Closed Bug 853091 Opened 11 years ago Closed 6 years ago

invalid reads in sqlite3 reported by ASAN

Categories

(Toolkit :: Storage, defect)

Product:
Toolkit
Component:
Storage
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: joe, Unassigned)

References

(
URL
)

Details

Compile Firefox with ASAN. Try to start it. It will crash immediately because of invalid reads inside sqlite3; in this case, it's in the memcmp() at sqlite3.c:27640, which compares pVfs->zName with "unix-excl". The pVfs->zName, though, is just "unix". 

There are other problems too, but I need ASAN to work so I've just turned it off on *sqlite3* functions.
I don't think this actually is a security problem... The contents of the memory beyond the '\0' will not matter in the final result of the comparison (since 0 is still less than everything in the reference string) so there's no risk of malicious code somehow altering the behavior of sqlite.

I don't know why  memcmp is used here, maybe there were performance concerns? A simple (and, admittedly, naive) fix here would be to use strncmp. That would bail out when it hit the '\0' and should prevent the ASAN warning.

CC'ing the head SQLite developer to make sure this is known and to get his thoughts on the above.
This is already being tracked in the Chromium bugtracker and shouldn't be a security problem:

http://code.google.com/p/chromium/issues/detail?id=178677
URL: http://code.google.com/p/chromium/iss...
I do not think this is a real issue, or if it is it is exceedingly obscure.  Nevertheless, we have changed several memcpy() calls to strncmp() or strcmp().  This occurred a few weeks ago and is in the 3.7.16 release of SQlite.  See http://www.sqlite.org/src/info/d73435587b for the specific change.

The problem is (I am told) that optimized versions of memcmp() will not necessarily stop at the first byte difference, and hence might read past the end of a buffer.  strcmp() and strncmp(), on the other hand, are guaranteed to stop reading at the first byte difference.
Thanks! We have a bug open to upgrade our in-tree SQLite to 3.7.16 already (bug 853266). Shall we dup to that?
I may review the patch for the new version of SQLite on next Monday
Ok. In the meantime I don't see any reason to keep this bug hidden.
Agreed, this is already public in the Chromium Tracker.
Group: core-security
Is this still an issue after we upgraded to SQLite 3.7.16.1?
fwiw now we are about to upgrade to 3.7.17 in bug 874171.
Depends on: SQLite3.7.16.1
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.