git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: Jinoh Kang <luke1337@theori.io>
To: Junio C Hamano <junio@pobox.com>, git@vger.kernel.org
Cc: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Subject: [PATCH v2] diff: handle NULL filespecs in run_external_diff
Date: Fri, 6 Nov 2020 17:02:19 +0000	[thread overview]
Message-ID: <a0513d6f-1f69-683d-d6c5-75b17b8b6890@theori.io> (raw)
In-Reply-To: <xmqq4km4lppy.fsf@gitster.c.googlers.com>

[forwarding from git-security@googlegroups.com to git@vger.kernel.org]

On 11/4/20 10:30 PM, Junio C Hamano wrote:
> Jinoh Kang <luke1337@theori.io> writes:
> 
>> `one` and `two` can be NULL when comparing an unmerged pair.
>> There is a conditional above that already tests for this.
>>
>> Fixes: 3aef54e8b8 ("diff: munmap() file contents before running external diff")
>> Signed-off-by: Jinoh Kang <luke1337@theori.io>
>> ---
>>  diff.c              |  6 ++++--
>>  t/t7800-difftool.sh | 23 +++++++++++++++++++++++
>>  2 files changed, 27 insertions(+), 2 deletions(-)
>>
>> diff --git a/diff.c b/diff.c
>> index d24f47df99..ae1ec2d6c8 100644
>> --- a/diff.c
>> +++ b/diff.c
>> @@ -4267,8 +4267,10 @@ static void run_external_diff(const char *pgm,
>>  	strvec_pushf(&env, "GIT_DIFF_PATH_COUNTER=%d", ++o->diff_path_counter);
>>  	strvec_pushf(&env, "GIT_DIFF_PATH_TOTAL=%d", q->nr);
>>  
>> -	diff_free_filespec_data(one);
>> -	diff_free_filespec_data(two);
>> +	if (one)
>> +		diff_free_filespec_data(one);
>> +	if (two)
>> +		diff_free_filespec_data(two);
>>  	if (run_command_v_opt_cd_env(argv.v, RUN_USING_SHELL, NULL, env.v))
>>  		die(_("external diff died, stopping at %s"), name);
> 
> Have you considered allowing diff_free_filespec_data() to take NULL
> and return safely without doing anything?

Yes, I have. In fact, this kind of behavior is exactly what I would
expect from a function that "frees" something.  However, I was not
entirely sure if this applies here, for several reasons that follow:

> That models after free() and other "we are done with the resource
> and it is time to clean it up" functions,

This corresponds to `free_filespec`. In this particular case,
I strongly agree that it makes perfect sense to do nothing when
passed a NULL pointer.

However, I humbly opine that the free() semantics do not apply to
`diff_free_filespec_data`; rather, I prefer to see it as a function
that simply transitions a diff_filespec from one state to another.

For this reason, I'd consider the act of passing NULL to
diff_free_filespec_data as a bug in the first place.  Further,
if it does not entail a security issue, why not just crash *right
now* rather than (possibly) causing more obscure bugs later?

I would put the blame on its name, since "data" feels too generic
and makes the function sound like freeing the filespec _itself_.
diff_filespec carries a lot of other things besides just `data`
and `cnt_data`.

Please feel free to correct me if I'm wrong; after all, I am not
exactly one of the long-time maintainers.

> fixes this particular bug, and possibly simplifies existing
> callers that check the NULL-ness before calling it.

I was unable to find any callsites that explicitly check for
NULL-ness _immediately_ before calling diff_free_filespec_data.
Excluding 3aef54e8b8, `GCC -fanalyze` suggests to me that
all the callers have already dereferenced the pointer by the time
the call is made; therefore, a NULL pointer dereference would have
already happened before the flow could even get to
the diff_free_filespec_data function.

The NULL checks are usually placed in the beginning of caller
functions rather than close to the exit path (which then calls
diff_free_filespec_data).

> 
>> diff --git a/t/t7800-difftool.sh b/t/t7800-difftool.sh
>> index 524f30f7dc..8cc1c9117c 100755
>> --- a/t/t7800-difftool.sh
>> +++ b/t/t7800-difftool.sh
>> @@ -728,6 +728,29 @@ test_expect_success 'add -N and difftool -d' '
>>  	git difftool --dir-diff --extcmd ls
>>  '
>>  
>> +test_expect_success 'difftool --cached with unmerged files' '
>> +	test_when_finished git reset --hard &&
>> +	echo base > file &&
> 
> Style.  "echo base >file &&" (no SP between redirect operator and
> its target).

My bad. Thanks!

> 
> I do not think this is "security" matter.  I do appreciate you
> erring on the side of being cautious and sending the patch first
> here, but please take it to the regular mailing list.

Yes, no sensible web-based git browser would prepare a working tree,
start a conflicting merge *AND* run an external diff on it...

> 
> Thanks.
> 

-- 
Jinoh Kang
Theori

       reply	other threads:[~2020-11-06 17:02 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <aeb24944-17af-cf53-93f4-e727f9fe9988@theori.io>
     [not found] ` <xmqq4km4lppy.fsf@gitster.c.googlers.com>
2020-11-06 17:02   ` Jinoh Kang [this message]
2020-11-06 17:14     ` [PATCH v3] diff: make diff_free_filespec_data accept NULL Jinoh Kang
2020-11-10 12:08       ` Johannes Schindelin
2020-11-10 13:16         ` Jinoh Kang
2020-11-10 14:21         ` Jinoh Kang
2020-11-10 17:02         ` Junio C Hamano
2020-11-10 14:06       ` [PATCH v4] " Jinoh Kang
2020-11-10 15:38         ` Johannes Schindelin
2020-11-11 12:30           ` Jinoh Kang
2020-11-11 16:28             ` Johannes Schindelin
2020-11-10 19:41         ` Junio C Hamano
2020-11-11 12:15         ` [PATCH v5] " Jinoh Kang
2020-11-11 16:27           ` Johannes Schindelin
2020-11-11 19:18             ` Junio C Hamano
2020-11-06 19:18     ` [PATCH v2] diff: handle NULL filespecs in run_external_diff Junio C Hamano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a0513d6f-1f69-683d-d6c5-75b17b8b6890@theori.io \
    --to=luke1337@theori.io \
    --cc=Johannes.Schindelin@gmx.de \
    --cc=git@vger.kernel.org \
    --cc=junio@pobox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).