| Field | Value |
|---|---|
| Title | UnQLite master Heap-based Buffer Overflow |

Description:

Hi,
We found a heap buffer overflow using a new concolic execution tool. Please check the below and the attached file for reproduction.
```
$cd build/example
$./unqlitec input.sql
=================================================================
==19425==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000001c5c at pc 0x555555796fad bp 0x7fffffffc3c0 sp 0x7fffffffc3b0
READ of size 4 at 0x61b000001c5c thread T0
#0 0x555555796fac in jx9MemObjStore /data/src/benchmarks/unqlite/unqlite.c:31737
#1 0x5555557d4504 in VmByteCodeExec /data/src/benchmarks/unqlite/unqlite.c:43880
#2 0x5555557e00d1 in jx9VmByteCodeExec /data/src/benchmarks/unqlite/unqlite.c:45623
#3 0x5555556f4d2e in unqlite_vm_exec /data/src/benchmarks/unqlite/unqlite.c:4572
#4 0x5555556f0821 in execute_sql_commands /data/src/benchmarks/unqlite/example/unqlite.c:72
#5 0x5555556f0ee0 in main /data/src/benchmarks/unqlite/example/unqlite.c:101
#6 0x7ffff6e22c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#7 0x5555555f1a19 in _start (/data/src/benchmarks/unqlite/build-gcov/example/unqlitec+0x9da19)
0x61b000001c5c is located 36 bytes to the left of 1428-byte region [0x61b000001c80,0x61b000002214)
allocated by thread T0 here:
#0 0x5555556af7f0 in malloc (/data/src/benchmarks/unqlite/build-gcov/example/unqlitec+0x15b7f0)
#1 0x555555773d96 in SyOSHeapAlloc /data/src/benchmarks/unqlite/unqlite.c:26911
#2 0x555555777366 in MemOSAlloc /data/src/benchmarks/unqlite/unqlite.c:27100
#3 0x55555577763b in MemBackendAlloc /data/src/benchmarks/unqlite/unqlite.c:27154
#4 0x5555557779fd in SyMemBackendAlloc /data/src/benchmarks/unqlite/unqlite.c:27184
#5 0x5555557cb0c9 in VmNewOperandStack /data/src/benchmarks/unqlite/unqlite.c:42476
#6 0x5555557cb342 in jx9VmMakeReady /data/src/benchmarks/unqlite/unqlite.c:42516
#7 0x5555557016b2 in ProcessScript /data/src/benchmarks/unqlite/unqlite.c:7557
#8 0x555555701b66 in jx9_compile /data/src/benchmarks/unqlite/unqlite.c:7615
#9 0x5555556f454d in unqlite_compile /data/src/benchmarks/unqlite/unqlite.c:4466
#10 0x5555556f0471 in execute_sql_commands /data/src/benchmarks/unqlite/example/unqlite.c:51
#11 0x5555556f0ee0 in main /data/src/benchmarks/unqlite/example/unqlite.c:101
#12 0x7ffff6e22c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/benchmarks/unqlite/unqlite.c:31737 in jx9MemObjStore
Shadow bytes around the buggy address:
0x0c367fff8330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fff8340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fff8350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fff8360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fff8370: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fff8380: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
0x0c367fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff83b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff83c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19425==ABORTING
```
Build instruction: `cmake -DCMAKE_C_COMPILER=gcc -DCMAKE_C_FLAGS="-g -fsanitize=address" ..`
GCC version: `gcc-7.5.0`
OS: `x86_64 ubuntu 18.04`
Git version of unqlite: `957c377cb691a4f617db9aba5cc46d90425071e2` (master)
Reproduction files: [unqlite-reproduce-heap-overflow.zip](https://github.com/user-attachments/files/19652580/unqlite-reproduce-heap-overflow.zip)
Best regards,
Hx

| Field | Value |
|---|---|
| Source | https://github.com/symisc/unqlite/issues/173 |
| User | Haoxin Tu (UID 81718) |
| Submission | 09.04.2025 03:53 (1 year ago) |
| Moderation | 18.04.2025 04:49 (9 days later) |
| Status | Accepted |
| VulDB Entry | 305614 [symisc UnQLite up to 957c377cb691a4f617db9aba5cc46d90425071e2 unqlite.c jx9MemObjStore buffer overflow] |
| Points | 20 |