1 /* 2 ** 2018-10-26 3 ** 4 ** The author disclaims copyright to this source code. In place of 5 ** a legal notice, here is a blessing: 6 ** 7 ** May you do good and not evil. 8 ** May you find forgiveness for yourself and forgive others. 9 ** May you share freely, never taking more than you give. 10 ** 11 ************************************************************************* 12 ** 13 ** This program is designed for fuzz-testing SQLite database files using 14 ** the -fsanitize=fuzzer option of clang. 15 ** 16 ** The -fsanitize=fuzzer option causes a main() to be inserted automatically. 17 ** That main() invokes LLVMFuzzerTestOneInput(D,S) to be invoked repeatedly. 18 ** Each D is a fuzzed database file. The code in this file runs various 19 ** SQL statements against that database, trying to provoke a failure. 20 ** 21 ** For best results the seed database files should have these tables: 22 ** 23 ** Table "t1" with columns "a" and "b" 24 ** Tables "t2" and "t3 with the same number of compatible columns 25 ** "t3" should have a column names "x" 26 ** Table "t4" with a column "x" that is compatible with t3.x. 27 ** 28 ** Any of these tables can be virtual tables, for example FTS or RTree tables. 29 ** 30 ** To run this test: 31 ** 32 ** mkdir dir 33 ** cp dbfuzz2-seed*.db dir 34 ** clang-6.0 -I. -g -O1 -fsanitize=fuzzer \ 35 ** -DTHREADSAFE=0 -DSQLITE_ENABLE_DESERIALIZE \ 36 ** -DSQLITE_ENABLE_DBSTAT_VTAB dbfuzz2.c sqlite3.c -ldl 37 ** ./a.out dir 38 */ 39 #include <assert.h> 40 #include <stdio.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <stdarg.h> 44 #include <ctype.h> 45 #include <stdint.h> 46 #include "sqlite3.h" 47 48 /* 49 ** This is the is the SQL that is run against the database. 50 */ 51 static const char *azSql[] = { 52 "PRAGMA integrity_check;", 53 "SELECT * FROM sqlite_master;", 54 "SELECT sum(length(name)) FROM dbstat;", 55 "UPDATE t1 SET b=a, a=b WHERE a<b;", 56 "ALTER TABLE t1 RENAME TO alkjalkjdfiiiwuer987lkjwer82mx97sf98788s9789s;", 57 "INSERT INTO t3 SELECT * FROM t2;", 58 "DELETE FROM t3 WHERE x IN (SELECT x FROM t4);", 59 "REINDEX;", 60 "DROP TABLE t3;", 61 "VACUUM;", 62 }; 63 64 /* Output verbosity level. 0 means complete silence */ 65 int eVerbosity = 0; 66 67 /* True to activate PRAGMA vdbe_debug=on */ 68 static int bVdbeDebug = 0; 69 70 /* libFuzzer invokes this routine with fuzzed database files (in aData). 71 ** This routine run SQLite against the malformed database to see if it 72 ** can provoke a failure or malfunction. 73 */ 74 int LLVMFuzzerTestOneInput(const uint8_t *aData, size_t nByte){ 75 unsigned char *a; 76 sqlite3 *db; 77 int rc; 78 int i; 79 80 if( eVerbosity>=1 ){ 81 printf("************** nByte=%d ***************\n", (int)nByte); 82 fflush(stdout); 83 } 84 if( sqlite3_initialize() ) return 0; 85 rc = sqlite3_open(0, &db); 86 if( rc ) return 1; 87 a = sqlite3_malloc64(nByte+1); 88 if( a==0 ) return 1; 89 memcpy(a, aData, nByte); 90 sqlite3_deserialize(db, "main", a, nByte, nByte, 91 SQLITE_DESERIALIZE_RESIZEABLE | 92 SQLITE_DESERIALIZE_FREEONCLOSE); 93 if( bVdbeDebug ){ 94 sqlite3_exec(db, "PRAGMA vdbe_debug=ON", 0, 0, 0); 95 } 96 for(i=0; i<sizeof(azSql)/sizeof(azSql[0]); i++){ 97 if( eVerbosity>=1 ){ 98 printf("%s\n", azSql[i]); 99 fflush(stdout); 100 } 101 sqlite3_exec(db, azSql[i], 0, 0, 0); 102 } 103 rc = sqlite3_close(db); 104 if( rc!=SQLITE_OK ){ 105 fprintf(stdout, "sqlite3_close() returns %d\n", rc); 106 } 107 if( sqlite3_memory_used()!=0 ){ 108 int nAlloc = 0; 109 int nNotUsed = 0; 110 sqlite3_status(SQLITE_STATUS_MALLOC_COUNT, &nAlloc, &nNotUsed, 0); 111 fprintf(stderr,"Memory leak: %lld bytes in %d allocations\n", 112 sqlite3_memory_used(), nAlloc); 113 exit(1); 114 } 115 return 0; 116 } 117 118 /* 119 ** Return the number of "v" characters in a string. Return 0 if there 120 ** are any characters in the string other than "v". 121 */ 122 static int numberOfVChar(const char *z){ 123 int N = 0; 124 while( z[0] && z[0]=='v' ){ 125 z++; 126 N++; 127 } 128 return z[0]==0 ? N : 0; 129 } 130 131 /* libFuzzer invokes this routine once when the executable starts, to 132 ** process the command-line arguments. 133 */ 134 int LLVMFuzzerInitialize(int *pArgc, char ***pArgv){ 135 int i, j, n; 136 int argc = *pArgc; 137 char **newArgv; 138 char **argv = *pArgv; 139 newArgv = malloc( sizeof(char*)*(argc+1) ); 140 if( newArgv==0 ) return 0; 141 newArgv[0] = argv[0]; 142 for(i=j=1; i<argc; i++){ 143 char *z = argv[i]; 144 if( z[0]=='-' ){ 145 z++; 146 if( z[0]=='-' ) z++; 147 if( z[0]=='v' && (n = numberOfVChar(z))>0 ){ 148 eVerbosity += n; 149 continue; 150 } 151 if( strcmp(z,"vdbe-debug")==0 ){ 152 bVdbeDebug = 1; 153 continue; 154 } 155 } 156 newArgv[j++] = argv[i]; 157 } 158 newArgv[j] = 0; 159 *pArgv = newArgv; 160 *pArgc = j; 161 return 0; 162 } 163 164 #ifdef STANDALONE 165 /* 166 ** Read an entire file into memory. Space to hold the file comes 167 ** from malloc(). 168 */ 169 static unsigned char *readFile(const char *zName, int *pnByte){ 170 FILE *in = fopen(zName, "rb"); 171 long nIn; 172 size_t nRead; 173 unsigned char *pBuf; 174 if( in==0 ) return 0; 175 fseek(in, 0, SEEK_END); 176 nIn = ftell(in); 177 rewind(in); 178 pBuf = malloc( nIn+1 ); 179 if( pBuf==0 ){ fclose(in); return 0; } 180 nRead = fread(pBuf, nIn, 1, in); 181 fclose(in); 182 if( nRead!=1 ){ 183 free(pBuf); 184 return 0; 185 } 186 pBuf[nIn] = 0; 187 if( pnByte ) *pnByte = nIn; 188 return pBuf; 189 } 190 #endif /* STANDALONE */ 191 192 #ifdef STANDALONE 193 int main(int argc, char **argv){ 194 int i; 195 LLVMFuzzerInitialize(&argc, &argv); 196 for(i=1; i<argc; i++){ 197 unsigned char *pIn; 198 int nIn; 199 pIn = readFile(argv[i], &nIn); 200 if( pIn ){ 201 LLVMFuzzerTestOneInput((const uint8_t*)pIn, (size_t)nIn); 202 free(pIn); 203 } 204 } 205 return 0; 206 } 207 #endif /*STANDALONE*/ 208