https://github.com/git/git
Revision 34ace8bad02bb14ecc5b631f7e3daaa7a9bba7d9 authored by Patrick Steinhardt on 01 December 2022, 14:45:27 UTC, committed by Junio C Hamano on 05 December 2022, 06:14:16 UTC
It is possible to trigger an integer overflow when parsing attribute
names when there are more than 2^31 of them for a single pattern. This
can either lead to us dying due to trying to request too many bytes:
blob=$(perl -e 'print "f" . " a=" x 2147483649' | git hash-object -w --stdin)
git update-index --add --cacheinfo 100644,$blob,.gitattributes
git attr-check --all file
=================================================================
==1022==ERROR: AddressSanitizer: requested allocation size 0xfffffff800000032 (0xfffffff800001038 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x7fd3efabf411 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x5563a0a1e3d3 in xcalloc wrapper.c:150
#2 0x5563a058d005 in parse_attr_line attr.c:384
#3 0x5563a058e661 in handle_attr_line attr.c:660
#4 0x5563a058eddb in read_attr_from_index attr.c:769
#5 0x5563a058ef12 in read_attr attr.c:797
#6 0x5563a058f24c in bootstrap_attr_stack attr.c:867
#7 0x5563a058f4a3 in prepare_attr_stack attr.c:902
#8 0x5563a05905da in collect_some_attrs attr.c:1097
#9 0x5563a059093d in git_all_attrs attr.c:1128
#10 0x5563a02f636e in check_attr builtin/check-attr.c:67
#11 0x5563a02f6c12 in cmd_check_attr builtin/check-attr.c:183
#12 0x5563a02aa993 in run_builtin git.c:466
#13 0x5563a02ab397 in handle_builtin git.c:721
#14 0x5563a02abb2b in run_argv git.c:788
#15 0x5563a02ac991 in cmd_main git.c:926
#16 0x5563a05432bd in main common-main.c:57
#17 0x7fd3ef82228f (/usr/lib/libc.so.6+0x2328f)
==1022==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77 in __interceptor_calloc
==1022==ABORTING
Or, much worse, it can lead to an out-of-bounds write because we
underallocate and then memcpy(3P) into an array:
perl -e '
print "A " . "\rh="x2000000000;
print "\rh="x2000000000;
print "\rh="x294967294 . "\n"
' >.gitattributes
git add .gitattributes
git commit -am "evil attributes"
$ git clone --quiet /path/to/repo
=================================================================
==15062==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002550 at pc 0x5555559884d5 bp 0x7fffffffbc60 sp 0x7fffffffbc58
WRITE of size 8 at 0x602000002550 thread T0
#0 0x5555559884d4 in parse_attr_line attr.c:393
#1 0x5555559884d4 in handle_attr_line attr.c:660
#2 0x555555988902 in read_attr_from_index attr.c:784
#3 0x555555988902 in read_attr_from_index attr.c:747
#4 0x555555988a1d in read_attr attr.c:800
#5 0x555555989b0c in bootstrap_attr_stack attr.c:882
#6 0x555555989b0c in prepare_attr_stack attr.c:917
#7 0x555555989b0c in collect_some_attrs attr.c:1112
#8 0x55555598b141 in git_check_attr attr.c:1126
#9 0x555555a13004 in convert_attrs convert.c:1311
#10 0x555555a95e04 in checkout_entry_ca entry.c:553
#11 0x555555d58bf6 in checkout_entry entry.h:42
#12 0x555555d58bf6 in check_updates unpack-trees.c:480
#13 0x555555d5eb55 in unpack_trees unpack-trees.c:2040
#14 0x555555785ab7 in checkout builtin/clone.c:724
#15 0x555555785ab7 in cmd_clone builtin/clone.c:1384
#16 0x55555572443c in run_builtin git.c:466
#17 0x55555572443c in handle_builtin git.c:721
#18 0x555555727872 in run_argv git.c:788
#19 0x555555727872 in cmd_main git.c:926
#20 0x555555721fa0 in main common-main.c:57
#21 0x7ffff73f1d09 in __libc_start_main ../csu/libc-start.c:308
#22 0x555555723f39 in _start (git+0x1cff39)
0x602000002552 is located 0 bytes to the right of 2-byte region [0x602000002550,0x602000002552) allocated by thread T0 here:
#0 0x7ffff768c037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x555555d7fff7 in xcalloc wrapper.c:150
#2 0x55555598815f in parse_attr_line attr.c:384
#3 0x55555598815f in handle_attr_line attr.c:660
#4 0x555555988902 in read_attr_from_index attr.c:784
#5 0x555555988902 in read_attr_from_index attr.c:747
#6 0x555555988a1d in read_attr attr.c:800
#7 0x555555989b0c in bootstrap_attr_stack attr.c:882
#8 0x555555989b0c in prepare_attr_stack attr.c:917
#9 0x555555989b0c in collect_some_attrs attr.c:1112
#10 0x55555598b141 in git_check_attr attr.c:1126
#11 0x555555a13004 in convert_attrs convert.c:1311
#12 0x555555a95e04 in checkout_entry_ca entry.c:553
#13 0x555555d58bf6 in checkout_entry entry.h:42
#14 0x555555d58bf6 in check_updates unpack-trees.c:480
#15 0x555555d5eb55 in unpack_trees unpack-trees.c:2040
#16 0x555555785ab7 in checkout builtin/clone.c:724
#17 0x555555785ab7 in cmd_clone builtin/clone.c:1384
#18 0x55555572443c in run_builtin git.c:466
#19 0x55555572443c in handle_builtin git.c:721
#20 0x555555727872 in run_argv git.c:788
#21 0x555555727872 in cmd_main git.c:926
#22 0x555555721fa0 in main common-main.c:57
#23 0x7ffff73f1d09 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow attr.c:393 in parse_attr_line
Shadow bytes around the buggy address:
0x0c047fff8450: fa fa 00 02 fa fa 00 07 fa fa fd fd fa fa 00 00
0x0c047fff8460: fa fa 02 fa fa fa fd fd fa fa 00 06 fa fa 05 fa
0x0c047fff8470: fa fa fd fd fa fa 00 02 fa fa 06 fa fa fa 05 fa
0x0c047fff8480: fa fa 07 fa fa fa fd fd fa fa 00 01 fa fa 00 02
0x0c047fff8490: fa fa 00 03 fa fa 00 fa fa fa 00 01 fa fa 00 03
=>0x0c047fff84a0: fa fa 00 01 fa fa 00 02 fa fa[02]fa fa fa fa fa
0x0c047fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==15062==ABORTING
Fix this bug by using `size_t` instead to count the number of attributes
so that this value cannot reasonably overflow without running out of
memory before already.
Reported-by: Markus Vervier <markus.vervier@x41-dsec.de>
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
1 parent 2455720
Tip revision: 34ace8bad02bb14ecc5b631f7e3daaa7a9bba7d9 authored by Patrick Steinhardt on 01 December 2022, 14:45:27 UTC
attr: fix out-of-bounds write when parsing huge number of attributes
attr: fix out-of-bounds write when parsing huge number of attributes
Tip revision: 34ace8b
string-list.h
#ifndef STRING_LIST_H
#define STRING_LIST_H
/**
* The string_list API offers a data structure and functions to handle
* sorted and unsorted arrays of strings. A "sorted" list is one whose
* entries are sorted by string value in the order specified by the `cmp`
* member (`strcmp()` by default).
*
* The caller:
*
* . Allocates and clears a `struct string_list` variable.
*
* . Initializes the members. You might want to set the flag `strdup_strings`
* if the strings should be strdup()ed. For example, this is necessary
* when you add something like git_path("..."), since that function returns
* a static buffer that will change with the next call to git_path().
*
* If you need something advanced, you can manually malloc() the `items`
* member (you need this if you add things later) and you should set the
* `nr` and `alloc` members in that case, too.
*
* . Adds new items to the list, using `string_list_append`,
* `string_list_append_nodup`, `string_list_insert`,
* `string_list_split`, and/or `string_list_split_in_place`.
*
* . Can check if a string is in the list using `string_list_has_string` or
* `unsorted_string_list_has_string` and get it from the list using
* `string_list_lookup` for sorted lists.
*
* . Can sort an unsorted list using `string_list_sort`.
*
* . Can remove duplicate items from a sorted list using
* `string_list_remove_duplicates`.
*
* . Can remove individual items of an unsorted list using
* `unsorted_string_list_delete_item`.
*
* . Can remove items not matching a criterion from a sorted or unsorted
* list using `filter_string_list`, or remove empty strings using
* `string_list_remove_empty_items`.
*
* . Finally it should free the list using `string_list_clear`.
*
* Example:
*
* struct string_list list = STRING_LIST_INIT_NODUP;
* int i;
*
* string_list_append(&list, "foo");
* string_list_append(&list, "bar");
* for (i = 0; i < list.nr; i++)
* printf("%s\n", list.items[i].string)
*
* NOTE: It is more efficient to build an unsorted list and sort it
* afterwards, instead of building a sorted list (`O(n log n)` instead of
* `O(n^2)`).
*
* However, if you use the list to check if a certain string was added
* already, you should not do that (using unsorted_string_list_has_string()),
* because the complexity would be quadratic again (but with a worse factor).
*/
/**
* Represents an item of the list. The `string` member is a pointer to the
* string, and you may use the `util` member for any purpose, if you want.
*/
struct string_list_item {
char *string;
void *util;
};
typedef int (*compare_strings_fn)(const char *, const char *);
/**
* Represents the list itself.
*
* . The array of items are available via the `items` member.
* . The `nr` member contains the number of items stored in the list.
* . The `alloc` member is used to avoid reallocating at every insertion.
* You should not tamper with it.
* . Setting the `strdup_strings` member to 1 will strdup() the strings
* before adding them, see above.
* . The `compare_strings_fn` member is used to specify a custom compare
* function, otherwise `strcmp()` is used as the default function.
*/
struct string_list {
struct string_list_item *items;
unsigned int nr, alloc;
unsigned int strdup_strings:1;
compare_strings_fn cmp; /* NULL uses strcmp() */
};
#define STRING_LIST_INIT_NODUP { NULL, 0, 0, 0, NULL }
#define STRING_LIST_INIT_DUP { NULL, 0, 0, 1, NULL }
/* General functions which work with both sorted and unsorted lists. */
/**
* Initialize the members of the string_list, set `strdup_strings`
* member according to the value of the second parameter.
*/
void string_list_init(struct string_list *list, int strdup_strings);
/** Callback function type for for_each_string_list */
typedef int (*string_list_each_func_t)(struct string_list_item *, void *);
/**
* Apply `want` to each item in `list`, retaining only the ones for which
* the function returns true. If `free_util` is true, call free() on
* the util members of any items that have to be deleted. Preserve
* the order of the items that are retained.
*/
void filter_string_list(struct string_list *list, int free_util,
string_list_each_func_t want, void *cb_data);
/**
* Free a string_list. The `string` pointer of the items will be freed
* in case the `strdup_strings` member of the string_list is set. The
* second parameter controls if the `util` pointer of the items should
* be freed or not.
*/
void string_list_clear(struct string_list *list, int free_util);
/**
* Callback type for `string_list_clear_func`. The string associated
* with the util pointer is passed as the second argument
*/
typedef void (*string_list_clear_func_t)(void *p, const char *str);
/** Call a custom clear function on each util pointer */
void string_list_clear_func(struct string_list *list, string_list_clear_func_t clearfunc);
/**
* Apply `func` to each item. If `func` returns nonzero, the
* iteration aborts and the return value is propagated.
*/
int for_each_string_list(struct string_list *list,
string_list_each_func_t func, void *cb_data);
/** Iterate over each item, as a macro. */
#define for_each_string_list_item(item,list) \
for (item = (list)->items; \
item && item < (list)->items + (list)->nr; \
++item)
/**
* Remove any empty strings from the list. If free_util is true, call
* free() on the util members of any items that have to be deleted.
* Preserve the order of the items that are retained.
*/
void string_list_remove_empty_items(struct string_list *list, int free_util);
/* Use these functions only on sorted lists: */
/** Determine if the string_list has a given string or not. */
int string_list_has_string(const struct string_list *list, const char *string);
int string_list_find_insert_index(const struct string_list *list, const char *string,
int negative_existing_index);
/**
* Insert a new element to the string_list. The returned pointer can
* be handy if you want to write something to the `util` pointer of
* the string_list_item containing the just added string. If the given
* string already exists the insertion will be skipped and the pointer
* to the existing item returned.
*
* Since this function uses xrealloc() (which die()s if it fails) if the
* list needs to grow, it is safe not to check the pointer. I.e. you may
* write `string_list_insert(...)->util = ...;`.
*/
struct string_list_item *string_list_insert(struct string_list *list, const char *string);
/**
* Remove the given string from the sorted list. If the string
* doesn't exist, the list is not altered.
*/
void string_list_remove(struct string_list *list, const char *string,
int free_util);
/**
* Check if the given string is part of a sorted list. If it is part of the list,
* return the corresponding string_list_item, NULL otherwise.
*/
struct string_list_item *string_list_lookup(struct string_list *list, const char *string);
/*
* Remove all but the first of consecutive entries with the same
* string value. If free_util is true, call free() on the util
* members of any items that have to be deleted.
*/
void string_list_remove_duplicates(struct string_list *sorted_list, int free_util);
/* Use these functions only on unsorted lists: */
/**
* Add string to the end of list. If list->strdup_string is set, then
* string is copied; otherwise the new string_list_entry refers to the
* input string.
*/
struct string_list_item *string_list_append(struct string_list *list, const char *string);
/**
* Like string_list_append(), except string is never copied. When
* list->strdup_strings is set, this function can be used to hand
* ownership of a malloc()ed string to list without making an extra
* copy.
*/
struct string_list_item *string_list_append_nodup(struct string_list *list, char *string);
/**
* Sort the list's entries by string value in order specified by list->cmp
* (strcmp() if list->cmp is NULL).
*/
void string_list_sort(struct string_list *list);
/**
* Like `string_list_has_string()` but for unsorted lists. Linear in
* size of the list.
*/
int unsorted_string_list_has_string(struct string_list *list, const char *string);
/**
* Like `string_list_lookup()` but for unsorted lists. Linear in size
* of the list.
*/
struct string_list_item *unsorted_string_list_lookup(struct string_list *list,
const char *string);
/**
* Remove an item from a string_list. The `string` pointer of the
* items will be freed in case the `strdup_strings` member of the
* string_list is set. The third parameter controls if the `util`
* pointer of the items should be freed or not.
*/
void unsorted_string_list_delete_item(struct string_list *list, int i, int free_util);
/**
* Split string into substrings on character `delim` and append the
* substrings to `list`. The input string is not modified.
* list->strdup_strings must be set, as new memory needs to be
* allocated to hold the substrings. If maxsplit is non-negative,
* then split at most maxsplit times. Return the number of substrings
* appended to list.
*
* Examples:
* string_list_split(l, "foo:bar:baz", ':', -1) -> ["foo", "bar", "baz"]
* string_list_split(l, "foo:bar:baz", ':', 0) -> ["foo:bar:baz"]
* string_list_split(l, "foo:bar:baz", ':', 1) -> ["foo", "bar:baz"]
* string_list_split(l, "foo:bar:", ':', -1) -> ["foo", "bar", ""]
* string_list_split(l, "", ':', -1) -> [""]
* string_list_split(l, ":", ':', -1) -> ["", ""]
*/
int string_list_split(struct string_list *list, const char *string,
int delim, int maxsplit);
/*
* Like string_list_split(), except that string is split in-place: the
* delimiter characters in string are overwritten with NULs, and the
* new string_list_items point into string (which therefore must not
* be modified or freed while the string_list is in use).
* list->strdup_strings must *not* be set.
*/
int string_list_split_in_place(struct string_list *list, char *string,
int delim, int maxsplit);
#endif /* STRING_LIST_H */
Computing file changes ...
