Crash Chrome 70 with the SQLite Magellan bug
source link: https://worthdoingbadly.com/sqlitebug/
Dec 14, 2018
This proof-of-concept crashes the Chrome renderer process using Tencent Blade Team's Magellan SQLite3 bug. It's based on a SQLite test case from the commit that fixed the bug.
This demo only works on Chrome 70 or below. Open this page in Chrome 70, then tap the button.
Source code for this page on GitHub.
Sign up for more information
I'm working on understanding how this issue affects browsers. To get notified when I update this page, please sign up to my mailing list:
What's supposed to happen?
After you press the button, the page should crash:
On Android 5.1, I get a segfault in memcpy:
F/libc ( 3801): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe0ddb457 in tid 3854 (Database thread)
I/DEBUG ( 142): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 142): Build fingerprint: 'google/nakasi/grouper:5.1/LMY47D/1743759:user/release-keys'
I/DEBUG ( 142): Revision: '0'
I/DEBUG ( 142): ABI: 'arm'
I/DEBUG ( 142): pid: 3801, tid: 3854, name: Database thread >>> com.android.chrome:sandboxed_process6 <<<
I/DEBUG ( 142): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe0ddb457
I/DEBUG ( 142): r0 e0ddb457 r1 611be0ab r2 00000002 r3 ff000000
I/DEBUG ( 142): r4 611be038 r5 00000002 r6 611be0a9 r7 7fffffff
I/DEBUG ( 142): r8 00000001 r9 611be0ab sl 80000001 fp 00000000
I/DEBUG ( 142): ip 00000066 sp 6defd3a0 lr 00000074 pc 4025eb62 cpsr 680f2430
I/DEBUG ( 142):
I/DEBUG ( 142): backtrace:
I/DEBUG ( 142): #00 pc 0000fb62 /system/lib/libc.so (__memcpy_base+217)
I/DEBUG ( 142): #01 pc 018d0e1d /data/app/com.android.chrome-1/base.apk
What's affected?
Affected (tested; crashes one tab or one window):
- Chrome 70.0.3538.110 on Android 5.1 and 9
- Electron 2.0.12 on macOS 10.14
Not affected:
- Chrome 71.0.3578.98 on Android 8.1 (already fixed)
- Safari (doesn't have FTS enabled in SQLite3)
- Browsers not based on Chrome (no WebSQL support)
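The list above gives a site owner a simple exposure question: how much of my traffic still comes from a Chrome build that exposes WebSQL with the unpatched SQLite? The script below is an added example (not code from the original post or from its GitHub repository) that classifies User-Agent strings from combined-format access logs against that list. Its assumptions, which are mine and not the post's: the fix is taken to have shipped with Chrome 71 (the post reports 70.0.3538.110 affected and 71.0.3578.98 fixed), so any Chrome or HeadlessChrome major version below 71 is flagged; Electron builds at or below 2.0.12, the one build the post tested, are flagged and newer Electron builds are reported as "unknown"; a UA with no Chrome token is treated as not affected (Safari has FTS disabled, other engines have no WebSQL). The log lines are constructed, not real traffic.

```javascript
// Added example, not from the original post: classify User-Agent strings from web
// server logs against the affected/unaffected list, so a site owner can estimate
// how many visitors could still be crashed through WebSQL.
// Assumptions (mine, not the post's): the fix shipped with Chrome 71, so any
// Chrome/HeadlessChrome major version below 71 is treated as affected; Electron
// builds at or below 2.0.12 (the one build the post tested) are treated as
// affected and newer Electron builds as "unknown".

const FIXED_CHROME_MAJOR = 71;
const LAST_TESTED_ELECTRON = [2, 0, 12];

// Extract "<product>/<a.b.c.d>" from a UA string as an array of integers.
function parseVersion(ua, product) {
  const m = new RegExp('\\b' + product + '/(\\d+(?:\\.\\d+)*)').exec(ua);
  return m ? m[1].split('.').map(Number) : null;
}

// Lexicographic compare of version arrays; missing components count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns one of: 'affected', 'fixed', 'not-affected', 'unknown'.
function classifyUserAgent(ua) {
  const electron = parseVersion(ua, 'Electron');
  if (electron) {
    return compareVersions(electron, LAST_TESTED_ELECTRON) <= 0 ? 'affected' : 'unknown';
  }
  const chrome = parseVersion(ua, 'Chrome') || parseVersion(ua, 'HeadlessChrome');
  if (!chrome) {
    // No Chrome token: Safari (FTS disabled) or a non-Chromium engine (no WebSQL).
    return 'not-affected';
  }
  // EdgeHTML-era Edge carried a Chrome/ token but was not Chromium; don't guess.
  if (/\bEdge\//.test(ua)) return 'unknown';
  return chrome[0] < FIXED_CHROME_MAJOR ? 'affected' : 'fixed';
}

// Tally classifications over access-log lines; the UA is taken as the last
// double-quoted field (Apache/nginx combined log format).
function summarizeAccessLog(lines) {
  const counts = { affected: 0, fixed: 0, 'not-affected': 0, unknown: 0 };
  for (const line of lines) {
    const fields = line.match(/"([^"]*)"/g);
    if (!fields) continue;
    const ua = fields[fields.length - 1].slice(1, -1);
    counts[classifyUserAgent(ua)] += 1;
  }
  return counts;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.1 - - [14/Dec/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 5.1; Nexus 7 Build/LMY47D) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Mobile Safari/537.36"',
  '10.0.0.2 - - [14/Dec/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 8.1.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"',
  '10.0.0.3 - - [14/Dec/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15"',
  '10.0.0.4 - - [14/Dec/2018:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0"',
  '10.0.0.5 - - [14/Dec/2018:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/537.36 (KHTML, like Gecko) example-app/1.0 Chrome/61.0.3163.100 Electron/2.0.12 Safari/537.36"',
  '10.0.0.6 - - [14/Dec/2018:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/87.0.4280.66 Safari/537.36"',
];

console.log(summarizeAccessLog(SAMPLE_LOG));
```

UA sniffing is a heuristic: a UA string can be spoofed, and a Chrome token does not by itself prove WebSQL is reachable, so treat the counts as an upper bound on exposure and pair them with the real mitigation, which is getting users onto the fixed browser build.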