 9•9 years ago
This shouldn't be blocking ASanization. Just have the Makefiles compile SQLite w/o ASan
Comment 10•9 years ago
If I'm going to make NSS-local changes to work around this, I'd rather just apply the minimal patch that makes SQLite stop misusing memcmp(). But updating SQLite shouldn't be that hard....
Comment 11•9 years ago
Kai, any ideas on how to get this landed? (The attached Hg bundle doesn't need to be used, if copying the sqlite3.[hc] files directly from https://sqlite.org/2016/sqlite-amalgamation-3100200.zip would be easier.)
Flags: needinfo?(kaie)
Updated•9 years ago
Attachment #8701666 - Attachment is obsolete: true
Comment 12•9 years ago
(In reply to Jed Davis [:jld] from comment #10)
> If I'm going to make NSS-local changes to work around this, I'd rather just
> apply the minimal patch that makes SQLite stop misusing memcmp(). But
> updating SQLite shouldn't be that hard....
It might not be hard, but it is a bigger change than just the minimal one. Could we do the minimal change now to unblock ASan builds, and then file a follow-up (if needed) to undo it as part of updating SQLite later?
Comment 13•9 years ago
I've asked for objections.
If nobody raises objections, I could land it Wednesday next week.
(keeping needinfo to help me track it)
Comment 14•9 years ago
OK, landed already, as there was support for landing without waiting.
https://hg.mozilla.org/projects/nss/rev/49370f8de30a
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(kaie)
Resolution: --- → FIXED
Summary: Upgrade NSS's SQLite to at least 3.7.16 → Upgrade NSS's SQLite to 3.10.2
Target Milestone: --- → 3.23
Comment 15•9 years ago
I've tagged NSS_3_23_BETA3 which includes this change.
I've started a try run at
https://treeherder.mozilla.org/#/jobs?repo=try&revision=ed41f198c6f8
If it works, we can land that into mozilla-inbound as part of bug 1245053.
Comment 16•9 years ago
There was an issue with the previously mentioned NSS snapshot.
Newer try run of NSS revision ccaddca3b86b running at
https://treeherder.mozilla.org/#/jobs?repo=try&revision=dbe020fb98f8
Comment 17•9 years ago
FYI, successfully landed as part of NSS_3_23_BETA4 a few days ago.