Fix a possible UAF in SEH if an exception occurs at an inopportune moment
during WAL processing. FossilOrigin-Name: 91b91037e348fa10cf6a9d8a0ffbfdebb4a40e0e336b65b112ed1c828e75cda7
This commit is contained in:
parent
936f7deee4
commit
36a9f5c24c
12
manifest
12
manifest
@ -1,5 +1,5 @@
|
||||
C Refinements\sto\sinstructions\son\scompiling\sfor\sWindows.
|
||||
D 2023-08-16T17:23:42.222
|
||||
C Fix\sa\spossible\sUAF\sin\sSEH\sif\san\sexception\soccurs\sat\san\sinopportune\smoment\nduring\sWAL\sprocessing.
|
||||
D 2023-08-17T14:19:44.072
|
||||
F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
|
||||
F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
|
||||
F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
|
||||
@ -766,7 +766,7 @@ F src/vdbetrace.c fe0bc29ebd4e02c8bc5c1945f1d2e6be5927ec12c06d89b03ef2a4def34bf8
|
||||
F src/vdbevtab.c 57fa8f56478e5b5cb558cb425e7878515e0a105c54f96f1d1bbf4b9433529254
|
||||
F src/vtab.c 1ecf8c3745d29275688d583e12822fa984d421e0286b5ef50c137bc3bf6d7a64
|
||||
F src/vxworks.h d2988f4e5a61a4dfe82c6524dd3d6e4f2ce3cdb9
|
||||
F src/wal.c 3b068bc1db5d42d72b940c377b6fdb0e6d41bc106c5e99bfc40bbbe973e5f3e2
|
||||
F src/wal.c 01e051a1e713d9eabdb25df38602837cec8f4c2cae448ce2cf6accc87af903e9
|
||||
F src/wal.h 04a9e53121d5076f2a173b0f2facb39d33047093fee71bd3bbe6b1f6f1f5fd4b
|
||||
F src/walker.c 7c7ea0115345851c3da4e04e2e239a29983b61fb5b038b94eede6aba462640e2
|
||||
F src/where.c b8917792f1e0dbfa28fb29e6cd3d560060d69667be0ba4c491cbc772363264f5
|
||||
@ -2092,8 +2092,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
|
||||
F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
|
||||
F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
|
||||
F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
|
||||
P 0f6b2b33736ee07f17f3a4e5f077bb4d0e2481c8f81251b8ce6b78510f372237
|
||||
R 6b56e789e5267410fdb3971aefa50798
|
||||
P d543c36c35f71c5f0a7ebf6f496feca40d16566d0c5b2c2ba205ff43437ffcd1
|
||||
R f8ce2e24212ad2fa8332322fc5005324
|
||||
U drh
|
||||
Z 6657d0ca5d125a89c7fdb5a9a6cb9ceb
|
||||
Z 3120c029fcad27eadc95da2816eed4db
|
||||
# Remove this line to create a well-formed Fossil manifest.
|
||||
|
@ -1 +1 @@
|
||||
d543c36c35f71c5f0a7ebf6f496feca40d16566d0c5b2c2ba205ff43437ffcd1
|
||||
91b91037e348fa10cf6a9d8a0ffbfdebb4a40e0e336b65b112ed1c828e75cda7
|
25
src/wal.c
25
src/wal.c
@ -531,6 +531,8 @@ struct Wal {
|
||||
#ifdef SQLITE_USE_SEH
|
||||
u32 lockMask; /* Mask of locks held */
|
||||
void *pFree; /* Pointer to sqlite3_free() if exception thrown */
|
||||
u32 *pWiValue; /* Value to write into apWiData[iWiPg] */
|
||||
int iWiPg; /* Write pWiValue into apWiData[iWiPg] */
|
||||
int iSysErrno; /* System error code following exception */
|
||||
#endif
|
||||
#ifdef SQLITE_DEBUG
|
||||
@ -702,11 +704,24 @@ static void sehInjectFault(Wal *pWal){
|
||||
#define SEH_FREE_ON_ERROR(X,Y) \
|
||||
assert( (X==0 || Y==0) && pWal->pFree==X ); pWal->pFree = Y
|
||||
|
||||
/*
|
||||
** There are two ways to use this macro. To arrange for pWal->apWiData[iPg]
|
||||
** to be set to pValue if an exception is thrown:
|
||||
**
|
||||
** SEH_SET_ON_ERROR(iPg, pValue);
|
||||
**
|
||||
** and to cancel the same:
|
||||
**
|
||||
** SEH_SET_ON_ERROR(0, 0);
|
||||
*/
|
||||
#define SEH_SET_ON_ERROR(X,Y) pWal->iWiPg = X; pWal->pWiValue = Y
|
||||
|
||||
#else
|
||||
# define SEH_TRY VVA_ONLY(pWal->nSehTry++);
|
||||
# define SEH_EXCEPT(X) VVA_ONLY(pWal->nSehTry--); assert( pWal->nSehTry==0 );
|
||||
# define SEH_INJECT_FAULT assert( pWal->nSehTry>0 );
|
||||
# define SEH_FREE_ON_ERROR(X,Y)
|
||||
# define SEH_SET_ON_ERROR(X,Y)
|
||||
#endif /* ifdef SQLITE_USE_SEH */
|
||||
|
||||
|
||||
@ -1467,6 +1482,7 @@ static int walIndexRecover(Wal *pWal){
|
||||
rc = walIndexPage(pWal, iPg, (volatile u32**)&aShare);
|
||||
assert( aShare!=0 || rc!=SQLITE_OK );
|
||||
if( aShare==0 ) break;
|
||||
SEH_SET_ON_ERROR(iPg, aShare);
|
||||
pWal->apWiData[iPg] = aPrivate;
|
||||
|
||||
for(iFrame=iFirst; iFrame<=iLast; iFrame++){
|
||||
@ -1494,6 +1510,7 @@ static int walIndexRecover(Wal *pWal){
|
||||
}
|
||||
}
|
||||
pWal->apWiData[iPg] = aShare;
|
||||
SEH_SET_ON_ERROR(0,0);
|
||||
nHdr = (iPg==0 ? WALINDEX_HDR_SIZE : 0);
|
||||
nHdr32 = nHdr / sizeof(u32);
|
||||
#ifndef SQLITE_SAFER_WALINDEX_RECOVERY
|
||||
@ -2387,7 +2404,9 @@ static void walLimitSize(Wal *pWal, i64 nMax){
|
||||
**
|
||||
** 2) Frees the pointer at Wal.pFree, if any, using sqlite3_free().
|
||||
**
|
||||
** 3) Returns SQLITE_IOERR.
|
||||
** 3) Set pWal->apWiData[pWal->iWiPg] to pWal->pWiValue if not NULL
|
||||
**
|
||||
** 4) Returns SQLITE_IOERR.
|
||||
*/
|
||||
static int walHandleException(Wal *pWal){
|
||||
if( pWal->exclusiveMode==0 ){
|
||||
@ -2406,6 +2425,10 @@ static int walHandleException(Wal *pWal){
|
||||
}
|
||||
sqlite3_free(pWal->pFree);
|
||||
pWal->pFree = 0;
|
||||
if( pWal->pWiValue ){
|
||||
pWal->apWiData[pWal->iWiPg] = pWal->pWiValue;
|
||||
pWal->pWiValue = 0;
|
||||
}
|
||||
return SQLITE_IOERR_IN_PAGE;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user