Hi there. I am a researcher in security and vulnerabilities. Recently I have been studying CVEs in OSS and their existence in downstream projects.

While modeling CVEs in sqlite3 and searching for vulnerable, cognate code across GitHub, I found this project. The code in src/box/sql/ turned out to be a copy of sqlite3, with the baseline version from which it forked unknown. However, the legal announcements within the code files had been replaced, and symbols like function names had been carefully modified. Many individual modifications had been made on this codebase, which made it hard to map the modified functions to the original.

After some manual examination, I found that some CVEs which had been fixed in upstream sqlite3 did exist in tarantool, judging from the vulnerable code contexts. For example, a patch fixing CVE-2020-13435 is commit 0934d64 in function sqlite3ExprCodeTarget:

diff --git a/src/expr.c b/src/expr.c
index 83dd8b1ab..c5b678387 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -3811,7 +3811,10 @@ expr_code_doover:
   switch( op ){
     case TK_AGG_COLUMN: {
       AggInfo *pAggInfo = pExpr->pAggInfo;
-      struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
+      struct AggInfo_col *pCol;
+      assert( pAggInfo!=0 );
+      assert( pExpr->iAgg>=0 && pExpr->iAgg<pAggInfo->nColumn );
+      pCol = &pAggInfo->aCol[pExpr->iAgg];
       if( !pAggInfo->directMode ){
         assert( pCol->iMem>0 );
         return pCol->iMem;
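Review bot: the two new `assert( ... )` lines on `pAggInfo` and `pExpr->iAgg` are compiled out in an NDEBUG build, so a release binary still performs the unchecked `pCol = &pAggInfo->aCol[pExpr->iAgg];` read for an out-of-range `iAgg`; the TK_AGG_FUNCTION hunk below handles the same condition at runtime via the error path, and this case would be more defensible with a matching runtime guard or a comment explaining why `iAgg` is trusted here. Anyone porting the fix to a fork with renamed symbols should also confirm the fork's AggInfo struct exposes the equivalent of `nColumn`, otherwise the bounds assert cannot be expressed.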
@@ -4111,7 +4114,10 @@ expr_code_doover:
     }
     case TK_AGG_FUNCTION: {
       AggInfo *pInfo = pExpr->pAggInfo;
-      if( pInfo==0 ){
+      if( pInfo==0
+       || NEVER(pExpr->iAgg<0)
+       || NEVER(pExpr->iAgg>=pInfo->nFunc)
+      ){
         assert( !ExprHasProperty(pExpr, EP_IntValue) );
         sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
       }else{
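Review bot: the condition ordering is what makes this safe, since `pInfo==0` is tested before `pInfo->nFunc` is dereferenced, so the `||` short-circuit must be preserved if the condition is ever reworked; a note on why `NEVER()` is used for the index checks (they are believed unreachable, yet still evaluated so a release build falls into the "misuse of aggregate" error branch rather than reading past `aFunc`) would help reviewers who do not know the SQLite macro convention.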

This is apparently a patch against out-of-bounds array access. Examining the context in function sqlExprCodeTarget, I got:

    switch (op) {
    case TK_AGG_COLUMN:{
            AggInfo *pAggInfo = pExpr->pAggInfo;
            struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
            if (!pAggInfo->directMode) {
                assert(pCol->iMem > 0);
                return pCol->iMem;

Though the context differed, the defect made sense anyway.

Honestly speaking, I am totally unfamiliar with this project, and the role of the code in src/box/sql/ is not clear to me. Would you investigate the existence and exploitability of sqlite3 vulnerabilities, and perhaps merge upstream patches or switch to the upstream code in the future?

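As an added illustration of the patch-presence check the post performs by hand (this is not code from the post, from SQLite or from tarantool), the following Python compares the removed and added lines of one upstream hunk against a fragment of the forked function after normalizing whitespace; the sqlite3-to-sql symbol-prefix mapping is an assumption, and both inputs are constructed from the snippets quoted above.

```python
import re
# Constructed sample input: the first hunk of the upstream sqlite3 fix quoted
# in the post, and the matching fragment of the forked function.
UPSTREAM_DIFF = """\
@@ -3811,7 +3811,10 @@ expr_code_doover:
   switch( op ){
     case TK_AGG_COLUMN: {
       AggInfo *pAggInfo = pExpr->pAggInfo;
-      struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
+      struct AggInfo_col *pCol;
+      assert( pAggInfo!=0 );
+      assert( pExpr->iAgg>=0 && pExpr->iAgg<pAggInfo->nColumn );
+      pCol = &pAggInfo->aCol[pExpr->iAgg];
       if( !pAggInfo->directMode ){
"""
FORK_SNIPPET = """\
    case TK_AGG_COLUMN:{
            AggInfo *pAggInfo = pExpr->pAggInfo;
            struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
            if (!pAggInfo->directMode) {
"""

def parse_hunk(diff):
    """Split a unified-diff hunk into its removed ('-') and added ('+') lines."""
    removed, added = [], []
    for line in diff.splitlines():
        if line.startswith(("@@", "diff ", "index ", "--- ", "+++ ")):
            continue  # hunk and file headers carry no code
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return removed, added

def normalize(line):
    """Drop whitespace and undo the fork's renaming (assumed: sqlite3 -> sql prefix)."""
    return re.sub(r"\s+", "", line).replace("sqlite3", "sql")

def patch_status(diff, fork_src):
    """'unpatched' if only pre-fix lines match, 'patched' if only post-fix lines match."""
    removed, added = parse_hunk(diff)
    fork = {normalize(l) for l in fork_src.splitlines()}
    old_hits = sum(normalize(l) in fork for l in removed)
    new_hits = sum(normalize(l) in fork for l in added)
    if new_hits and not old_hits:
        return "patched"
    if old_hits and not new_hits:
        return "unpatched"
    return "unknown"
```

Run against the fork fragment this reports "unpatched"; a heavily restructured function yields "unknown" and still needs the manual review the post describes.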
