* [PATCH] notes: avoid leaking duplicate entries
@ 2019-08-25 5:18 Mike Hommey
2019-08-25 7:10 ` Jeff King
2019-08-26 1:55 ` [PATCH] notes: avoid leaking duplicate entries Mike Hommey
0 siblings, 2 replies; 4+ messages in thread
From: Mike Hommey @ 2019-08-25 5:18 UTC (permalink / raw)
To: git; +Cc: gitster
When add_note is called multiple times with the same key/value pair, the
leaf_node it creates is leaked by notes_tree_insert.
---
notes.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/notes.c b/notes.c
index 75c028b300..ec35f5b551 100644
--- a/notes.c
+++ b/notes.c
@@ -269,8 +269,10 @@ static int note_tree_insert(struct notes_tree *t, struct int_node *tree,
case PTR_TYPE_NOTE:
if (oideq(&l->key_oid, &entry->key_oid)) {
/* skip concatenation if l == entry */
- if (oideq(&l->val_oid, &entry->val_oid))
+ if (oideq(&l->val_oid, &entry->val_oid)) {
+ free(entry);
return 0;
+ }
ret = combine_notes(&l->val_oid,
&entry->val_oid);
--
2.23.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] notes: avoid leaking duplicate entries
2019-08-25 5:18 [PATCH] notes: avoid leaking duplicate entries Mike Hommey
@ 2019-08-25 7:10 ` Jeff King
2019-08-25 7:19 ` [PATCH] notes: avoid potential use-after-free during insertion Jeff King
2019-08-26 1:55 ` [PATCH] notes: avoid leaking duplicate entries Mike Hommey
1 sibling, 1 reply; 4+ messages in thread
From: Jeff King @ 2019-08-25 7:10 UTC (permalink / raw)
To: Mike Hommey; +Cc: git, gitster
On Sun, Aug 25, 2019 at 02:18:18PM +0900, Mike Hommey wrote:
> When add_note is called multiple times with the same key/value pair, the
> leaf_node it creates is leaked by notes_tree_insert.
Makes sense.
> diff --git a/notes.c b/notes.c
> index 75c028b300..ec35f5b551 100644
> --- a/notes.c
> +++ b/notes.c
> @@ -269,8 +269,10 @@ static int note_tree_insert(struct notes_tree *t, struct int_node *tree,
> case PTR_TYPE_NOTE:
> if (oideq(&l->key_oid, &entry->key_oid)) {
> /* skip concatenation if l == entry */
> - if (oideq(&l->val_oid, &entry->val_oid))
> + if (oideq(&l->val_oid, &entry->val_oid)) {
> + free(entry);
> return 0;
> + }
"entry" is passed in by the caller. Does anybody try to insert, and then
after the insertion continue to access the entry?
The only case I could find is this one in load_subtree():
if (note_tree_insert(t, node, n, l, type,
combine_notes_concatenate))
die("Failed to load %s %s into notes tree "
"from %s",
type == PTR_TYPE_NOTE ? "note" : "subtree",
oid_to_hex(&l->key_oid), t->ref);
If we fail to insert, we'll try to access the key_oid of the entry we
passed in, which might have been freed. But your patch is OK, because it
only touches a code path where we always return success.
Curiously, I think the existing case a few lines below your patch is
wrong, though:
ret = combine_notes(&l->val_oid,
&entry->val_oid);
if (!ret && is_null_oid(&l->val_oid))
note_tree_remove(t, tree, n, entry);
free(entry);
return ret;
If combining the notes fails, we'll free the entry and return an error
code, and then load_subtree() will access the freed memory. I think we
could just object_oid instead.
-Peff
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] notes: avoid potential use-after-free during insertion
2019-08-25 7:10 ` Jeff King
@ 2019-08-25 7:19 ` Jeff King
0 siblings, 0 replies; 4+ messages in thread
From: Jeff King @ 2019-08-25 7:19 UTC (permalink / raw)
To: Mike Hommey; +Cc: git, gitster
On Sun, Aug 25, 2019 at 03:10:35AM -0400, Jeff King wrote:
> Curiously, I think the existing case a few lines below your patch is
> wrong, though:
>
> ret = combine_notes(&l->val_oid,
> &entry->val_oid);
> if (!ret && is_null_oid(&l->val_oid))
> note_tree_remove(t, tree, n, entry);
> free(entry);
> return ret;
>
> If combining the notes fails, we'll free the entry and return an error
> code, and then load_subtree() will access the freed memory. I think we
> could just object_oid instead.
Here's a patch. It's textually independent of yours, but I think it
makes sense to apply the two on a single branch.
No test, as I didn't bother to figure out what it takes to trigger the
error message, and the solution is (hopefully) an obvious improvement
even if it can't be triggered in practice.
-- >8 --
Subject: [PATCH] notes: avoid potential use-after-free during insertion
The note_tree_insert() function may free the leaf_node struct we pass in
(e.g., if it's a duplicate, or if it needs to be combined with an
existing note).
Most callers are happy with this, as they assume that ownership of the
struct is handed off. But in load_subtree(), if we see an error we'll
use the handed-off struct's key_oid to generate the die() message,
potentially accessing freed memory.
We can easily fix this by instead using the original oid that we copied
into the leaf_node struct.
Signed-off-by: Jeff King <peff@peff.net>
---
notes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/notes.c b/notes.c
index 75c028b300..3477e8e554 100644
--- a/notes.c
+++ b/notes.c
@@ -453,17 +453,17 @@ static void load_subtree(struct notes_tree *t, struct leaf_node *subtree,
l = xcalloc(1, sizeof(*l));
oidcpy(&l->key_oid, &object_oid);
oidcpy(&l->val_oid, &entry.oid);
if (note_tree_insert(t, node, n, l, type,
combine_notes_concatenate))
die("Failed to load %s %s into notes tree "
"from %s",
type == PTR_TYPE_NOTE ? "note" : "subtree",
- oid_to_hex(&l->key_oid), t->ref);
+ oid_to_hex(&object_oid), t->ref);
continue;
handle_non_note:
/*
* Determine full path for this non-note entry. The
* filename is already found in entry.path, but the
* directory part of the path must be deduced from the
--
2.23.0.478.g23872bed7d
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] notes: avoid leaking duplicate entries
2019-08-25 5:18 [PATCH] notes: avoid leaking duplicate entries Mike Hommey
2019-08-25 7:10 ` Jeff King
@ 2019-08-26 1:55 ` Mike Hommey
1 sibling, 0 replies; 4+ messages in thread
From: Mike Hommey @ 2019-08-26 1:55 UTC (permalink / raw)
To: git; +Cc: gitster
On Sun, Aug 25, 2019 at 02:18:18PM +0900, Mike Hommey wrote:
> When add_note is called multiple times with the same key/value pair, the
> leaf_node it creates is leaked by notes_tree_insert.
For completeness, since I realized it was missing:
Signed-off-by: Mike Hommey <mh@glandium.org>
Mike
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-08-26 1:56 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-25 5:18 [PATCH] notes: avoid leaking duplicate entries Mike Hommey
2019-08-25 7:10 ` Jeff King
2019-08-25 7:19 ` [PATCH] notes: avoid potential use-after-free during insertion Jeff King
2019-08-26 1:55 ` [PATCH] notes: avoid leaking duplicate entries Mike Hommey
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).