1 /* 2 ** 2018-10-26 3 ** 4 ** The author disclaims copyright to this source code. In place of 5 ** a legal notice, here is a blessing: 6 ** 7 ** May you do good and not evil. 8 ** May you find forgiveness for yourself and forgive others. 9 ** May you share freely, never taking more than you give. 10 ** 11 ************************************************************************* 12 ** 13 ** This program is designed for fuzz-testing SQLite database files using 14 ** the -fsanitize=fuzzer option of clang. 15 ** 16 ** The -fsanitize=fuzzer option causes a main() to be inserted automatically. 17 ** That main() invokes LLVMFuzzerTestOneInput(D,S) to be invoked repeatedly. 18 ** Each D is a fuzzed database file. The code in this file runs various 19 ** SQL statements against that database, trying to provoke a failure. 20 ** 21 ** For best results the seed database files should have these tables: 22 ** 23 ** Table "t1" with columns "a" and "b" 24 ** Tables "t2" and "t3 with the same number of compatible columns 25 ** "t3" should have a column names "x" 26 ** Table "t4" with a column "x" that is compatible with t3.x. 27 ** 28 ** Any of these tables can be virtual tables, for example FTS or RTree tables. 29 ** 30 ** To run this test: 31 ** 32 ** mkdir dir 33 ** cp dbfuzz2-seed*.db dir 34 ** clang-6.0 -I. -g -O1 -fsanitize=fuzzer \ 35 ** -DTHREADSAFE=0 -DSQLITE_ENABLE_DESERIALIZE \ 36 ** -DSQLITE_ENABLE_DBSTAT_VTAB dbfuzz2.c sqlite3.c -ldl 37 ** ./a.out dir 38 */ 39 #include <assert.h> 40 #include <stdio.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <stdarg.h> 44 #include <ctype.h> 45 #include <stdint.h> 46 #include <sys/time.h> 47 #include <sys/resource.h> 48 #include "sqlite3.h" 49 50 /* 51 ** This is the is the SQL that is run against the database. 52 */ 53 static const char *azSql[] = { 54 "PRAGMA integrity_check;", 55 "SELECT * FROM sqlite_master;", 56 "SELECT sum(length(name)) FROM dbstat;", 57 "UPDATE t1 SET b=a, a=b WHERE a<b;", 58 "ALTER TABLE t1 RENAME TO alkjalkjdfiiiwuer987lkjwer82mx97sf98788s9789s;", 59 "INSERT INTO t3 SELECT * FROM t2;", 60 "DELETE FROM t3 WHERE x IN (SELECT x FROM t4);", 61 "REINDEX;", 62 "DROP TABLE t3;", 63 "VACUUM;", 64 }; 65 66 /* Output verbosity level. 0 means complete silence */ 67 int eVerbosity = 0; 68 69 /* True to activate PRAGMA vdbe_debug=on */ 70 static int bVdbeDebug = 0; 71 72 /* Maximum size of the in-memory database file */ 73 static sqlite3_int64 szMax = 104857600; 74 75 /***** Copy/paste from ext/misc/memtrace.c ***************************/ 76 /* The original memory allocation routines */ 77 static sqlite3_mem_methods memtraceBase; 78 static FILE *memtraceOut; 79 80 /* Methods that trace memory allocations */ 81 static void *memtraceMalloc(int n){ 82 if( memtraceOut ){ 83 fprintf(memtraceOut, "MEMTRACE: allocate %d bytes\n", 84 memtraceBase.xRoundup(n)); 85 } 86 return memtraceBase.xMalloc(n); 87 } 88 static void memtraceFree(void *p){ 89 if( p==0 ) return; 90 if( memtraceOut ){ 91 fprintf(memtraceOut, "MEMTRACE: free %d bytes\n", memtraceBase.xSize(p)); 92 } 93 memtraceBase.xFree(p); 94 } 95 static void *memtraceRealloc(void *p, int n){ 96 if( p==0 ) return memtraceMalloc(n); 97 if( n==0 ){ 98 memtraceFree(p); 99 return 0; 100 } 101 if( memtraceOut ){ 102 fprintf(memtraceOut, "MEMTRACE: resize %d -> %d bytes\n", 103 memtraceBase.xSize(p), memtraceBase.xRoundup(n)); 104 } 105 return memtraceBase.xRealloc(p, n); 106 } 107 static int memtraceSize(void *p){ 108 return memtraceBase.xSize(p); 109 } 110 static int memtraceRoundup(int n){ 111 return memtraceBase.xRoundup(n); 112 } 113 static int memtraceInit(void *p){ 114 return memtraceBase.xInit(p); 115 } 116 static void memtraceShutdown(void *p){ 117 memtraceBase.xShutdown(p); 118 } 119 120 /* The substitute memory allocator */ 121 static sqlite3_mem_methods ersaztMethods = { 122 memtraceMalloc, 123 memtraceFree, 124 memtraceRealloc, 125 memtraceSize, 126 memtraceRoundup, 127 memtraceInit, 128 memtraceShutdown 129 }; 130 131 /* Begin tracing memory allocations to out. */ 132 int sqlite3MemTraceActivate(FILE *out){ 133 int rc = SQLITE_OK; 134 if( memtraceBase.xMalloc==0 ){ 135 rc = sqlite3_config(SQLITE_CONFIG_GETMALLOC, &memtraceBase); 136 if( rc==SQLITE_OK ){ 137 rc = sqlite3_config(SQLITE_CONFIG_MALLOC, &ersaztMethods); 138 } 139 } 140 memtraceOut = out; 141 return rc; 142 } 143 144 /* Deactivate memory tracing */ 145 int sqlite3MemTraceDeactivate(void){ 146 int rc = SQLITE_OK; 147 if( memtraceBase.xMalloc!=0 ){ 148 rc = sqlite3_config(SQLITE_CONFIG_MALLOC, &memtraceBase); 149 if( rc==SQLITE_OK ){ 150 memset(&memtraceBase, 0, sizeof(memtraceBase)); 151 } 152 } 153 memtraceOut = 0; 154 return rc; 155 } 156 /***** End copy/paste from ext/misc/memtrace.c ***************************/ 157 158 /* libFuzzer invokes this routine with fuzzed database files (in aData). 159 ** This routine run SQLite against the malformed database to see if it 160 ** can provoke a failure or malfunction. 161 */ 162 int LLVMFuzzerTestOneInput(const uint8_t *aData, size_t nByte){ 163 unsigned char *a; 164 sqlite3 *db; 165 int rc; 166 int i; 167 sqlite3_int64 x; 168 char *zErr = 0; 169 170 if( eVerbosity>=1 ){ 171 printf("************** nByte=%d ***************\n", (int)nByte); 172 fflush(stdout); 173 } 174 if( sqlite3_initialize() ) return 0; 175 rc = sqlite3_open(0, &db); 176 if( rc ) return 1; 177 a = sqlite3_malloc64(nByte+1); 178 if( a==0 ) return 1; 179 memcpy(a, aData, nByte); 180 sqlite3_deserialize(db, "main", a, nByte, nByte, 181 SQLITE_DESERIALIZE_RESIZEABLE | 182 SQLITE_DESERIALIZE_FREEONCLOSE); 183 x = szMax; 184 sqlite3_file_control(db, "main", SQLITE_FCNTL_SIZE_LIMIT, &x); 185 if( bVdbeDebug ){ 186 sqlite3_exec(db, "PRAGMA vdbe_debug=ON", 0, 0, 0); 187 } 188 for(i=0; i<sizeof(azSql)/sizeof(azSql[0]); i++){ 189 if( eVerbosity>=1 ){ 190 printf("%s\n", azSql[i]); 191 fflush(stdout); 192 } 193 zErr = 0; 194 rc = sqlite3_exec(db, azSql[i], 0, 0, &zErr); 195 if( rc && eVerbosity>=1 ){ 196 printf("-- rc=%d zErr=%s\n", rc, zErr); 197 } 198 sqlite3_free(zErr); 199 } 200 rc = sqlite3_close(db); 201 if( rc!=SQLITE_OK ){ 202 fprintf(stdout, "sqlite3_close() returns %d\n", rc); 203 } 204 if( sqlite3_memory_used()!=0 ){ 205 int nAlloc = 0; 206 int nNotUsed = 0; 207 sqlite3_status(SQLITE_STATUS_MALLOC_COUNT, &nAlloc, &nNotUsed, 0); 208 fprintf(stderr,"Memory leak: %lld bytes in %d allocations\n", 209 sqlite3_memory_used(), nAlloc); 210 exit(1); 211 } 212 return 0; 213 } 214 215 /* 216 ** Return the number of "v" characters in a string. Return 0 if there 217 ** are any characters in the string other than "v". 218 */ 219 static int numberOfVChar(const char *z){ 220 int N = 0; 221 while( z[0] && z[0]=='v' ){ 222 z++; 223 N++; 224 } 225 return z[0]==0 ? N : 0; 226 } 227 228 /* libFuzzer invokes this routine once when the executable starts, to 229 ** process the command-line arguments. 230 */ 231 int LLVMFuzzerInitialize(int *pArgc, char ***pArgv){ 232 int i, j, n; 233 int argc = *pArgc; 234 char **argv = *pArgv; 235 for(i=j=1; i<argc; i++){ 236 char *z = argv[i]; 237 if( z[0]=='-' ){ 238 z++; 239 if( z[0]=='-' ) z++; 240 if( z[0]=='v' && (n = numberOfVChar(z))>0 ){ 241 eVerbosity += n; 242 continue; 243 } 244 if( strcmp(z,"vdbe-debug")==0 ){ 245 bVdbeDebug = 1; 246 continue; 247 } 248 if( strcmp(z,"memtrace")==0 ){ 249 sqlite3MemTraceActivate(stdout); 250 continue; 251 } 252 if( strcmp(z,"mem")==0 ){ 253 bVdbeDebug = 1; 254 continue; 255 } 256 if( strcmp(z,"max-db-size")==0 ){ 257 if( i+1==argc ){ 258 fprintf(stderr, "missing argument to %s\n", argv[i]); 259 exit(1); 260 } 261 szMax = strtol(argv[++i], 0, 0); 262 continue; 263 } 264 if( strcmp(z,"max-stack")==0 265 || strcmp(z,"max-data")==0 266 || strcmp(z,"max-as")==0 267 ){ 268 struct rlimit x,y; 269 int resource = RLIMIT_STACK; 270 char *zType = "RLIMIT_STACK"; 271 if( i+1==argc ){ 272 fprintf(stderr, "missing argument to %s\n", argv[i]); 273 exit(1); 274 } 275 if( z[4]=='d' ){ 276 resource = RLIMIT_DATA; 277 zType = "RLIMIT_DATA"; 278 } 279 if( z[4]=='a' ){ 280 resource = RLIMIT_AS; 281 zType = "RLIMIT_AS"; 282 } 283 memset(&x,0,sizeof(x)); 284 getrlimit(resource, &x); 285 y.rlim_cur = atoi(argv[++i]); 286 y.rlim_max = x.rlim_cur; 287 setrlimit(resource, &y); 288 memset(&y,0,sizeof(y)); 289 getrlimit(resource, &y); 290 printf("%s changed from %d to %d\n", 291 zType, (int)x.rlim_cur, (int)y.rlim_cur); 292 continue; 293 } 294 } 295 argv[j++] = argv[i]; 296 } 297 argv[j] = 0; 298 *pArgc = j; 299 return 0; 300 } 301 302 #ifdef STANDALONE 303 /* 304 ** Read an entire file into memory. Space to hold the file comes 305 ** from malloc(). 306 */ 307 static unsigned char *readFile(const char *zName, int *pnByte){ 308 FILE *in = fopen(zName, "rb"); 309 long nIn; 310 size_t nRead; 311 unsigned char *pBuf; 312 if( in==0 ) return 0; 313 fseek(in, 0, SEEK_END); 314 nIn = ftell(in); 315 rewind(in); 316 pBuf = malloc( nIn+1 ); 317 if( pBuf==0 ){ fclose(in); return 0; } 318 nRead = fread(pBuf, nIn, 1, in); 319 fclose(in); 320 if( nRead!=1 ){ 321 free(pBuf); 322 return 0; 323 } 324 pBuf[nIn] = 0; 325 if( pnByte ) *pnByte = nIn; 326 return pBuf; 327 } 328 #endif /* STANDALONE */ 329 330 #ifdef STANDALONE 331 int main(int argc, char **argv){ 332 int i; 333 LLVMFuzzerInitialize(&argc, &argv); 334 for(i=1; i<argc; i++){ 335 unsigned char *pIn; 336 int nIn; 337 pIn = readFile(argv[i], &nIn); 338 if( pIn ){ 339 LLVMFuzzerTestOneInput((const uint8_t*)pIn, (size_t)nIn); 340 free(pIn); 341 } 342 } 343 if( eVerbosity>0 ){ 344 struct rusage x; 345 printf("SQLite %s\n", sqlite3_sourceid()); 346 memset(&x, 0, sizeof(x)); 347 if( getrusage(RUSAGE_SELF, &x)==0 ){ 348 printf("Maximum RSS = %ld KB\n", x.ru_maxrss); 349 } 350 } 351 return 0; 352 } 353 #endif /*STANDALONE*/ 354