From: Michael Haggerty <mhagger@alum.mit.edu>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: [PATCH] lockfile: fix buffer overflow in path handling
Date: Sun, 07 Jul 2013 12:25:41 +0200
Message-ID: <51D94225.1010803@alum.mit.edu>
In-Reply-To: <20130707041236.GB30898@sigill.intra.peff.net>
On 07/07/2013 06:12 AM, Jeff King wrote:
> On Sat, Jul 06, 2013 at 09:48:52PM +0200, Michael Haggerty wrote:
>
>> When and if resolve_symlink() is called, then that function is
>> correctly told to treat the buffer as (PATH_MAX - 5) characters long.
>> This part is correct. However:
>>
>> * If LOCK_NODEREF was specified, then resolve_symlink() is never
>> called.
>>
>> * If resolve_symlink() is called but the path is not a symlink, then
>> the length check is never applied.
>>
>> So it is possible for a path with length (PATH_MAX - 5 <= len <
>> PATH_MAX) to make it through the checks. When ".lock" is strcat()ted
>> to such a path, the lock_file::filename buffer is overflowed.
>
> Thanks for posting this. I independently discovered this about a month
> ago while working on an unrelated series, and then let it languish
> unseen and forgotten at the base of that almost-done series.
>
> So definitely a problem, and my patch looked almost identical to
> yours. The only difference is:
>
>> static int lock_file(struct lock_file *lk, const char *path, int flags)
>> {
>> - if (strlen(path) >= sizeof(lk->filename))
>> - return -1;
>> - strcpy(lk->filename, path);
>> /*
>> * subtract 5 from size to make sure there's room for adding
>> * ".lock" for the lock file name
>> */
>> + if (strlen(path) >= sizeof(lk->filename)-5)
>> + return -1;
>> + strcpy(lk->filename, path);
>> if (!(flags & LOCK_NODEREF))
>> resolve_symlink(lk->filename, sizeof(lk->filename)-5);
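Review bot: the new `return -1;` leaves errno untouched, so a caller that reports the failure via strerror(errno) will print whatever errno happened to hold; setting `errno = ENAMETOOLONG;` just before `return -1;` makes the too-long-path case distinguishable from other failures. The bound itself is right: a path of at most sizeof(lk->filename)-6 characters plus the 5-byte ".lock" and the NUL fills the buffer exactly, and resolve_symlink() is told the same sizeof(lk->filename)-5 limit, so both the LOCK_NODEREF and the non-symlink paths are now covered by the one check.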
>
> It might be worth consolidating the magic "-5" into a constant near the
> comment, like this:
>
> diff --git a/lockfile.c b/lockfile.c
> index c6fb77b..2aeb2bb 100644
> --- a/lockfile.c
> +++ b/lockfile.c
> @@ -124,15 +124,16 @@ static int lock_file(struct lock_file *lk, const char *path, int flags)
>
> static int lock_file(struct lock_file *lk, const char *path, int flags)
> {
> - if (strlen(path) >= sizeof(lk->filename))
> - return -1;
> - strcpy(lk->filename, path);
> /*
> * subtract 5 from size to make sure there's room for adding
> * ".lock" for the lock file name
> */
> + static const size_t max_path_len = sizeof(lk->filename) - 5;
> + if (strlen(path) >= max_path_len)
> + return -1;
> + strcpy(lk->filename, path);
> if (!(flags & LOCK_NODEREF))
> - resolve_symlink(lk->filename, sizeof(lk->filename)-5);
> + resolve_symlink(lk->filename, max_path_len);
> strcat(lk->filename, ".lock");
> lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666);
> if (0 <= lk->fd) {
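Review bot: `max_path_len` still hard-codes the suffix length as a bare 5 in the `+ static const size_t max_path_len = sizeof(lk->filename) - 5;` line, separately from the ".lock" literal handed to strcat() a few lines below; deriving it from the suffix (for instance `#define LOCK_SUFFIX ".lock"` and `sizeof(lk->filename) - (sizeof(LOCK_SUFFIX) - 1)`, with strcat() using LOCK_SUFFIX) keeps the two from drifting apart. The `static` qualifier is also unnecessary, since the initializer is a compile-time constant; a plain `const size_t` (or an enum constant) would do.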
>
> But either way, the fix looks good to me.
Yes, the constant is an improvement and Peff's version is also fine with me.
Michael
--
Michael Haggerty
mhagger@alum.mit.edu
http://softwareswirl.blogspot.com/
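The length window the quoted message describes, and the two checks it contrasts, as an added C example that is not part of the patch or of git's lockfile.c; FILENAME_SIZE is a constructed stand-in for sizeof(lk->filename), and LOCK_SUFFIX_LEN, old_check_accepts, new_check_accepts, build_lock_name and overflow_window are hypothetical names.

```c
/* Added example (not git's lockfile.c): the corrected length check from the
 * thread, with the ".lock" reservation derived from the suffix instead of a
 * bare 5, exercised at the boundary on a deliberately small buffer. */
#include <errno.h>
#include <string.h>

#define LOCK_SUFFIX ".lock"
#define LOCK_SUFFIX_LEN (sizeof(LOCK_SUFFIX) - 1)  /* 5 bytes, NUL excluded */
#define FILENAME_SIZE 16  /* hypothetical stand-in for sizeof(lk->filename) */

/* The original check: it only guarantees that `path` itself fits, so lengths
 * FILENAME_SIZE-5 .. FILENAME_SIZE-1 pass and the later strcat() overflows. */
static int old_check_accepts(size_t pathlen)
{
	return pathlen < FILENAME_SIZE;
}

/* The check after the patch: reserve room for the suffix up front. */
static int new_check_accepts(size_t pathlen)
{
	return pathlen < FILENAME_SIZE - LOCK_SUFFIX_LEN;
}

/* Build "<path>.lock" into buf[FILENAME_SIZE] using the fixed check.
 * Returns the resulting length, or -1 with errno = ENAMETOOLONG when
 * path + ".lock" + NUL would not fit. */
static int build_lock_name(char *buf, const char *path)
{
	size_t len = strlen(path);
	if (!new_check_accepts(len)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	memcpy(buf, path, len);
	memcpy(buf + len, LOCK_SUFFIX, LOCK_SUFFIX_LEN + 1);  /* copies the NUL too */
	return (int)(len + LOCK_SUFFIX_LEN);
}

/* Number of path lengths the old check admits that cannot hold
 * path + ".lock" + NUL: the window the quoted message describes. */
static size_t overflow_window(void)
{
	size_t n = 0, len;
	for (len = 0; len < FILENAME_SIZE; len++)
		if (old_check_accepts(len) && len + LOCK_SUFFIX_LEN + 1 > FILENAME_SIZE)
			n++;
	return n;
}
```

With a 16-byte buffer the old check admits five lengths (11 through 15) that overflow once ".lock" is appended, exactly the (PATH_MAX - 5 <= len < PATH_MAX) window from the message; the fixed check rejects them with ENAMETOOLONG.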
Thread overview: 4+ messages
2013-07-06 19:48 [PATCH] lockfile: fix buffer overflow in path handling Michael Haggerty
2013-07-07 4:12 ` Jeff King
2013-07-07 10:25 ` Michael Haggerty [this message]
2013-07-07 17:29 ` Junio C Hamano