From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-3.9 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.6 Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by dcvr.yhbt.net (Postfix) with ESMTP id 3C4F71F47C for ; Sun, 22 Jan 2023 22:02:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230358AbjAVWCK (ORCPT ); Sun, 22 Jan 2023 17:02:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37092 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230148AbjAVWCJ (ORCPT ); Sun, 22 Jan 2023 17:02:09 -0500 Received: from cloud.peff.net (cloud.peff.net [104.130.231.41]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 829DF15C90 for ; Sun, 22 Jan 2023 14:02:08 -0800 (PST) Received: (qmail 7601 invoked by uid 109); 22 Jan 2023 22:02:08 -0000 Received: from Unknown (HELO peff.net) (10.0.1.2) by cloud.peff.net (qpsmtpd/0.94) with ESMTP; Sun, 22 Jan 2023 22:02:08 +0000 Authentication-Results: cloud.peff.net; auth=none Received: (qmail 922 invoked by uid 111); 22 Jan 2023 22:02:09 -0000 Received: from coredump.intra.peff.net (HELO sigill.intra.peff.net) (10.0.0.2) by peff.net (qpsmtpd/0.94) with (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS; Sun, 22 Jan 2023 17:02:09 -0500 Authentication-Results: peff.net; auth=none Date: Sun, 22 Jan 2023 17:02:06 -0500 From: Jeff King To: =?utf-8?B?UmVuw6k=?= Scharfe Cc: Git List , Junio C Hamano , =?utf-8?B?w4Z2YXIgQXJuZmrDtnLDsA==?= Bjarmason Subject: Re: [PATCH] tree-walk: disallow overflowing modes Message-ID: References: <044bdc8f-fdc9-dfd2-6cbb-941513467524@web.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <044bdc8f-fdc9-dfd2-6cbb-941513467524@web.de> Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org On Sun, Jan 22, 2023 at 11:03:38AM +0100, René Scharfe wrote: > Am 22.01.23 um 08:50 schrieb Jeff King: > > On Sat, Jan 21, 2023 at 10:36:09AM +0100, René Scharfe wrote: > > > >> When parsing tree entries, reject mode values that don't fit into an > >> unsigned int. > > > > Seems reasonable. I don't think you can cause any interesting mischief > > here, but it's cheap to check, and finding data problems earlier rather > > than later is always good. > > > > Should it be s/unsigned int/uint16_t/, though? > > "mode" is declared as unsigned int, and I was more concerned with > overflowing that. Doh, I just did "vim -t get_mode" and ended up in the near-identical version in fast-import.c, which uses uint16_t. Maybe it would want the same treatment. ;) > We could be more strict and reject everything that oversteps > S_IFMT|ALLPERMS, but the latter is not defined everywhere. But > permission bits are well-known, so the magic number 07777 should be > recognizable enough. Like this? It feels like this level of check should be happening in the fsck caller. In particular, it's nice for this parsing layer to err on the forgiving side, because the way you get out of these situations often involves something like "git ls-tree | git mktree". So in that sense, even pushing the overflow detection into the fsck would be nice, but of course it's hard to do, since we have no way to represent the overflowed value. I guess we could have a "be more careful" flag that the fsck code would pass, but I'm not sure it's worth the added complexity. -Peff