From: Jeff King <peff@peff.net> To: git@vger.kernel.org Subject: [PATCH 0/6] harden tree-walking against integer overflow Date: Wed, 31 Jul 2019 00:37:00 -0400 [thread overview] Message-ID: <20190731043659.GA27028@sigill.intra.peff.net> (raw) I noticed that it's possible to get funny integer over/underflows with tree-walk's traverse_info (with specially-crafted absurdly-sized tree paths). I wasn't able to turn this into an actual buffer overflow because the funky sizes cause allocation failures way before we ever get into make_traverse_path(). But it makes sense to protect ourselves anyway. The first two patches are an unrelated memory problem I found (and they're here in the same series because I build on the cleanups). I don't think it's security-relevant, though; it involves reading from uninitialized heap memory, but we don't actually _do_ anything with the result. We just copy uninitialized bytes from one heap buffer to the other, and then never look at them again. [1/6]: setup_traverse_info(): stop copying oid [2/6]: tree-walk: drop oid from traverse_info [3/6]: tree-walk: use size_t consistently [4/6]: tree-walk: accept a raw length for traverse_path_len() [5/6]: tree-walk: add a strbuf wrapper for make_traverse_path() [6/6]: tree-walk: harden make_traverse_path() length computations Documentation/technical/api-tree-walking.txt | 8 ++- builtin/merge-tree.c | 5 +- cache-tree.c | 2 +- tree-walk.c | 64 +++++++++++------ tree-walk.h | 18 +++-- unpack-trees.c | 74 +++++++++++--------- 6 files changed, 103 insertions(+), 68 deletions(-) -Peff
next reply other threads:[~2019-07-31 4:37 UTC|newest] Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-07-31 4:37 Jeff King [this message] 2019-07-31 4:38 ` [PATCH 1/6] setup_traverse_info(): stop copying oid Jeff King 2019-07-31 4:38 ` [PATCH 2/6] tree-walk: drop oid from traverse_info Jeff King 2019-07-31 4:38 ` [PATCH 3/6] tree-walk: use size_t consistently Jeff King 2019-08-01 18:17 ` Derrick Stolee 2019-07-31 4:38 ` [PATCH 4/6] tree-walk: accept a raw length for traverse_path_len() Jeff King 2019-07-31 4:38 ` [PATCH 5/6] tree-walk: add a strbuf wrapper for make_traverse_path() Jeff King 2019-07-31 4:38 ` [PATCH 6/6] tree-walk: harden make_traverse_path() length computations Jeff King
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style List information: http://vger.kernel.org/majordomo-info.html * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190731043659.GA27028@sigill.intra.peff.net \ --to=peff@peff.net \ --cc=git@vger.kernel.org \ --subject='Re: [PATCH 0/6] harden tree-walking against integer overflow' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Code repositories for project(s) associated with this inbox: https://80x24.org/mirrors/git.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).