From: Phillip Wood <phillip.wood123@gmail.com>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>, git@vger.kernel.org
Cc: Junio C Hamano <gitster@pobox.com>,
Johannes Schindelin <Johannes.Schindelin@gmx.de>
Subject: Re: [PATCH] sequencer.c: fix overflow & segfault in parse_strategy_opts()
Date: Wed, 8 Mar 2023 16:20:18 +0000 [thread overview]
Message-ID: <d1fcbbe5-52ce-54d0-bad6-97997a2a72c3@dunelm.org.uk> (raw)
In-Reply-To: <patch-1.1-f6a06e25cf3-20230307T182039Z-avarab@gmail.com>
Hi Ævar
On 07/03/2023 18:21, Ævar Arnfjörð Bjarmason wrote:
> The split_cmdline() function introduced in [1] returns an "int". If
> it's negative it signifies an error. The option parsing in [2] didn't
> account for this, and assigned the value directly to the "size_t
> xopts_nr". We'd then attempt to loop over all of these elements, and
> access uninitialized memory.
>
> There's a few things that use this for option parsing, but one way to
> trigger it is with a bad value to "-X <strategy-option>", e.g:
>
> git rebase -X"bad argument\""
As Junio said that's nasty, thanks for catching it. I think what Junio
has queued in seen is fine. The root cause of the issue is that we don't
quote the --strategy-option arguments properly. I've got some cleanups
based on top of this at
https://github.com/phillipwood/git/commits/sequencer-merge-strategy-options
to address that. I'll submit them once I've cleaned them up.
Best Wishes
Phillip
> In another context this might be a security issue, but in this case
> someone who's already able to inject arguments directly to our
> commands would be past other defenses, making this potential
> escalation a moot point.
>
> As the example above & test case shows the error reporting leaves
> something to be desired. The function will loop over the
> whitespace-split values, but when it encounters an error we'll only
> report the first element, which is OK, not the second "argument\""
> whose quote is unbalanced.
>
> This is an inherent limitation of the current API, and the issue
> affects other API users. Let's not attempt to fix that now. If and
> when that happens these tests will need to be adjusted to assert the
> new output.
>
> 1. 2b11e3170e9 (If you have a config containing something like this:,
> 2006-06-05)
> 2. ca6c6b45dd9 (sequencer (rebase -i): respect strategy/strategy_opts
> settings, 2017-01-02)
>
> Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
> ---
>
> CI & branch for this at
> https://github.com/avar/git/tree/avar/sequencer-xopts-nr-overflow
>
> Not a new issue, but I figured with other discussions in this area
> kicking this out the door sooner than later was better.
>
> sequencer.c | 9 +++++++--
> t/t3436-rebase-more-options.sh | 18 ++++++++++++++++++
> 2 files changed, 25 insertions(+), 2 deletions(-)
>
> diff --git a/sequencer.c b/sequencer.c
> index 3e4a1972897..79c615193b6 100644
> --- a/sequencer.c
> +++ b/sequencer.c
> @@ -2876,13 +2876,18 @@ static int populate_opts_cb(const char *key, const char *value, void *data)
> void parse_strategy_opts(struct replay_opts *opts, char *raw_opts)
> {
> int i;
> + int count;
> char *strategy_opts_string = raw_opts;
>
> if (*strategy_opts_string == ' ')
> strategy_opts_string++;
>
> - opts->xopts_nr = split_cmdline(strategy_opts_string,
> - (const char ***)&opts->xopts);
> + count = split_cmdline(strategy_opts_string,
> + (const char ***)&opts->xopts);
> + if (count < 0)
> + die(_("could not split '%s': '%s'"), strategy_opts_string,
> + split_cmdline_strerror(count));
> + opts->xopts_nr = count;
> for (i = 0; i < opts->xopts_nr; i++) {
> const char *arg = opts->xopts[i];
>
> diff --git a/t/t3436-rebase-more-options.sh b/t/t3436-rebase-more-options.sh
> index 94671d3c465..195ace34559 100755
> --- a/t/t3436-rebase-more-options.sh
> +++ b/t/t3436-rebase-more-options.sh
> @@ -40,6 +40,24 @@ test_expect_success 'setup' '
> EOF
> '
>
> +test_expect_success 'bad -X <strategy-option> arguments: unclosed quote' '
> + cat >expect <<-\EOF &&
> + fatal: could not split '\''--bad'\'': '\''unclosed quote'\''
> + EOF
> + test_expect_code 128 git rebase -X"bad argument\"" side main >out 2>actual &&
> + test_must_be_empty out &&
> + test_cmp expect actual
> +'
> +
> +test_expect_success 'bad -X <strategy-option> arguments: bad escape' '
> + cat >expect <<-\EOF &&
> + fatal: could not split '\''--bad'\'': '\''cmdline ends with \'\''
> + EOF
> + test_expect_code 128 git rebase -X"bad escape \\" side main >out 2>actual &&
> + test_must_be_empty out &&
> + test_cmp expect actual
> +'
> +
> test_expect_success '--ignore-whitespace works with apply backend' '
> test_must_fail git rebase --apply main side &&
> git rebase --abort &&
prev parent reply other threads:[~2023-03-08 16:20 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-07 18:21 [PATCH] sequencer.c: fix overflow & segfault in parse_strategy_opts() Ævar Arnfjörð Bjarmason
2023-03-07 19:47 ` Junio C Hamano
2023-03-07 23:23 ` Junio C Hamano
2023-03-08 16:20 ` Phillip Wood [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d1fcbbe5-52ce-54d0-bad6-97997a2a72c3@dunelm.org.uk \
--to=phillip.wood123@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=phillip.wood@dunelm.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).