[PATCH] notes: avoid leaking duplicate entries

[PATCH] notes: avoid leaking duplicate entries

[Mike Hommey]

When add_note is called multiple times with the same key/value pair, the
leaf_node it creates is leaked by notes_tree_insert.
---
 notes.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/notes.c b/notes.c
index 75c028b300..ec35f5b551 100644
--- a/notes.c
+++ b/notes.c
@@ -269,8 +269,10 @@ static int note_tree_insert(struct notes_tree *t, struct int_node *tree,
 		case PTR_TYPE_NOTE:
 			if (oideq(&l->key_oid, &entry->key_oid)) {
 				/* skip concatenation if l == entry */
-				if (oideq(&l->val_oid, &entry->val_oid))
+				if (oideq(&l->val_oid, &entry->val_oid)) {
+					free(entry);
 					return 0;
+				}
 
 				ret = combine_notes(&l->val_oid,
 						    &entry->val_oid);
-- 
2.23.0

Re: [PATCH] notes: avoid leaking duplicate entries

[Jeff King]

On Sun, Aug 25, 2019 at 02:18:18PM +0900, Mike Hommey wrote:

> When add_note is called multiple times with the same key/value pair, the
> leaf_node it creates is leaked by notes_tree_insert.

Makes sense.

> diff --git a/notes.c b/notes.c
> index 75c028b300..ec35f5b551 100644
> --- a/notes.c
> +++ b/notes.c
> @@ -269,8 +269,10 @@ static int note_tree_insert(struct notes_tree *t, struct int_node *tree,
>  		case PTR_TYPE_NOTE:
>  			if (oideq(&l->key_oid, &entry->key_oid)) {
>  				/* skip concatenation if l == entry */
> -				if (oideq(&l->val_oid, &entry->val_oid))
> +				if (oideq(&l->val_oid, &entry->val_oid)) {
> +					free(entry);
>  					return 0;
> +				}

"entry" is passed in by the caller. Does anybody try to insert, and then
after the insertion continue to access the entry?

The only case I could find is this one in load_subtree():

        if (note_tree_insert(t, node, n, l, type,
                             combine_notes_concatenate))
                die("Failed to load %s %s into notes tree "
                    "from %s",
                    type == PTR_TYPE_NOTE ? "note" : "subtree",
                    oid_to_hex(&l->key_oid), t->ref);

If we fail to insert, we'll try to access the key_oid of the entry we
passed in, which might have been freed. But your patch is OK, because it
only touches a code path where we always return success.

Curiously, I think the existing case a few lines below your patch is
wrong, though:

        ret = combine_notes(&l->val_oid,
                            &entry->val_oid);
        if (!ret && is_null_oid(&l->val_oid))
                note_tree_remove(t, tree, n, entry);
        free(entry);
        return ret;

If combining the notes fails, we'll free the entry and return an error
code, and then load_subtree() will access the freed memory. I think we
could just object_oid instead.

-Peff

[PATCH] notes: avoid potential use-after-free during insertion

[Jeff King]

On Sun, Aug 25, 2019 at 03:10:35AM -0400, Jeff King wrote:

> Curiously, I think the existing case a few lines below your patch is
> wrong, though:
> 
>         ret = combine_notes(&l->val_oid,
>                             &entry->val_oid);
>         if (!ret && is_null_oid(&l->val_oid))
>                 note_tree_remove(t, tree, n, entry);
>         free(entry);
>         return ret;
> 
> If combining the notes fails, we'll free the entry and return an error
> code, and then load_subtree() will access the freed memory. I think we
> could just object_oid instead.

Here's a patch. It's textually independent of yours, but I think it
makes sense to apply the two on a single branch.

No test, as I didn't bother to figure out what it takes to trigger the
error message, and the solution is (hopefully) an obvious improvement
even if it can't be triggered in practice.

-- >8 --
Subject: [PATCH] notes: avoid potential use-after-free during insertion

The note_tree_insert() function may free the leaf_node struct we pass in
(e.g., if it's a duplicate, or if it needs to be combined with an
existing note).

Most callers are happy with this, as they assume that ownership of the
struct is handed off. But in load_subtree(), if we see an error we'll
use the handed-off struct's key_oid to generate the die() message,
potentially accessing freed memory.

We can easily fix this by instead using the original oid that we copied
into the leaf_node struct.

Signed-off-by: Jeff King <peff@peff.net>
---
 notes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/notes.c b/notes.c
index 75c028b300..3477e8e554 100644
--- a/notes.c
+++ b/notes.c
@@ -453,17 +453,17 @@ static void load_subtree(struct notes_tree *t, struct leaf_node *subtree,
 		l = xcalloc(1, sizeof(*l));
 		oidcpy(&l->key_oid, &object_oid);
 		oidcpy(&l->val_oid, &entry.oid);
 		if (note_tree_insert(t, node, n, l, type,
 				     combine_notes_concatenate))
 			die("Failed to load %s %s into notes tree "
 			    "from %s",
 			    type == PTR_TYPE_NOTE ? "note" : "subtree",
-			    oid_to_hex(&l->key_oid), t->ref);
+			    oid_to_hex(&object_oid), t->ref);
 
 		continue;
 
 handle_non_note:
 		/*
 		 * Determine full path for this non-note entry. The
 		 * filename is already found in entry.path, but the
 		 * directory part of the path must be deduced from the
-- 
2.23.0.478.g23872bed7d

Re: [PATCH] notes: avoid leaking duplicate entries

[Mike Hommey]

On Sun, Aug 25, 2019 at 02:18:18PM +0900, Mike Hommey wrote:
> When add_note is called multiple times with the same key/value pair, the
> leaf_node it creates is leaked by notes_tree_insert.

For completeness, since I realized it was missing:
Signed-off-by: Mike Hommey <mh@glandium.org>

Mike