From: drh <>
Date: Thu, 17 Aug 2023 14:19:44 +0000 (+0000)
Subject: Fix a possible UAF in SEH if an exception occurs at an inopportune moment
X-Git-Tag: version-3.43.0~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=36a9f5c24cbdca85485eb899fd53df124d3ab895;p=thirdparty%2Fsqlite.git

Fix a possible UAF in SEH if an exception occurs at an inopportune moment
during WAL processing.

FossilOrigin-Name: 91b91037e348fa10cf6a9d8a0ffbfdebb4a40e0e336b65b112ed1c828e75cda7
---

diff --git a/manifest b/manifest
index 49c9bc8c34..07d4d8935e 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Refinements\sto\sinstructions\son\scompiling\sfor\sWindows.
-D 2023-08-16T17:23:42.222
+C Fix\sa\spossible\sUAF\sin\sSEH\sif\san\sexception\soccurs\sat\san\sinopportune\smoment\nduring\sWAL\sprocessing.
+D 2023-08-17T14:19:44.072
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -766,7 +766,7 @@ F src/vdbetrace.c fe0bc29ebd4e02c8bc5c1945f1d2e6be5927ec12c06d89b03ef2a4def34bf8
 F src/vdbevtab.c 57fa8f56478e5b5cb558cb425e7878515e0a105c54f96f1d1bbf4b9433529254
 F src/vtab.c 1ecf8c3745d29275688d583e12822fa984d421e0286b5ef50c137bc3bf6d7a64
 F src/vxworks.h d2988f4e5a61a4dfe82c6524dd3d6e4f2ce3cdb9
-F src/wal.c 3b068bc1db5d42d72b940c377b6fdb0e6d41bc106c5e99bfc40bbbe973e5f3e2
+F src/wal.c 01e051a1e713d9eabdb25df38602837cec8f4c2cae448ce2cf6accc87af903e9
 F src/wal.h 04a9e53121d5076f2a173b0f2facb39d33047093fee71bd3bbe6b1f6f1f5fd4b
 F src/walker.c 7c7ea0115345851c3da4e04e2e239a29983b61fb5b038b94eede6aba462640e2
 F src/where.c b8917792f1e0dbfa28fb29e6cd3d560060d69667be0ba4c491cbc772363264f5
@@ -2092,8 +2092,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 0f6b2b33736ee07f17f3a4e5f077bb4d0e2481c8f81251b8ce6b78510f372237
-R 6b56e789e5267410fdb3971aefa50798
+P d543c36c35f71c5f0a7ebf6f496feca40d16566d0c5b2c2ba205ff43437ffcd1
+R f8ce2e24212ad2fa8332322fc5005324
 U drh
-Z 6657d0ca5d125a89c7fdb5a9a6cb9ceb
+Z 3120c029fcad27eadc95da2816eed4db
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index e30cdd08fc..ab0264d1a6 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-d543c36c35f71c5f0a7ebf6f496feca40d16566d0c5b2c2ba205ff43437ffcd1
\ No newline at end of file
+91b91037e348fa10cf6a9d8a0ffbfdebb4a40e0e336b65b112ed1c828e75cda7
\ No newline at end of file
diff --git a/src/wal.c b/src/wal.c
index 4ee5d80f79..d63c13ffc4 100644
--- a/src/wal.c
+++ b/src/wal.c
@@ -531,6 +531,8 @@ struct Wal {
 #ifdef SQLITE_USE_SEH
   u32 lockMask;              /* Mask of locks held */
   void *pFree;               /* Pointer to sqlite3_free() if exception thrown */
+  u32 *pWiValue;             /* Value to write into apWiData[iWiPg] */
+  int iWiPg;                 /* Write pWiValue into apWiData[iWiPg] */
   int iSysErrno;             /* System error code following exception */
 #endif
 #ifdef SQLITE_DEBUG
@@ -702,11 +704,24 @@ static void sehInjectFault(Wal *pWal){
 #define SEH_FREE_ON_ERROR(X,Y) \
   assert( (X==0 || Y==0) && pWal->pFree==X ); pWal->pFree = Y
 
+/*
+** There are two ways to use this macro. To arrange for pWal->apWiData[iPg]
+** to be set to pValue if an exception is thrown:
+**
+**   SEH_SET_ON_ERROR(iPg, pValue);
+**
+** and to cancel the same:
+**
+**   SEH_SET_ON_ERROR(0, 0);
+*/
+#define SEH_SET_ON_ERROR(X,Y)  pWal->iWiPg = X; pWal->pWiValue = Y
+
 #else
 # define SEH_TRY          VVA_ONLY(pWal->nSehTry++);
 # define SEH_EXCEPT(X)    VVA_ONLY(pWal->nSehTry--); assert( pWal->nSehTry==0 );
 # define SEH_INJECT_FAULT assert( pWal->nSehTry>0 );
 # define SEH_FREE_ON_ERROR(X,Y)
+# define SEH_SET_ON_ERROR(X,Y)
 #endif /* ifdef SQLITE_USE_SEH */
 
 
@@ -1467,6 +1482,7 @@ static int walIndexRecover(Wal *pWal){
       rc = walIndexPage(pWal, iPg, (volatile u32**)&aShare);
       assert( aShare!=0 || rc!=SQLITE_OK );
       if( aShare==0 ) break;
+      SEH_SET_ON_ERROR(iPg, aShare);
       pWal->apWiData[iPg] = aPrivate;
 
       for(iFrame=iFirst; iFrame<=iLast; iFrame++){
@@ -1494,6 +1510,7 @@ static int walIndexRecover(Wal *pWal){
         }
       }
       pWal->apWiData[iPg] = aShare;
+      SEH_SET_ON_ERROR(0,0);
       nHdr = (iPg==0 ? WALINDEX_HDR_SIZE : 0);
       nHdr32 = nHdr / sizeof(u32);
 #ifndef SQLITE_SAFER_WALINDEX_RECOVERY
@@ -2387,7 +2404,9 @@ static void walLimitSize(Wal *pWal, i64 nMax){
 **
 **   2) Frees the pointer at Wal.pFree, if any, using sqlite3_free().
 **
-**   3) Returns SQLITE_IOERR.
+**   3) Set pWal->apWiData[pWal->iWiPg] to pWal->pWiValue if not NULL
+**
+**   4) Returns SQLITE_IOERR.
 */
 static int walHandleException(Wal *pWal){
   if( pWal->exclusiveMode==0 ){
@@ -2406,6 +2425,10 @@ static int walHandleException(Wal *pWal){
   }
   sqlite3_free(pWal->pFree);
   pWal->pFree = 0;
+  if( pWal->pWiValue ){
+    pWal->apWiData[pWal->iWiPg] = pWal->pWiValue;
+    pWal->pWiValue = 0;
+  }
   return SQLITE_IOERR_IN_PAGE;
 }