From: Taylor Blau <me@ttaylorr.com>
To: git@vger.kernel.org
Cc: Junio C Hamano <gitster@pobox.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Fabian Stelzer <fs@gigacodes.de>
Subject: [PATCH] fmt-merge-msg: prevent use-after-free with signed tags
Date: Mon, 10 Jan 2022 16:19:06 -0500 [thread overview]
Message-ID: <6e08b73d602853b3de71257117e85e32b96b5c19.1641849502.git.me@ttaylorr.com> (raw)
In-Reply-To: <YdxqshqXB/+ApOn2@nand.local>
When merging a signed tag, fmt_merge_msg_sigs() is responsible for
populating the body of the merge message with the names of the signed
tags, their signatures, and the validity of those signatures.
In 02769437e1 (ssh signing: use sigc struct to pass payload,
2021-12-09), check_signature() was taught to pass the object payload via
the sigc struct instead of passing the payload buffer separately.
In effect, 02769437e1 causes buf, and sigc.payload to point at the same
region in memory. This causes a problem for fmt_tag_signature(), which
wants to read from this location, since it is freed beforehand by
signature_check_clear() (which frees it via sigc's `payload` member).
That makes the subsequent use in fmt_tag_signature() a use-after-free.
As a result, merge messages did not contain the body of any signed tags.
Luckily, they tend not to contain garbage, either, since the result of
strstr()-ing the object buffer in fmt_tag_signature() is guarded:
const char *tag_body = strstr(buf, "\n\n");
if (tag_body) {
tag_body += 2;
strbuf_add(tagbuf, tag_body, buf + len - tag_body);
}
Unfortunately, the tests in t6200 did not catch this at the time because
they do not search for the body of signed tags in fmt-merge-msg's
output.
Resolve this by waiting to call signature_check_clear() until after its
contents can be safely discarded. Harden ourselves against any future
regressions in this area by making sure we can find signed tag messages
in the output of fmt-merge-msg, too.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
---
fmt-merge-msg.c | 2 +-
t/t6200-fmt-merge-msg.sh | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/fmt-merge-msg.c b/fmt-merge-msg.c
index e5c0aff2bf..baca57d5b6 100644
--- a/fmt-merge-msg.c
+++ b/fmt-merge-msg.c
@@ -541,7 +541,6 @@ static void fmt_merge_msg_sigs(struct strbuf *out)
else
strbuf_addstr(&sig, sigc.output);
}
- signature_check_clear(&sigc);
if (!tag_number++) {
fmt_tag_signature(&tagbuf, &sig, buf, len);
@@ -565,6 +564,7 @@ static void fmt_merge_msg_sigs(struct strbuf *out)
}
strbuf_release(&payload);
strbuf_release(&sig);
+ signature_check_clear(&sigc);
next:
free(origbuf);
}
diff --git a/t/t6200-fmt-merge-msg.sh b/t/t6200-fmt-merge-msg.sh
index 7544245f90..5a221f8ef1 100755
--- a/t/t6200-fmt-merge-msg.sh
+++ b/t/t6200-fmt-merge-msg.sh
@@ -126,6 +126,7 @@ test_expect_success GPG 'message for merging local tag signed by good key' '
git fetch . signed-good-tag &&
git fmt-merge-msg <.git/FETCH_HEAD >actual &&
grep "^Merge tag ${apos}signed-good-tag${apos}" actual &&
+ grep "^signed-tag-msg" actual &&
grep "^# gpg: Signature made" actual &&
grep "^# gpg: Good signature from" actual
'
@@ -135,6 +136,7 @@ test_expect_success GPG 'message for merging local tag signed by unknown key' '
git fetch . signed-good-tag &&
GNUPGHOME=. git fmt-merge-msg <.git/FETCH_HEAD >actual &&
grep "^Merge tag ${apos}signed-good-tag${apos}" actual &&
+ grep "^signed-tag-msg" actual &&
grep "^# gpg: Signature made" actual &&
grep -E "^# gpg: Can${apos}t check signature: (public key not found|No public key)" actual
'
@@ -145,6 +147,7 @@ test_expect_success GPGSSH 'message for merging local tag signed by good ssh key
git fetch . signed-good-ssh-tag &&
git fmt-merge-msg <.git/FETCH_HEAD >actual &&
grep "^Merge tag ${apos}signed-good-ssh-tag${apos}" actual &&
+ grep "^signed-ssh-tag-msg" actual &&
grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
! grep "${GPGSSH_BAD_SIGNATURE}" actual
'
@@ -155,6 +158,7 @@ test_expect_success GPGSSH 'message for merging local tag signed by unknown ssh
git fetch . signed-untrusted-ssh-tag &&
git fmt-merge-msg <.git/FETCH_HEAD >actual &&
grep "^Merge tag ${apos}signed-untrusted-ssh-tag${apos}" actual &&
+ grep "^signed-ssh-tag-msg-untrusted" actual &&
grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual &&
! grep "${GPGSSH_BAD_SIGNATURE}" actual &&
grep "${GPGSSH_KEY_NOT_TRUSTED}" actual
@@ -166,6 +170,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign
git fetch . expired-signed &&
git fmt-merge-msg <.git/FETCH_HEAD >actual &&
grep "^Merge tag ${apos}expired-signed${apos}" actual &&
+ grep "^expired-signed" actual &&
! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
'
@@ -175,6 +180,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign
git fetch . notyetvalid-signed &&
git fmt-merge-msg <.git/FETCH_HEAD >actual &&
grep "^Merge tag ${apos}notyetvalid-signed${apos}" actual &&
+ grep "^notyetvalid-signed" actual &&
! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
'
@@ -184,6 +190,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign
git fetch . timeboxedvalid-signed &&
git fmt-merge-msg <.git/FETCH_HEAD >actual &&
grep "^Merge tag ${apos}timeboxedvalid-signed${apos}" actual &&
+ grep "^timeboxedvalid-signed" actual &&
grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
! grep "${GPGSSH_BAD_SIGNATURE}" actual
'
@@ -194,6 +201,7 @@ test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag sign
git fetch . timeboxedinvalid-signed &&
git fmt-merge-msg <.git/FETCH_HEAD >actual &&
grep "^Merge tag ${apos}timeboxedinvalid-signed${apos}" actual &&
+ grep "^timeboxedinvalid-signed" actual &&
! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
'
--
2.34.1.455.gd6eb6fd089
next prev parent reply other threads:[~2022-01-10 21:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-10 16:42 git ssh signing changed broke tag merge message contents Linus Torvalds
2022-01-10 17:19 ` Taylor Blau
2022-01-10 17:22 ` Linus Torvalds
2022-01-10 17:31 ` Junio C Hamano
2022-01-10 21:19 ` Taylor Blau [this message]
2022-01-10 21:38 ` [PATCH] fmt-merge-msg: prevent use-after-free with signed tags Junio C Hamano
2022-01-11 8:41 ` Fabian Stelzer
2022-01-11 15:42 ` Taylor Blau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6e08b73d602853b3de71257117e85e32b96b5c19.1641849502.git.me@ttaylorr.com \
--to=me@ttaylorr.com \
--cc=fs@gigacodes.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).