From: dan Date: Tue, 23 Jun 2026 19:14:44 +0000 (+0000) Subject: Avoid a use-after-free problem that could occur if ATTACH statements are executed... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=764881119d638c0e9390f2687b1d0865e6b8e196;p=thirdparty%2Fsqlite.git Avoid a use-after-free problem that could occur if ATTACH statements are executed while a backup operation is active. Bug [bugs:/info/2026-06-23T15:46:48Z | 2026-06-23T15:46:48Z]. FossilOrigin-Name: 9454592878b5732d37d61f4541bd6f0c1f893c20fc833ce4c600f9470e62d6f2 --- diff --git a/manifest b/manifest index 0ebe804215..bf6e986bec 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Do\snot\sallow\sinternal-use-only\sfunctions\sto\sbe\scoded,\sanywhere,\sunless\ninside\sof\sa\snested\sparse\s(which\sis\sthe\scase\sfor\sALTER\sTABLE)\sor\sif\nthe\sappropriate\stest-control\sis\sactivated.\n[bugs:/info/2026-06-23T15:49:27Z|Bug\s2026-06-23T15:49:27Z]. -D 2026-06-23T19:08:18.383 +C Avoid\sa\suse-after-free\sproblem\sthat\scould\soccur\sif\sATTACH\sstatements\sare\sexecuted\swhile\sa\sbackup\soperation\sis\sactive.\sBug\s[bugs:/info/2026-06-23T15:46:48Z\s|\s2026-06-23T15:46:48Z]. +D 2026-06-23T19:14:44.276 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea @@ -674,11 +674,11 @@ F src/alter.c da59ac700b52ba5d0e4dd099fb1818975cf8a79a546594da586b4e1eba3ae405 F src/analyze.c 73162482c656187823217f4c00758c9ee13a420c8745bc542129e0279b792287 F src/attach.c c58278c7d2d954785591c4fde81669ec3e4d52f348c453b028a19ae8adf4f338 F src/auth.c b5ece4e1edccad082c0332fa0087df225473bae0feea9269f824312201377185 -F src/backup.c 6ebe22ccbedfcb92423833992130e8d65824be4e6599c3a03f540ab38fc7d13c +F src/backup.c 1ffcc8f99a419b68b21b89f8e325565a4777a717ec743682ca4a48ccd19bf973 F src/bitvec.c e242d4496774dfc88fa278177dd23b607dce369ccafb3f61b41638eea2c9b399 F src/btmutex.c 30dada73a819a1ef5b7583786370dce1842e12e1ad941e4d05ac29695528daea F src/btree.c 515cf62220ceb483ba9a31ebb3d7565ea9d63ffc3d61bb974b2815fef393df0e -F src/btree.h d19e634e0fafd63d13b198df3a6306317a88a0d3daef7af8686e24a014933837 +F src/btree.h c3ba6ba663e185b265a327165bd795e6dc7806fe5a75fe9f547a8459c96f73a7 F src/btreeInt.h 4f512ad31083216b6789762d4c345b73367985d3b39421c9ba7c0902d09fb38b F src/build.c 09946336c3011c2ae2faccdf04e33336e1cd51fd836651be0cd7eb5814f7f6a0 F src/callback.c 3605bbf02bd7ed46c79cd48346db4a32fc51d67624400539c0532f4eead804ad @@ -803,7 +803,7 @@ F src/update.c 3e5e7ff66fa19ebe4d1b113d480639a24cc1175adbefabbd1a948a07f28e37cf F src/upsert.c dd9f0fcccbfb4f20e1026a21a7254ba3f2c08e9cfa92affaff5b5ec3b00ea549 F src/utf.c 7267c3fb9e2467020507601af3354c2446c61f444387e094c779dccd5ca62165 F src/util.c 98cf12c8ba65623a76c1eb6e6afa98ff40107c9919bf79af42f4bfc70e654232 -F src/vacuum.c d3d35d8ae893d419ade5fa196d761a83bddcbb62137a1a157ae751ef38b26e82 +F src/vacuum.c 4eda73a75a15f939b45b26e189f5b25757b39d7cb6d5e972a7f754e75d019189 F src/vdbe.c 6397694fa506aa1841dc8bb6a17c514aa602a4ad2515024fcd5880558c1ef57f F src/vdbe.h 70e862ac8a11b590f8c1eaac17a0078429d42bc4ea3f757a9af0f451dd966a71 F src/vdbeInt.h c31ba4dc8d280c2b1dc89c6fcee68f2555e3813ab34279552c20b964c0e338b1 @@ -899,7 +899,7 @@ F test/backcompat.test f2431465ed668f09fc3f6998e56e893a1506ccea6e8b6f409f085f759 F test/backup.test 3b08fd4af69f0fa786931103a31f4542b184aba16e239e5f22b18c3c2476697f F test/backup2.test b153553ee5667b0748b43346b0725fbf80ce1f5544613bf087d669778b60ec56 F test/backup4.test 8f6fd48e0dfde77b9a3bb26dc471ede3e101df32 -F test/backup5.test ee5da6d7fe5082f5b9b0bbfa31d016f52412a2e4 +F test/backup5.test 3e16065dc45c40030378702aac3e92f4d6e7d8853f0328f0390c9e7a71d8c712 F test/backup_ioerr.test 4c3c7147cee85b024ecf6e150e090c32fdbb5135 F test/backup_malloc.test 0c9abdf74c51e7bedb66d504cd684f28d4bd4027 F test/badutf.test cff75b714866a4ffa0cdda252eb8fe8765483f5872c0076223c92d52b4fffd1b @@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P 8a535a36a90cf12b783469289a882d1313038d444b4a7f04e3495ae9bdec416d -R bdcde85ab85e1f4afa8f626c7e398d47 -U drh -Z 99855b74f04f71968ba1547588fd3439 +P a145307e4d0b621c5493cecc7c826e8422cbd8dbc8cd9a042b8ec9e05d389eb6 +R 5cce1f25ef25a01d3c60d592539d65e2 +U dan +Z 8fa96fd823d734ff31d1a771a22e98a7 # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 37513c06a4..809244710f 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -a145307e4d0b621c5493cecc7c826e8422cbd8dbc8cd9a042b8ec9e05d389eb6 +9454592878b5732d37d61f4541bd6f0c1f893c20fc833ce4c600f9470e62d6f2 diff --git a/src/backup.c b/src/backup.c index 77c0959e2e..144c0534a2 100644 --- a/src/backup.c +++ b/src/backup.c @@ -20,13 +20,13 @@ */ struct sqlite3_backup { sqlite3* pDestDb; /* Destination database handle */ - Db *pDest; /* Destination db file */ + int iDest; u32 iDestSchema; /* Original schema cookie in destination */ int bDestLocked; /* True once a write-transaction is open on pDest */ Pgno iNext; /* Page number of the next source page to copy */ sqlite3* pSrcDb; /* Source database handle */ - Db *pSrc; /* Source db file */ + int iSrc; /* Source db file */ int rc; /* Backup process error code */ @@ -40,6 +40,20 @@ struct sqlite3_backup { sqlite3_backup *pNext; /* Next backup associated with source pager */ }; +/* +** Return the source (Btree*) used by backup object b. +*/ +#define getSourceBtree(b) ((b)->pSrcDb->aDb[(b)->iSrc].pBt) + +/* +** Return the destination (Btree*) used by backup object b. +*/ +#define getDestBtree(b) ( (b)->pDestDb ? \ + (b)->pDestDb->aDb[(b)->iDest].pBt : \ + (b)->pSrcDb->aDb[(b)->iDest].pBt \ +) + + /* ** THREAD SAFETY NOTES: ** @@ -71,15 +85,15 @@ struct sqlite3_backup { */ /* -** Return a pointer corresponding to database zDb (i.e. "main", "temp") +** Return an integer corresponding to database zDb (i.e. "main", "temp") ** in connection handle pDb. If such a database cannot be found, return -** a NULL pointer and write an error message to pErrorDb. +** a negative value and write an error message to pErrorDb. ** ** If the "temp" database is requested, it may need to be opened by this -** function. If an error occurs while doing so, return 0 and write an +** function. If an error occurs while doing so, return -1 and write an ** error message to pErrorDb. */ -static Db *findDatabase(sqlite3 *pErrorDb, sqlite3 *pDb, const char *zDb){ +static int findDatabase(sqlite3 *pErrorDb, sqlite3 *pDb, const char *zDb){ int i = sqlite3FindDbName(pDb, zDb); if( i==1 ){ @@ -99,10 +113,9 @@ static Db *findDatabase(sqlite3 *pErrorDb, sqlite3 *pDb, const char *zDb){ if( i<0 ){ sqlite3ErrorWithMsg(pErrorDb, SQLITE_ERROR, "unknown database %s", zDb); - return 0; } - return &pDb->aDb[i]; + return i; } /* @@ -110,8 +123,8 @@ static Db *findDatabase(sqlite3 *pErrorDb, sqlite3 *pDb, const char *zDb){ ** of the source. */ static int setDestPgsz(sqlite3_backup *p){ - return sqlite3BtreeSetPageSize(p->pDest->pBt, - sqlite3BtreeGetPageSize(p->pSrc->pBt), 0, 0 + return sqlite3BtreeSetPageSize(getDestBtree(p), + sqlite3BtreeGetPageSize(getSourceBtree(p)), 0, 0 ); } @@ -181,15 +194,15 @@ sqlite3_backup *sqlite3_backup_init( /* If the allocation succeeded, populate the new object. */ if( p ){ - p->pSrc = findDatabase(pDestDb, pSrcDb, zSrcDb); - p->pDest = findDatabase(pDestDb, pDestDb, zDestDb); + p->iDest = findDatabase(pDestDb, pDestDb, zDestDb); + p->iSrc = findDatabase(pDestDb, pSrcDb, zSrcDb); p->pDestDb = pDestDb; p->pSrcDb = pSrcDb; p->iNext = 1; p->isAttached = 0; - if( 0==p->pSrc || 0==p->pDest - || checkReadTransaction(pDestDb, p->pDest->pBt)!=SQLITE_OK + if( p->iSrc<0 || p->iDest<0 + || checkReadTransaction(pDestDb, getDestBtree(p))!=SQLITE_OK ){ /* One (or both) of the named databases did not exist or an OOM ** error was hit. Or there is a transaction open on the destination @@ -201,7 +214,7 @@ sqlite3_backup *sqlite3_backup_init( } } if( p ){ - p->pSrc->pBt->nBackup++; + getSourceBtree(p)->nBackup++; } sqlite3_mutex_leave(pDestDb->mutex); @@ -229,18 +242,19 @@ static int backupOnePage( const u8 *zSrcData, /* Source database page data */ int bUpdate /* True for an update, false otherwise */ ){ - Pager * const pDestPager = sqlite3BtreePager(p->pDest->pBt); - const int nSrcPgsz = sqlite3BtreeGetPageSize(p->pSrc->pBt); - int nDestPgsz = sqlite3BtreeGetPageSize(p->pDest->pBt); + Btree *pDestBt = getDestBtree(p); + Pager * const pDestPager = sqlite3BtreePager(pDestBt); + const int nSrcPgsz = sqlite3BtreeGetPageSize(getSourceBtree(p)); + int nDestPgsz = sqlite3BtreeGetPageSize(pDestBt); const int nCopy = MIN(nSrcPgsz, nDestPgsz); const i64 iEnd = (i64)iSrcPg*(i64)nSrcPgsz; int rc = SQLITE_OK; i64 iOff; - assert( sqlite3BtreeGetReserveNoMutex(p->pSrc->pBt)>=0 ); + assert( sqlite3BtreeGetReserveNoMutex(getSourceBtree(p))>=0 ); assert( p->bDestLocked ); assert( !isFatalError(p->rc) ); - assert( iSrcPg!=PENDING_BYTE_PAGE(p->pSrc->pBt->pBt) ); + assert( iSrcPg!=PENDING_BYTE_PAGE(getSourceBtree(p)->pBt) ); assert( zSrcData ); assert( nSrcPgsz==nDestPgsz || sqlite3PagerIsMemdb(pDestPager)==0 ); @@ -251,7 +265,7 @@ static int backupOnePage( for(iOff=iEnd-(i64)nSrcPgsz; rc==SQLITE_OK && iOffpDest->pBt->pBt) ) continue; + if( iDest==PENDING_BYTE_PAGE(pDestBt->pBt) ) continue; if( SQLITE_OK==(rc = sqlite3PagerGet(pDestPager, iDest, &pDestPg, 0)) && SQLITE_OK==(rc = sqlite3PagerWrite(pDestPg)) ){ @@ -269,7 +283,7 @@ static int backupOnePage( memcpy(zOut, zIn, nCopy); ((u8 *)sqlite3PagerGetExtra(pDestPg))[0] = 0; if( iOff==0 && bUpdate==0 ){ - sqlite3Put4byte(&zOut[28], sqlite3BtreeLastPage(p->pSrc->pBt)); + sqlite3Put4byte(&zOut[28], sqlite3BtreeLastPage(getSourceBtree(p))); } } sqlite3PagerUnref(pDestPg); @@ -301,8 +315,8 @@ static int backupTruncateFile(sqlite3_file *pFile, i64 iSize){ */ static void attachBackupObject(sqlite3_backup *p){ sqlite3_backup **pp; - assert( sqlite3BtreeHoldsMutex(p->pSrc->pBt) ); - pp = sqlite3PagerBackupPtr(sqlite3BtreePager(p->pSrc->pBt)); + assert( sqlite3BtreeHoldsMutex(getSourceBtree(p)) ); + pp = sqlite3PagerBackupPtr(sqlite3BtreePager(getSourceBtree(p))); p->pNext = *pp; *pp = p; p->isAttached = 1; @@ -322,10 +336,10 @@ int sqlite3_backup_step(sqlite3_backup *p, int nPage){ #ifdef SQLITE_ENABLE_API_ARMOR if( p==0 ) return SQLITE_MISUSE_BKPT; #endif - assert( p->pDest ); - assert( p->pSrc ); - pDest = p->pDest->pBt; - pSrc = p->pSrc->pBt; + assert( p->iDest>=0 ); + assert( p->iSrc>=0 ); + pDest = getDestBtree(p); + pSrc = getSourceBtree(p); sqlite3_mutex_enter(p->pSrcDb->mutex); sqlite3BtreeEnter(pSrc); if( p->pDestDb ){ @@ -578,22 +592,24 @@ int sqlite3_backup_finish(sqlite3_backup *p){ sqlite3_backup **pp; /* Ptr to head of pagers backup list */ sqlite3 *pSrcDb; /* Source database connection */ int rc; /* Value to return */ + Btree *pSrcBt = 0; /* Enter the mutexes */ if( p==0 ) return SQLITE_OK; + pSrcBt = getSourceBtree(p); pSrcDb = p->pSrcDb; sqlite3_mutex_enter(pSrcDb->mutex); - sqlite3BtreeEnter(p->pSrc->pBt); + sqlite3BtreeEnter(pSrcBt); if( p->pDestDb ){ sqlite3_mutex_enter(p->pDestDb->mutex); } /* Detach this backup from the source pager. */ if( p->pDestDb ){ - p->pSrc->pBt->nBackup--; + pSrcBt->nBackup--; } if( p->isAttached ){ - pp = sqlite3PagerBackupPtr(sqlite3BtreePager(p->pSrc->pBt)); + pp = sqlite3PagerBackupPtr(sqlite3BtreePager(pSrcBt)); assert( pp!=0 ); while( *pp!=p ){ pp = &(*pp)->pNext; @@ -603,7 +619,7 @@ int sqlite3_backup_finish(sqlite3_backup *p){ } /* If a transaction is still open on the Btree, roll it back. */ - sqlite3BtreeRollback(p->pDest->pBt, SQLITE_OK, 0); + sqlite3BtreeRollback(getDestBtree(p), SQLITE_OK, 0); /* Set the error code of the destination database handle. */ rc = (p->rc==SQLITE_DONE) ? SQLITE_OK : p->rc; @@ -613,7 +629,7 @@ int sqlite3_backup_finish(sqlite3_backup *p){ /* Exit the mutexes and free the backup context structure. */ sqlite3LeaveMutexAndCloseZombie(p->pDestDb); } - sqlite3BtreeLeave(p->pSrc->pBt); + sqlite3BtreeLeave(pSrcBt); if( p->pDestDb ){ /* EVIDENCE-OF: R-64852-21591 The sqlite3_backup object is created by a ** call to sqlite3_backup_init() and is destroyed by a call to @@ -671,7 +687,7 @@ static SQLITE_NOINLINE void backupUpdate( ){ assert( p!=0 ); do{ - assert( sqlite3_mutex_held(p->pSrc->pBt->pBt->mutex) ); + assert( sqlite3_mutex_held(getSourceBtree(p)->pBt->mutex) ); if( !isFatalError(p->rc) && iPageiNext ){ /* The backup process p has already copied page iPage. But now it ** has been modified by a transaction on the source pager. Copy @@ -707,7 +723,7 @@ void sqlite3BackupUpdate(sqlite3_backup *pBackup, Pgno iPage, const u8 *aData){ void sqlite3BackupRestart(sqlite3_backup *pBackup){ sqlite3_backup *p; /* Iterator variable */ for(p=pBackup; p; p=p->pNext){ - assert( sqlite3_mutex_held(p->pSrc->pBt->pBt->mutex) ); + assert( sqlite3_mutex_held(getSourceBtree(p)->pBt->mutex) ); p->iNext = 1; } } @@ -721,12 +737,12 @@ void sqlite3BackupRestart(sqlite3_backup *pBackup){ ** goes wrong, the transaction on pTo is rolled back. If successful, the ** transaction is committed before returning. */ -int sqlite3BtreeCopyFile(Btree *pTo, Btree *pFrom){ +int sqlite3BtreeCopyFile(sqlite3 *db, int iTo, int iFrom){ int rc; sqlite3_file *pFd; /* File descriptor for database pTo */ sqlite3_backup b; - Db dbDest; - Db dbSrc; + Btree *pFrom = db->aDb[iFrom].pBt; + Btree *pTo = db->aDb[iTo].pBt; sqlite3BtreeEnter(pTo); sqlite3BtreeEnter(pFrom); @@ -745,13 +761,9 @@ int sqlite3BtreeCopyFile(Btree *pTo, Btree *pFrom){ ** from this function, not directly by the user. */ memset(&b, 0, sizeof(b)); - memset(&dbDest, 0, sizeof(dbDest)); - memset(&dbSrc, 0, sizeof(dbSrc)); - dbDest.pBt = pTo; - dbSrc.pBt = pFrom; - b.pSrcDb = pFrom->db; - b.pSrc = &dbSrc; - b.pDest = &dbDest; + b.pSrcDb = db; + b.iSrc = iFrom; + b.iDest = iTo; b.iNext = 1; /* 0x7FFFFFFF is the hard limit for the number of pages in a database diff --git a/src/btree.h b/src/btree.h index 6b2ff6e3fb..ba9a540eb6 100644 --- a/src/btree.h +++ b/src/btree.h @@ -105,7 +105,7 @@ int sqlite3BtreeSavepoint(Btree *, int, int); const char *sqlite3BtreeGetFilename(Btree *); const char *sqlite3BtreeGetJournalname(Btree *); -int sqlite3BtreeCopyFile(Btree *, Btree *); +int sqlite3BtreeCopyFile(sqlite3*, int, int); int sqlite3BtreeIncrVacuum(Btree *); diff --git a/src/vacuum.c b/src/vacuum.c index 70e62e1ef1..94de364de7 100644 --- a/src/vacuum.c +++ b/src/vacuum.c @@ -376,7 +376,9 @@ SQLITE_NOINLINE int sqlite3RunVacuum( } if( pOut==0 ){ - rc = sqlite3BtreeCopyFile(pMain, pTemp); + assert( pMain==db->aDb[iDb].pBt ); + assert( pTemp==db->aDb[nDb].pBt ); + rc = sqlite3BtreeCopyFile(db, iDb, nDb); } if( rc!=SQLITE_OK ) goto end_of_vacuum; rc = sqlite3BtreeCommit(pTemp); diff --git a/test/backup5.test b/test/backup5.test index c789adfa69..e68a258c3d 100644 --- a/test/backup5.test +++ b/test/backup5.test @@ -62,4 +62,40 @@ do_test 1.7 { sqlite3_errmsg db2 } {no such table: t2} +#------------------------------------------------------------------------- +reset_db + +forcedelete test2.db + +do_execsql_test 2.0 { + CREATE TABLE t1(a, b); + CREATE TABLE t2(a, b); + INSERT INTO t2 VALUES(1, 1); + INSERT INTO t2 VALUES(2, 2); + INSERT INTO t2 VALUES(3, 3); + CREATE INDEX i1 ON t1(a); + CREATE INDEX i2 ON t2(a); + ATTACH 'test.db2' AS aux2; +} + +sqlite3 db2 test2.db + +do_test 2.1 { + sqlite3_backup B db2 main db main + B step 1 + + execsql { + ATTACH 'test.db3' AS aux3; + ATTACH 'test.db4' AS aux4; + ATTACH 'test.db5' AS aux5; + ATTACH 'test.db6' AS aux6; + ATTACH 'test.db7' AS aux7; + ATTACH 'test.db8' AS aux8; + } + + B step 200 + B finish +} {SQLITE_OK} + + finish_test