From: Jo Liss <joliss42@gmail.com>
To: git@vger.kernel.org
Subject: remote-curl: segfault parsing remote.<name>.fetch outside a repository
Date: Sat, 21 Mar 2026 19:11:18 +0000
Message-ID: <CAN=xy38zCRdOAnMtBXtRyUHE=+gtS8J6mwUWFQqxDAaBLAm7dA@mail.gmail.com>

Hi mailing list,

I ran into a bug and thought I'd report it! The following command
segfaults for me (where ~/src/git is my clone):

    env -C / \
        GIT_CONFIG_NOSYSTEM=1 \
        GIT_CONFIG_GLOBAL=/dev/null \
        GIT_CONFIG_COUNT=1 \
        GIT_CONFIG_KEY_0=remote.repro.fetch \
        GIT_CONFIG_VALUE_0='+refs/tags/*:refs/tags/*' \
        ~/src/git/git-remote-http repro

In other words, this is happening when the shared remote-curl code
(here, git-remote-http) is called outside of any repository, while
`remote.<name>.fetch` is set.

I can reproduce this on Ubuntu and macOS, with git master
(7ff1e8dc1e16) and git 2.51.0.

The way I actually ran into this was by running `git ls-remote -h
<url>` outside of a git repository, and my `remote.origin.fetch` is
globally set to `+refs/tags/*:refs/tags/*`.

Here's a backtrace:

    ~/src/git $ make clean && make DEVELOPER=1 CFLAGS='-g -O0 -Wall'
    ...
    ~/src/git $ env -C / \
        GIT_CONFIG_NOSYSTEM=1 \
        GIT_CONFIG_GLOBAL=/dev/null \
        GIT_CONFIG_COUNT=1 \
        GIT_CONFIG_KEY_0=remote.repro.fetch \
        GIT_CONFIG_VALUE_0='+refs/tags/*:refs/tags/*' \
        gdb -q -batch \
        -ex 'set debuginfod enabled off' \
        -ex 'set startup-with-shell off' \
        -ex run \
        -ex 'bt full' \
        --args ~/src/git/git-remote-http repro
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    parse_refspec (item=0xffffffffda88, refspec=0xaaaaaadf0650 "+refs/tags/*:refs/tags/*", fetch=1) at refspec.c:104
    104 else if (llen == the_hash_algo->hexsz && !get_oid_hex(item->src, &unused))
    #0 parse_refspec (item=0xffffffffda88, refspec=0xaaaaaadf0650 "+refs/tags/*:refs/tags/*", fetch=1) at refspec.c:104
        unused = {hash = " \nߪ\252\252\000\000\031\000\000\000\000\000\000\000 \332\377\377\377\377\000\000\300Iʪ\252\252\000", algo = 2866743840}
        llen = 11
        is_glob = 1
        lhs = 0xaaaaaadf0651 "refs/tags/*:refs/tags/*"
        rhs = 0xaaaaaadf065d "refs/tags/*"
        flags = 3
    #1 0x0000aaaaaaca49dc in refspec_item_init (item=0xffffffffda88, refspec=0xaaaaaadf0650 "+refs/tags/*:refs/tags/*", fetch=1) at refspec.c:161
        No locals.
    #2 0x0000aaaaaaca4a04 in refspec_item_init_fetch (item=0xffffffffda88, refspec=0xaaaaaadf0650 "+refs/tags/*:refs/tags/*") at refspec.c:166
        No locals.
    #3 0x0000aaaaaaca4c08 in refspec_append (rs=0xaaaaaadf0a90, refspec=0xaaaaaadf0650 "+refs/tags/*:refs/tags/*") at refspec.c:203
        item = {force = 1, pattern = 1, matching = 0, exact_sha1 = 0, negative = 0, src = 0xaaaaaadd49d0 "refs/tags/*", dst = 0xaaaaaadd4b90 "refs/tags/*", raw = 0xaaaaaadf0b20 "+refs/tags/*:refs/tags/*"}
        ret = 43690
    #4 0x0000aaaaaab64c00 in handle_config (key=0xaaaaaadd4810 "remote.repro.fetch", value=0xaaaaaadf06d0 "+refs/tags/*:refs/tags/*", ctx=0xffffffffdb80, cb=0xaaaaaadeeb70) at remote.c:528
        v = 0xaaaaaadf0650 "+refs/tags/*:refs/tags/*"
        name = 0xaaaaaadd4817 "repro.fetch"
        namelen = 5
        subkey = 0xaaaaaadd481d "fetch"
        remote = 0xaaaaaadf0a20
        branch = 0xaaaaaab98654 <cmp_strmap_entry>
        remote_state = 0xaaaaaadeeb70
        kvi = 0xaaaaaadd48f0
    #5 0x0000aaaaaaac12f0 in configset_iter (set=0xaaaaaadeeb20, fn=0xaaaaaab645e4 <handle_config>, data=0xaaaaaadeeb70) at config.c:1639
        i = 0
        value_index = 0
        values = 0xaaaaaadf0698
        entry = 0xaaaaaadf0680
        list = 0xaaaaaadeeb58
        ctx = {kvi = 0xaaaaaadd48f0}
    #6 0x0000aaaaaaac3134 in repo_config (repo=0xaaaaaadc9e70 <the_repo>, fn=0xaaaaaab645e4 <handle_config>, data=0xaaaaaadeeb70) at config.c:2300
        No locals.
    #7 0x0000aaaaaab6537c in read_config (repo=0xaaaaaadc9e70 <the_repo>, early=0) at remote.c:637
        flag = 0
    #8 0x0000aaaaaab65b3c in remote_get (name=0xffffffffe465 "repro") at remote.c:823
        No locals.
    #9 0x0000aaaaaaab2164 in cmd_main (argc=2, argv=0xffffffffde88) at remote-curl.c:1568
        buf = {alloc = 0, len = 0, buf = 0xaaaaaadca368 <strbuf_slopbuf> ""}
        nongit = 1
        ret = 1
    #10 0x0000aaaaaaabc688 in main (argc=2, argv=0xffffffffde88) at common-main.c:9
        result = 65535

It looks like the immediate crash is in `parse_refspec()`, where
`the_hash_algo->hexsz` is dereferenced while
`the_repository->hash_algo` is still NULL.

Best,
Jo
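
Added example, not part of the original message and not git's code: a reduced C model of the crash reported above, where a length check reads hexsz through a hash-algorithm pointer that is still NULL outside a repository, shown beside a guarded form. The struct layouts, the function names and the choice of SHA-1 as the fallback are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins, assumptions of this example (not git's definitions). */
struct hash_algo { const char *name; size_t hexsz; };
struct repository { const struct hash_algo *hash_algo; };

const struct hash_algo sha1_algo = { "sha1", 40 };
const struct hash_algo sha256_algo = { "sha256", 64 };

static int is_hex_run(const char *s, size_t len)
{
	for (size_t i = 0; i < len; i++)
		if (!isxdigit((unsigned char)s[i]))
			return 0;
	return 1;
}

/* Unguarded: dereferences repo->hash_algo unconditionally, so it faults
 * when no repository has set the algorithm (the state in the report). */
int src_is_exact_oid_unguarded(const struct repository *repo,
			       const char *src, size_t llen)
{
	return llen == repo->hash_algo->hexsz && is_hex_run(src, llen);
}

/* Guarded: with no algorithm set, fall back to a default before the
 * length comparison. SHA-1 as the default is an assumption made here. */
int src_is_exact_oid_guarded(const struct repository *repo,
			     const char *src, size_t llen)
{
	const struct hash_algo *algo =
		repo->hash_algo ? repo->hash_algo : &sha1_algo;
	return llen == algo->hexsz && is_hex_run(src, llen);
}

int main(void)
{
	struct repository outside = { NULL };        /* no repository found */
	struct repository inside = { &sha256_algo }; /* constructed sample */
	const char *glob = "refs/tags/*";            /* llen = 11, as in frame #0 */

	/* Only the guarded form is called; the unguarded one would fault. */
	printf("outside repo: %d\n", src_is_exact_oid_guarded(&outside, glob, 11));
	printf("sha256 repo:  %d\n", src_is_exact_oid_guarded(&inside, glob, 11));
	return 0;
}
```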