From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Subject: [PATCH 5/5] packfile: detect overflow in .idx file size checks
Date: Fri, 13 Nov 2020 00:07:19 -0500 [thread overview]
Message-ID: <20201113050719.GE744691@coredump.intra.peff.net> (raw)
In-Reply-To: <20201113050631.GA744608@coredump.intra.peff.net>
In load_idx(), we check that the .idx file is sized appropriately for
the number of objects it claims to have. We recently fixed the case
where the number of objects caused our expected size to overflow a
32-bit unsigned int, and we switched to size_t.
On a 64-bit system, this is fine; our size_t covers any expected size.
On a 32-bit system, though, it won't. The file may claim to have 2^31
objects, which will overflow even a size_t.
This doesn't hurt us at all for a well-formed idx file. A 32-bit system
would already have failed to mmap such a file, since it would be too
big. But an .idx file which _claims_ to have 2^31 objects but is
actually much smaller would fool our check.
This is a broken file, and for the most part we don't care that much
what happens. But:
- it's a little friendlier to notice up front "woah, this file is
broken" than it is to get nonsense results
- later access of the data assumes that the loading function
sanity-checked that we have at least enough bytes for the regular
object-id table. A malformed .idx file could lead to an
out-of-bounds read.
So let's use our overflow-checking functions to make sure that we're not
fooled by a malformed file.
Signed-off-by: Jeff King <peff@peff.net>
---
packfile.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/packfile.c b/packfile.c
index 63fe9ee8be..9702b1218b 100644
--- a/packfile.c
+++ b/packfile.c
@@ -148,7 +148,7 @@ int load_idx(const char *path, const unsigned int hashsz, void *idx_map,
* - hash of the packfile
* - file checksum
*/
- if (idx_size != 4 * 256 + (size_t)nr * (hashsz + 4) + hashsz + hashsz)
+ if (idx_size != st_add(4 * 256 + hashsz + hashsz, st_mult(nr, hashsz + 4)))
return error("wrong index v1 file size in %s", path);
} else if (version == 2) {
/*
@@ -164,10 +164,10 @@ int load_idx(const char *path, const unsigned int hashsz, void *idx_map,
* variable sized table containing 8-byte entries
* for offsets larger than 2^31.
*/
- size_t min_size = 8 + 4*256 + (size_t)nr*(hashsz + 4 + 4) + hashsz + hashsz;
+ size_t min_size = st_add(8 + 4*256 + hashsz + hashsz, st_mult(nr, hashsz + 4 + 4));
size_t max_size = min_size;
if (nr)
- max_size += ((size_t)nr - 1)*8;
+ max_size = st_add(max_size, st_mult(nr - 1, 8));
if (idx_size < min_size || idx_size > max_size)
return error("wrong index v2 file size in %s", path);
if (idx_size != min_size &&
--
2.29.2.705.g306f91dc4e
next prev parent reply other threads:[~2020-11-13 5:07 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-13 5:06 [PATCH 0/5] handling 4GB .idx files Jeff King
2020-11-13 5:06 ` [PATCH 1/5] compute pack .idx byte offsets using size_t Jeff King
2020-11-13 5:07 ` [PATCH 2/5] use size_t to store pack .idx byte offsets Jeff King
2020-11-13 5:07 ` [PATCH 3/5] fsck: correctly compute checksums on idx files larger than 4GB Jeff King
2020-11-13 5:07 ` [PATCH 4/5] block-sha1: take a size_t length parameter Jeff King
2020-11-13 5:07 ` Jeff King [this message]
2020-11-13 11:02 ` [PATCH 5/5] packfile: detect overflow in .idx file size checks Johannes Schindelin
2020-11-15 14:43 ` [PATCH 0/5] handling 4GB .idx files Thomas Braun
2020-11-16 4:10 ` Jeff King
2020-11-16 13:30 ` Derrick Stolee
2020-11-16 23:49 ` Jeff King
2020-11-30 22:57 ` Thomas Braun
2020-12-01 11:23 ` Jeff King
2020-12-01 11:39 ` t7900's new expensive test Jeff King
2020-12-01 20:55 ` Derrick Stolee
2020-12-02 2:47 ` [PATCH] t7900: speed up " Jeff King
2020-12-03 15:23 ` Derrick Stolee
2020-12-01 18:27 ` [PATCH 0/5] handling 4GB .idx files Taylor Blau
2020-12-02 13:12 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201113050719.GE744691@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).