From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Cc: "René Scharfe" <l.s.r@web.de>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Subject: Re: [RFC/PATCH 0/6] hash-object: use fsck to check objects
Date: Wed, 18 Jan 2023 20:39:55 -0500 [thread overview]
Message-ID: <Y8ifa7hyqxSbL92U@coredump.intra.peff.net> (raw)
In-Reply-To: <Y8hX+pIZUKXsyYj5@coredump.intra.peff.net>
On Wed, Jan 18, 2023 at 03:35:06PM -0500, Jeff King wrote:
> The other option is having the fsck code avoid looking past the size it
> was given. I think the intent is that this should work, from commits
> like 4d0d89755e (Make sure fsck_commit_buffer() does not run out of the
> buffer, 2014-09-11). We do use skip_prefix() and parse_oid_hex(), which
> won't respect the size, but I think[1] that's OK because we'll have
> parsed up to the end-of-header beforehand (and those functions would
> never match past there).
>
> Which would mean that 9a1a3a4d4c (mktag: allow omitting the header/body
> \n separator, 2021-01-05) and acf9de4c94 (mktag: use fsck instead of
> custom verify_tag(), 2021-01-05) were buggy, and we can just fix them.
>
> [1] But I said "I think" above because it can get pretty subtle. There's
> some more discussion in this thread:
>
> https://lore.kernel.org/git/20150625155128.C3E9738005C@gemini.denx.de/
>
> but I haven't yet convinced myself it's safe. This is exactly the
> kind of analysis I wish I had the power to nerd-snipe René into.
I poked at this a bit more, and it definitely isn't safe. I think the
use of skip_prefix(), etc, is OK, because they'd always stop at an
unexpected newline. But verify_headers() is only confirming that we have
a series of complete lines, and we might end with no "\n\n" (and hence
no commit/tag message). And so the obvious case that fools us is one
where the data simply ends at a newline, but we are missing one or more
headers. So a truncated commit like:
tree 1234567890123456789012345678901234567890
(with the newline at the end of the "tree" line, but nothing else) will
cause fsck_commit() to look past the "size" we pass it. With all of the
current callers, that means it sees a NUL and bails. So it's not
currently a bug, but it becomes one if we can feed it arbitrary buffers.
Fixing it isn't _too_ bad, and could look something like this:
diff --git a/fsck.c b/fsck.c
index c2c8facd2d..3f0bb3e350 100644
--- a/fsck.c
+++ b/fsck.c
@@ -834,6 +834,7 @@ static int fsck_commit(const struct object_id *oid,
unsigned author_count;
int err;
const char *buffer_begin = buffer;
+ const char *buffer_end = buffer + size;
const char *p;
if (verify_headers(buffer, size, oid, OBJ_COMMIT, options))
@@ -847,7 +848,7 @@ static int fsck_commit(const struct object_id *oid,
return err;
}
buffer = p + 1;
- while (skip_prefix(buffer, "parent ", &buffer)) {
+ while (buffer < buffer_end && skip_prefix(buffer, "parent ", &buffer)) {
if (parse_oid_hex(buffer, &parent_oid, &p) || *p != '\n') {
err = report(options, oid, OBJ_COMMIT, FSCK_MSG_BAD_PARENT_SHA1, "invalid 'parent' line format - bad sha1");
if (err)
@@ -856,7 +857,7 @@ static int fsck_commit(const struct object_id *oid,
buffer = p + 1;
}
author_count = 0;
- while (skip_prefix(buffer, "author ", &buffer)) {
+ while (buffer < buffer_end && skip_prefix(buffer, "author ", &buffer)) {
author_count++;
err = fsck_ident(&buffer, oid, OBJ_COMMIT, options);
if (err)
@@ -868,7 +869,7 @@ static int fsck_commit(const struct object_id *oid,
err = report(options, oid, OBJ_COMMIT, FSCK_MSG_MULTIPLE_AUTHORS, "invalid format - multiple 'author' lines");
if (err)
return err;
- if (!skip_prefix(buffer, "committer ", &buffer))
+ if (buffer >= buffer_end || !skip_prefix(buffer, "committer ", &buffer))
return report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_COMMITTER, "invalid format - expected 'committer' line");
err = fsck_ident(&buffer, oid, OBJ_COMMIT, options);
if (err)
And then the tag side would need something similar. I'd probably also
sprinkle some comments in verify_headers() and its callers documenting
our assumptions and what's OK to do (string-like parsing functions work
as long as they stop when they hit a newline). That, plus a few tests
covering the problematic cases to avoid regressions, would probably be
OK.
I think fsck_tree() is mostly fine, as the tree-iterating code detects
truncation. Though I do find the use of strlen() in decode_tree_entry()
a little suspicious (and that would be true of the current code, as
well, since it powers hash-object's existing parsing check).
-Peff
next prev parent reply other threads:[~2023-01-19 1:48 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-18 20:35 [RFC/PATCH 0/6] hash-object: use fsck to check objects Jeff King
2023-01-18 20:35 ` [PATCH 1/6] t1007: modernize malformed object tests Jeff King
2023-01-18 21:13 ` Taylor Blau
2023-01-18 20:35 ` [PATCH 2/6] t1006: stop using 0-padded timestamps Jeff King
2023-01-18 20:36 ` [PATCH 3/6] t7030: stop using invalid tag name Jeff King
2023-01-18 20:41 ` [PATCH 4/6] t: use hash-object --literally when created malformed objects Jeff King
2023-01-18 21:19 ` Taylor Blau
2023-01-19 2:06 ` Jeff King
2023-01-18 20:43 ` [PATCH 5/6] fsck: provide a function to fsck buffer without object struct Jeff King
2023-01-18 21:24 ` Taylor Blau
2023-01-19 2:07 ` Jeff King
2023-01-18 20:44 ` [PATCH 6/6] hash-object: use fsck for object checks Jeff King
2023-01-18 21:34 ` Taylor Blau
2023-01-19 2:31 ` Jeff King
2023-02-01 12:50 ` Jeff King
2023-02-01 13:08 ` Ævar Arnfjörð Bjarmason
2023-02-01 20:41 ` Junio C Hamano
2023-01-18 20:46 ` [RFC/PATCH 0/6] hash-object: use fsck to check objects Jeff King
2023-01-18 20:59 ` Junio C Hamano
2023-01-18 21:38 ` Taylor Blau
2023-01-19 2:03 ` Jeff King
2023-01-19 1:39 ` Jeff King [this message]
2023-01-19 23:13 ` [PATCH 7/6] fsck: do not assume NUL-termination of buffers Jeff King
2023-01-19 23:58 ` Junio C Hamano
2023-01-21 9:36 ` [RFC/PATCH 0/6] hash-object: use fsck to check objects René Scharfe
2023-01-22 7:48 ` Jeff King
2023-01-22 11:39 ` René Scharfe
2023-02-01 14:06 ` Ævar Arnfjörð Bjarmason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y8ifa7hyqxSbL92U@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=l.s.r@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).