* [PATCH] pickaxe: fix segfault with '-S<...> --pickaxe-regex'
@ 2017-03-18 15:12 SZEDER Gábor
2017-03-18 17:45 ` SZEDER Gábor
2017-03-18 18:58 ` [PATCH] " Junio C Hamano
0 siblings, 2 replies; 6+ messages in thread
From: SZEDER Gábor @ 2017-03-18 15:12 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Johannes Schindelin, git, SZEDER Gábor
'git {log,diff,...} -S<...> --pickaxe-regex' can segfault as a result
of out-of-bounds memory reads.
diffcore-pickaxe.c:contains() looks for all matches of the given regex
in a buffer in a loop, advancing the buffer pointer to the end of the
last match in each iteration. When we switched to REG_STARTEND in
b7d36ffca (regex: use regexec_buf(), 2016-09-21), we started passing
the size of that buffer to the regexp engine, too. Unfortunately,
this buffer size is never updated on subsequent iterations, and as the
buffer pointer advances on each iteration, this "bufptr+bufsize"
points past the end of the buffer. This results in segmentation
fault, if that memory can't be accessed. In case of 'git log' it can
also result in erroneously listed commits, if the memory past the end
of buffer is accessible and happens to contain data matching the
regex.
Make sure that the buffer size is reduced on each iteration as the
buffer pointer is advanced, thus maintaining the correct end of buffer
location.
The new test is flaky, I've never seen it fail on my Linux box, but
this is expected according to db5dfa331 (regex: -G<pattern> feeds a
non NUL-terminated string to regexec() and fails, 2016-09-21). And
based on that commit message I would expect the new test without the
fix to fail reliably on Windows.
Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
---
diffcore-pickaxe.c | 5 ++++-
t/t4062-diff-pickaxe.sh | 5 +++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/diffcore-pickaxe.c b/diffcore-pickaxe.c
index 9795ca1c1..03f84b714 100644
--- a/diffcore-pickaxe.c
+++ b/diffcore-pickaxe.c
@@ -85,8 +85,11 @@ static unsigned int contains(mmfile_t *mf, regex_t *regexp, kwset_t kws)
!regexec_buf(regexp, data, sz, 1, ®match, flags)) {
flags |= REG_NOTBOL;
data += regmatch.rm_eo;
- if (*data && regmatch.rm_so == regmatch.rm_eo)
+ sz -= regmatch.rm_eo;
+ if (*data && regmatch.rm_so == regmatch.rm_eo) {
data++;
+ sz--;
+ }
cnt++;
}
diff --git a/t/t4062-diff-pickaxe.sh b/t/t4062-diff-pickaxe.sh
index f0bf50bda..7c4903f49 100755
--- a/t/t4062-diff-pickaxe.sh
+++ b/t/t4062-diff-pickaxe.sh
@@ -19,4 +19,9 @@ test_expect_success '-G matches' '
test 4096-zeroes.txt = "$(cat out)"
'
+test_expect_success '-S --pickaxe-regex' '
+ git diff --name-only -S0 --pickaxe-regex HEAD^ >out &&
+ verbose test 4096-zeroes.txt = "$(cat out)"
+'
+
test_done
--
2.12.0.377.g15f6ffe90
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] pickaxe: fix segfault with '-S<...> --pickaxe-regex'
2017-03-18 15:12 [PATCH] pickaxe: fix segfault with '-S<...> --pickaxe-regex' SZEDER Gábor
@ 2017-03-18 17:45 ` SZEDER Gábor
2017-03-18 18:24 ` [PATCHv2] " SZEDER Gábor
2017-03-18 18:58 ` [PATCH] " Junio C Hamano
1 sibling, 1 reply; 6+ messages in thread
From: SZEDER Gábor @ 2017-03-18 17:45 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Johannes Schindelin, Git mailing list, SZEDER Gábor
On Sat, Mar 18, 2017 at 4:12 PM, SZEDER Gábor <szeder.dev@gmail.com> wrote:
> Make sure that the buffer size is reduced on each iteration as the
> buffer pointer is advanced, thus maintaining the correct end of buffer
> location.
>
> The new test is flaky, I've never seen it fail on my Linux box, but
> this is expected according to db5dfa331 (regex: -G<pattern> feeds a
> non NUL-terminated string to regexec() and fails, 2016-09-21). And
> based on that commit message I would expect the new test without the
> fix to fail reliably on Windows.
>
> Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
> ---
>
> diffcore-pickaxe.c | 5 ++++-
> t/t4062-diff-pickaxe.sh | 5 +++++
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/diffcore-pickaxe.c b/diffcore-pickaxe.c
> index 9795ca1c1..03f84b714 100644
> --- a/diffcore-pickaxe.c
> +++ b/diffcore-pickaxe.c
> @@ -85,8 +85,11 @@ static unsigned int contains(mmfile_t *mf, regex_t *regexp, kwset_t kws)
> !regexec_buf(regexp, data, sz, 1, ®match, flags)) {
> flags |= REG_NOTBOL;
> data += regmatch.rm_eo;
> - if (*data && regmatch.rm_so == regmatch.rm_eo)
> + sz -= regmatch.rm_eo;
> + if (*data && regmatch.rm_so == regmatch.rm_eo) {
> data++;
> + sz--;
> + }
> cnt++;
> }
>
> diff --git a/t/t4062-diff-pickaxe.sh b/t/t4062-diff-pickaxe.sh
> index f0bf50bda..7c4903f49 100755
> --- a/t/t4062-diff-pickaxe.sh
> +++ b/t/t4062-diff-pickaxe.sh
> @@ -19,4 +19,9 @@ test_expect_success '-G matches' '
> test 4096-zeroes.txt = "$(cat out)"
> '
>
> +test_expect_success '-S --pickaxe-regex' '
> + git diff --name-only -S0 --pickaxe-regex HEAD^ >out &&
> + verbose test 4096-zeroes.txt = "$(cat out)"
> +'
> +
> test_done
Hang on, this new test does fail because of a segfault _with_ the fix
on Travis 64bit Linux and OSX builds.
Oh, well.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCHv2] pickaxe: fix segfault with '-S<...> --pickaxe-regex'
2017-03-18 17:45 ` SZEDER Gábor
@ 2017-03-18 18:24 ` SZEDER Gábor
2017-03-21 11:46 ` Johannes Schindelin
0 siblings, 1 reply; 6+ messages in thread
From: SZEDER Gábor @ 2017-03-18 18:24 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Johannes Schindelin, git, SZEDER Gábor
'git {log,diff,...} -S<...> --pickaxe-regex' can segfault as a result
of out-of-bounds memory reads.
diffcore-pickaxe.c:contains() looks for all matches of the given regex
in a buffer in a loop, advancing the buffer pointer to the end of the
last match in each iteration. When we switched to REG_STARTEND in
b7d36ffca (regex: use regexec_buf(), 2016-09-21), we started passing
the size of that buffer to the regexp engine, too. Unfortunately,
this buffer size is never updated on subsequent iterations, and as the
buffer pointer advances on each iteration, this "bufptr+bufsize"
points past the end of the buffer. This results in segmentation
fault, if that memory can't be accessed. In case of 'git log' it can
also result in erroneously listed commits, if the memory past the end
of buffer is accessible and happens to contain data matching the
regex.
Reduce the buffer size on each iteration as the buffer pointer is
advanced, thus maintaining the correct end of buffer location.
Furthermore, make sure that the buffer pointer is not dereferenced in
the control flow statements when we already reached the end of the
buffer.
The new test is flaky, I've never seen it fail on my Linux box even
without the fix, but this is expected according to db5dfa3 (regex:
-G<pattern> feeds a non NUL-terminated string to regexec() and fails,
2016-09-21). However, it did fail on Travis CI with the first (and
incomplete) version of the fix, and based on that commit message I
would expect the new test without the fix to fail most of the time on
Windows.
Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
---
Changes since v1:
diff --git a/diffcore-pickaxe.c b/diffcore-pickaxe.c
index 03f84b714..341529b5a 100644
--- a/diffcore-pickaxe.c
+++ b/diffcore-pickaxe.c
@@ -81,12 +81,12 @@ static unsigned int contains(mmfile_t *mf, regex_t *regexp, kwset_t kws)
regmatch_t regmatch;
int flags = 0;
- while (*data &&
+ while (sz && *data &&
!regexec_buf(regexp, data, sz, 1, ®match, flags)) {
flags |= REG_NOTBOL;
data += regmatch.rm_eo;
sz -= regmatch.rm_eo;
- if (*data && regmatch.rm_so == regmatch.rm_eo) {
+ if (sz && *data && regmatch.rm_so == regmatch.rm_eo) {
data++;
sz--;
}
diffcore-pickaxe.c | 7 +++++--
t/t4062-diff-pickaxe.sh | 5 +++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/diffcore-pickaxe.c b/diffcore-pickaxe.c
index 9795ca1c1..341529b5a 100644
--- a/diffcore-pickaxe.c
+++ b/diffcore-pickaxe.c
@@ -81,12 +81,15 @@ static unsigned int contains(mmfile_t *mf, regex_t *regexp, kwset_t kws)
regmatch_t regmatch;
int flags = 0;
- while (*data &&
+ while (sz && *data &&
!regexec_buf(regexp, data, sz, 1, ®match, flags)) {
flags |= REG_NOTBOL;
data += regmatch.rm_eo;
- if (*data && regmatch.rm_so == regmatch.rm_eo)
+ sz -= regmatch.rm_eo;
+ if (sz && *data && regmatch.rm_so == regmatch.rm_eo) {
data++;
+ sz--;
+ }
cnt++;
}
diff --git a/t/t4062-diff-pickaxe.sh b/t/t4062-diff-pickaxe.sh
index f0bf50bda..7c4903f49 100755
--- a/t/t4062-diff-pickaxe.sh
+++ b/t/t4062-diff-pickaxe.sh
@@ -19,4 +19,9 @@ test_expect_success '-G matches' '
test 4096-zeroes.txt = "$(cat out)"
'
+test_expect_success '-S --pickaxe-regex' '
+ git diff --name-only -S0 --pickaxe-regex HEAD^ >out &&
+ verbose test 4096-zeroes.txt = "$(cat out)"
+'
+
test_done
--
2.12.0.377.g15f6ffe90
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] pickaxe: fix segfault with '-S<...> --pickaxe-regex'
2017-03-18 15:12 [PATCH] pickaxe: fix segfault with '-S<...> --pickaxe-regex' SZEDER Gábor
2017-03-18 17:45 ` SZEDER Gábor
@ 2017-03-18 18:58 ` Junio C Hamano
2017-03-18 19:17 ` Junio C Hamano
1 sibling, 1 reply; 6+ messages in thread
From: Junio C Hamano @ 2017-03-18 18:58 UTC (permalink / raw)
To: SZEDER Gábor; +Cc: Johannes Schindelin, git
Interestingly, the new test fails (with the patch) under prove but
not when run from the shell (i.e. "cd t && sh t4062-diff-pickaxe.sh").
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] pickaxe: fix segfault with '-S<...> --pickaxe-regex'
2017-03-18 18:58 ` [PATCH] " Junio C Hamano
@ 2017-03-18 19:17 ` Junio C Hamano
0 siblings, 0 replies; 6+ messages in thread
From: Junio C Hamano @ 2017-03-18 19:17 UTC (permalink / raw)
To: SZEDER Gábor; +Cc: Johannes Schindelin, git
Junio C Hamano <gitster@pobox.com> writes:
> Interestingly, the new test fails (with the patch) under prove but
> not when run from the shell (i.e. "cd t && sh t4062-diff-pickaxe.sh").
Sorry, false alarm.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCHv2] pickaxe: fix segfault with '-S<...> --pickaxe-regex'
2017-03-18 18:24 ` [PATCHv2] " SZEDER Gábor
@ 2017-03-21 11:46 ` Johannes Schindelin
0 siblings, 0 replies; 6+ messages in thread
From: Johannes Schindelin @ 2017-03-21 11:46 UTC (permalink / raw)
To: SZEDER Gábor; +Cc: Junio C Hamano, git
[-- Attachment #1: Type: text/plain, Size: 1885 bytes --]
Hi Gábor,
On Sat, 18 Mar 2017, SZEDER Gábor wrote:
> 'git {log,diff,...} -S<...> --pickaxe-regex' can segfault as a result of
> out-of-bounds memory reads.
>
> diffcore-pickaxe.c:contains() looks for all matches of the given regex
> in a buffer in a loop, advancing the buffer pointer to the end of the
> last match in each iteration. When we switched to REG_STARTEND in
> b7d36ffca (regex: use regexec_buf(), 2016-09-21), we started passing
> the size of that buffer to the regexp engine, too. Unfortunately,
> this buffer size is never updated on subsequent iterations, and as the
> buffer pointer advances on each iteration, this "bufptr+bufsize"
> points past the end of the buffer. This results in segmentation
> fault, if that memory can't be accessed. In case of 'git log' it can
> also result in erroneously listed commits, if the memory past the end
> of buffer is accessible and happens to contain data matching the
> regex.
>
> Reduce the buffer size on each iteration as the buffer pointer is
> advanced, thus maintaining the correct end of buffer location.
> Furthermore, make sure that the buffer pointer is not dereferenced in
> the control flow statements when we already reached the end of the
> buffer.
>
> The new test is flaky, I've never seen it fail on my Linux box even
> without the fix, but this is expected according to db5dfa3 (regex:
> -G<pattern> feeds a non NUL-terminated string to regexec() and fails,
> 2016-09-21). However, it did fail on Travis CI with the first (and
> incomplete) version of the fix, and based on that commit message I
> would expect the new test without the fix to fail most of the time on
> Windows.
Thank you for catching and fixing this. On Windows, I indeed get a
segmentation fault for the new test case without the patched code, and the
patch indeed fixes this.
ACK,
Dscho
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-03-21 11:46 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-18 15:12 [PATCH] pickaxe: fix segfault with '-S<...> --pickaxe-regex' SZEDER Gábor
2017-03-18 17:45 ` SZEDER Gábor
2017-03-18 18:24 ` [PATCHv2] " SZEDER Gábor
2017-03-21 11:46 ` Johannes Schindelin
2017-03-18 18:58 ` [PATCH] " Junio C Hamano
2017-03-18 19:17 ` Junio C Hamano
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).