Fix a possible UAF in SEH if an exception occurs at an inopportune moment

during WAL processing.

FossilOrigin-Name: 91b91037e348fa10cf6a9d8a0ffbfdebb4a40e0e336b65b112ed1c828e75cda7
This commit is contained in:
drh 2023-08-17 14:19:44 +00:00
parent 936f7deee4
commit 36a9f5c24c
3 changed files with 31 additions and 8 deletions

View File

@ -1,5 +1,5 @@
C Refinements\sto\sinstructions\son\scompiling\sfor\sWindows. C Fix\sa\spossible\sUAF\sin\sSEH\sif\san\sexception\soccurs\sat\san\sinopportune\smoment\nduring\sWAL\sprocessing.
D 2023-08-16T17:23:42.222 D 2023-08-17T14:19:44.072
F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@ -766,7 +766,7 @@ F src/vdbetrace.c fe0bc29ebd4e02c8bc5c1945f1d2e6be5927ec12c06d89b03ef2a4def34bf8
F src/vdbevtab.c 57fa8f56478e5b5cb558cb425e7878515e0a105c54f96f1d1bbf4b9433529254 F src/vdbevtab.c 57fa8f56478e5b5cb558cb425e7878515e0a105c54f96f1d1bbf4b9433529254
F src/vtab.c 1ecf8c3745d29275688d583e12822fa984d421e0286b5ef50c137bc3bf6d7a64 F src/vtab.c 1ecf8c3745d29275688d583e12822fa984d421e0286b5ef50c137bc3bf6d7a64
F src/vxworks.h d2988f4e5a61a4dfe82c6524dd3d6e4f2ce3cdb9 F src/vxworks.h d2988f4e5a61a4dfe82c6524dd3d6e4f2ce3cdb9
F src/wal.c 3b068bc1db5d42d72b940c377b6fdb0e6d41bc106c5e99bfc40bbbe973e5f3e2 F src/wal.c 01e051a1e713d9eabdb25df38602837cec8f4c2cae448ce2cf6accc87af903e9
F src/wal.h 04a9e53121d5076f2a173b0f2facb39d33047093fee71bd3bbe6b1f6f1f5fd4b F src/wal.h 04a9e53121d5076f2a173b0f2facb39d33047093fee71bd3bbe6b1f6f1f5fd4b
F src/walker.c 7c7ea0115345851c3da4e04e2e239a29983b61fb5b038b94eede6aba462640e2 F src/walker.c 7c7ea0115345851c3da4e04e2e239a29983b61fb5b038b94eede6aba462640e2
F src/where.c b8917792f1e0dbfa28fb29e6cd3d560060d69667be0ba4c491cbc772363264f5 F src/where.c b8917792f1e0dbfa28fb29e6cd3d560060d69667be0ba4c491cbc772363264f5
@ -2092,8 +2092,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
P 0f6b2b33736ee07f17f3a4e5f077bb4d0e2481c8f81251b8ce6b78510f372237 P d543c36c35f71c5f0a7ebf6f496feca40d16566d0c5b2c2ba205ff43437ffcd1
R 6b56e789e5267410fdb3971aefa50798 R f8ce2e24212ad2fa8332322fc5005324
U drh U drh
Z 6657d0ca5d125a89c7fdb5a9a6cb9ceb Z 3120c029fcad27eadc95da2816eed4db
# Remove this line to create a well-formed Fossil manifest. # Remove this line to create a well-formed Fossil manifest.

View File

@ -1 +1 @@
d543c36c35f71c5f0a7ebf6f496feca40d16566d0c5b2c2ba205ff43437ffcd1 91b91037e348fa10cf6a9d8a0ffbfdebb4a40e0e336b65b112ed1c828e75cda7

View File

@ -531,6 +531,8 @@ struct Wal {
#ifdef SQLITE_USE_SEH #ifdef SQLITE_USE_SEH
u32 lockMask; /* Mask of locks held */ u32 lockMask; /* Mask of locks held */
void *pFree; /* Pointer to sqlite3_free() if exception thrown */ void *pFree; /* Pointer to sqlite3_free() if exception thrown */
u32 *pWiValue; /* Value to write into apWiData[iWiPg] */
int iWiPg; /* Write pWiValue into apWiData[iWiPg] */
int iSysErrno; /* System error code following exception */ int iSysErrno; /* System error code following exception */
#endif #endif
#ifdef SQLITE_DEBUG #ifdef SQLITE_DEBUG
@ -702,11 +704,24 @@ static void sehInjectFault(Wal *pWal){
#define SEH_FREE_ON_ERROR(X,Y) \ #define SEH_FREE_ON_ERROR(X,Y) \
assert( (X==0 || Y==0) && pWal->pFree==X ); pWal->pFree = Y assert( (X==0 || Y==0) && pWal->pFree==X ); pWal->pFree = Y
/*
** There are two ways to use this macro. To arrange for pWal->apWiData[iPg]
** to be set to pValue if an exception is thrown:
**
** SEH_SET_ON_ERROR(iPg, pValue);
**
** and to cancel the same:
**
** SEH_SET_ON_ERROR(0, 0);
*/
#define SEH_SET_ON_ERROR(X,Y) pWal->iWiPg = X; pWal->pWiValue = Y
#else #else
# define SEH_TRY VVA_ONLY(pWal->nSehTry++); # define SEH_TRY VVA_ONLY(pWal->nSehTry++);
# define SEH_EXCEPT(X) VVA_ONLY(pWal->nSehTry--); assert( pWal->nSehTry==0 ); # define SEH_EXCEPT(X) VVA_ONLY(pWal->nSehTry--); assert( pWal->nSehTry==0 );
# define SEH_INJECT_FAULT assert( pWal->nSehTry>0 ); # define SEH_INJECT_FAULT assert( pWal->nSehTry>0 );
# define SEH_FREE_ON_ERROR(X,Y) # define SEH_FREE_ON_ERROR(X,Y)
# define SEH_SET_ON_ERROR(X,Y)
#endif /* ifdef SQLITE_USE_SEH */ #endif /* ifdef SQLITE_USE_SEH */
@ -1467,6 +1482,7 @@ static int walIndexRecover(Wal *pWal){
rc = walIndexPage(pWal, iPg, (volatile u32**)&aShare); rc = walIndexPage(pWal, iPg, (volatile u32**)&aShare);
assert( aShare!=0 || rc!=SQLITE_OK ); assert( aShare!=0 || rc!=SQLITE_OK );
if( aShare==0 ) break; if( aShare==0 ) break;
SEH_SET_ON_ERROR(iPg, aShare);
pWal->apWiData[iPg] = aPrivate; pWal->apWiData[iPg] = aPrivate;
for(iFrame=iFirst; iFrame<=iLast; iFrame++){ for(iFrame=iFirst; iFrame<=iLast; iFrame++){
@ -1494,6 +1510,7 @@ static int walIndexRecover(Wal *pWal){
} }
} }
pWal->apWiData[iPg] = aShare; pWal->apWiData[iPg] = aShare;
SEH_SET_ON_ERROR(0,0);
nHdr = (iPg==0 ? WALINDEX_HDR_SIZE : 0); nHdr = (iPg==0 ? WALINDEX_HDR_SIZE : 0);
nHdr32 = nHdr / sizeof(u32); nHdr32 = nHdr / sizeof(u32);
#ifndef SQLITE_SAFER_WALINDEX_RECOVERY #ifndef SQLITE_SAFER_WALINDEX_RECOVERY
@ -2387,7 +2404,9 @@ static void walLimitSize(Wal *pWal, i64 nMax){
** **
** 2) Frees the pointer at Wal.pFree, if any, using sqlite3_free(). ** 2) Frees the pointer at Wal.pFree, if any, using sqlite3_free().
** **
** 3) Returns SQLITE_IOERR. ** 3) Set pWal->apWiData[pWal->iWiPg] to pWal->pWiValue if not NULL
**
** 4) Returns SQLITE_IOERR.
*/ */
static int walHandleException(Wal *pWal){ static int walHandleException(Wal *pWal){
if( pWal->exclusiveMode==0 ){ if( pWal->exclusiveMode==0 ){
@ -2406,6 +2425,10 @@ static int walHandleException(Wal *pWal){
} }
sqlite3_free(pWal->pFree); sqlite3_free(pWal->pFree);
pWal->pFree = 0; pWal->pFree = 0;
if( pWal->pWiValue ){
pWal->apWiData[pWal->iWiPg] = pWal->pWiValue;
pWal->pWiValue = 0;
}
return SQLITE_IOERR_IN_PAGE; return SQLITE_IOERR_IN_PAGE;
} }