[PATCH] sequencer.c: fix overflow & segfault in parse_strategy_opts()

[PATCH] sequencer.c: fix overflow & segfault in parse_strategy_opts()

[Ævar Arnfjörð Bjarmason]

The split_cmdline() function introduced in [1] returns an "int". If
it's negative it signifies an error. The option parsing in [2] didn't
account for this, and assigned the value directly to the "size_t
xopts_nr". We'd then attempt to loop over all of these elements, and
access uninitialized memory.

There's a few things that use this for option parsing, but one way to
trigger it is with a bad value to "-X <strategy-option>", e.g:

	git rebase -X"bad argument\""

In another context this might be a security issue, but in this case
someone who's already able to inject arguments directly to our
commands would be past other defenses, making this potential
escalation a moot point.

As the example above & test case shows the error reporting leaves
something to be desired. The function will loop over the
whitespace-split values, but when it encounters an error we'll only
report the first element, which is OK, not the second "argument\""
whose quote is unbalanced.

This is an inherent limitation of the current API, and the issue
affects other API users. Let's not attempt to fix that now. If and
when that happens these tests will need to be adjusted to assert the
new output.

1. 2b11e3170e9 (If you have a config containing something like this:,
   2006-06-05)
2. ca6c6b45dd9 (sequencer (rebase -i): respect strategy/strategy_opts
   settings, 2017-01-02)

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
---

CI & branch for this at
https://github.com/avar/git/tree/avar/sequencer-xopts-nr-overflow

Not a new issue, but I figured with other discussions in this area
kicking this out the door sooner than later was better.

 sequencer.c                    |  9 +++++++--
 t/t3436-rebase-more-options.sh | 18 ++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/sequencer.c b/sequencer.c
index 3e4a1972897..79c615193b6 100644
--- a/sequencer.c
+++ b/sequencer.c
@@ -2876,13 +2876,18 @@ static int populate_opts_cb(const char *key, const char *value, void *data)
 void parse_strategy_opts(struct replay_opts *opts, char *raw_opts)
 {
 	int i;
+	int count;
 	char *strategy_opts_string = raw_opts;
 
 	if (*strategy_opts_string == ' ')
 		strategy_opts_string++;
 
-	opts->xopts_nr = split_cmdline(strategy_opts_string,
-				       (const char ***)&opts->xopts);
+	count = split_cmdline(strategy_opts_string,
+			      (const char ***)&opts->xopts);
+	if (count < 0)
+		die(_("could not split '%s': '%s'"), strategy_opts_string,
+			    split_cmdline_strerror(count));
+	opts->xopts_nr = count;
 	for (i = 0; i < opts->xopts_nr; i++) {
 		const char *arg = opts->xopts[i];
 
diff --git a/t/t3436-rebase-more-options.sh b/t/t3436-rebase-more-options.sh
index 94671d3c465..195ace34559 100755
--- a/t/t3436-rebase-more-options.sh
+++ b/t/t3436-rebase-more-options.sh
@@ -40,6 +40,24 @@ test_expect_success 'setup' '
 	EOF
 '
 
+test_expect_success 'bad -X <strategy-option> arguments: unclosed quote' '
+	cat >expect <<-\EOF &&
+	fatal: could not split '\''--bad'\'': '\''unclosed quote'\''
+	EOF
+	test_expect_code 128 git rebase -X"bad argument\"" side main >out 2>actual &&
+	test_must_be_empty out &&
+	test_cmp expect actual
+'
+
+test_expect_success 'bad -X <strategy-option> arguments: bad escape' '
+	cat >expect <<-\EOF &&
+	fatal: could not split '\''--bad'\'': '\''cmdline ends with \'\''
+	EOF
+	test_expect_code 128 git rebase -X"bad escape \\" side main >out 2>actual &&
+	test_must_be_empty out &&
+	test_cmp expect actual
+'
+
 test_expect_success '--ignore-whitespace works with apply backend' '
 	test_must_fail git rebase --apply main side &&
 	git rebase --abort &&
-- 
2.40.0.rc1.1034.g5867a1b10c5

Re: [PATCH] sequencer.c: fix overflow & segfault in parse_strategy_opts()

[Junio C Hamano]

Ævar Arnfjörð Bjarmason  <avarab@gmail.com> writes:

> There's a few things that use this for option parsing, but one way to
> trigger it is with a bad value to "-X <strategy-option>", e.g:
>
> 	git rebase -X"bad argument\""

Wow, that is nasty ;-).

> diff --git a/sequencer.c b/sequencer.c
> index 3e4a1972897..79c615193b6 100644
> --- a/sequencer.c
> +++ b/sequencer.c
> @@ -2876,13 +2876,18 @@ static int populate_opts_cb(const char *key, const char *value, void *data)
>  void parse_strategy_opts(struct replay_opts *opts, char *raw_opts)
>  {
>  	int i;
> +	int count;
>  	char *strategy_opts_string = raw_opts;
>  
>  	if (*strategy_opts_string == ' ')
>  		strategy_opts_string++;
>  
> -	opts->xopts_nr = split_cmdline(strategy_opts_string,
> -				       (const char ***)&opts->xopts);
> +	count = split_cmdline(strategy_opts_string,
> +			      (const char ***)&opts->xopts);
> +	if (count < 0)
> +		die(_("could not split '%s': '%s'"), strategy_opts_string,
> +			    split_cmdline_strerror(count));

This made me look at split_cmdline_strerror().  It is a table lookup
into split_cmdline_errors[] in alias.c which looks like this:

    static const char *split_cmdline_errors[] = {
            N_("cmdline ends with \\"),
            N_("unclosed quote"),
            N_("too many arguments"),
    };

So the result is properly localized, but I suspect that the string
after : should not be enclosed within a pair of single quotes.

	die(_("could not split '%s': %s", strategy_opts_string,
		split_cmdline_strerror(count)));

Other than that, nice find.

Thanks.

Re: [PATCH] sequencer.c: fix overflow & segfault in parse_strategy_opts()

[Junio C Hamano]

Junio C Hamano <gitster@pobox.com> writes:

> This made me look at split_cmdline_strerror().  It is a table lookup
> into split_cmdline_errors[] in alias.c which looks like this:
>
>     static const char *split_cmdline_errors[] = {
>             N_("cmdline ends with \\"),
>             N_("unclosed quote"),
>             N_("too many arguments"),
>     };
>
> So the result is properly localized, but I suspect that the string
> after : should not be enclosed within a pair of single quotes.
>
> 	die(_("could not split '%s': %s", strategy_opts_string,
> 		split_cmdline_strerror(count)));
>
> Other than that, nice find.

I'll queue this on top.

----- >8 ---------- >8 ---------- >8 ---------- >8 -----
Subject: [PATCH] SQUASH: no point in quoting strerror like messages

The error message is taken from a limited and fixed set of strings
and we do not usually enclose strerror(errno) inside a pair of
single quotes.
---
 sequencer.c                    | 2 +-
 t/t3436-rebase-more-options.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sequencer.c b/sequencer.c
index cc59a1c491..e4a3f0081f 100644
--- a/sequencer.c
+++ b/sequencer.c
@@ -2885,7 +2885,7 @@ void parse_strategy_opts(struct replay_opts *opts, char *raw_opts)
 	count = split_cmdline(strategy_opts_string,
 			      (const char ***)&opts->xopts);
 	if (count < 0)
-		die(_("could not split '%s': '%s'"), strategy_opts_string,
+		die(_("could not split '%s': %s"), strategy_opts_string,
 			    split_cmdline_strerror(count));
 	opts->xopts_nr = count;
 	for (i = 0; i < opts->xopts_nr; i++) {
diff --git a/t/t3436-rebase-more-options.sh b/t/t3436-rebase-more-options.sh
index 195ace3455..c3184c9ade 100755
--- a/t/t3436-rebase-more-options.sh
+++ b/t/t3436-rebase-more-options.sh
@@ -42,7 +42,7 @@ test_expect_success 'setup' '
 
 test_expect_success 'bad -X <strategy-option> arguments: unclosed quote' '
 	cat >expect <<-\EOF &&
-	fatal: could not split '\''--bad'\'': '\''unclosed quote'\''
+	fatal: could not split '\''--bad'\'': unclosed quote
 	EOF
 	test_expect_code 128 git rebase -X"bad argument\"" side main >out 2>actual &&
 	test_must_be_empty out &&
@@ -51,7 +51,7 @@ test_expect_success 'bad -X <strategy-option> arguments: unclosed quote' '
 
 test_expect_success 'bad -X <strategy-option> arguments: bad escape' '
 	cat >expect <<-\EOF &&
-	fatal: could not split '\''--bad'\'': '\''cmdline ends with \'\''
+	fatal: could not split '\''--bad'\'': cmdline ends with \
 	EOF
 	test_expect_code 128 git rebase -X"bad escape \\" side main >out 2>actual &&
 	test_must_be_empty out &&
-- 
2.40.0-rc2

Re: [PATCH] sequencer.c: fix overflow & segfault in parse_strategy_opts()

[Phillip Wood]

Hi Ævar

On 07/03/2023 18:21, Ævar Arnfjörð Bjarmason wrote:
> The split_cmdline() function introduced in [1] returns an "int". If
> it's negative it signifies an error. The option parsing in [2] didn't
> account for this, and assigned the value directly to the "size_t
> xopts_nr". We'd then attempt to loop over all of these elements, and
> access uninitialized memory.
> 
> There's a few things that use this for option parsing, but one way to
> trigger it is with a bad value to "-X <strategy-option>", e.g:
> 
> 	git rebase -X"bad argument\""

As Junio said that's nasty, thanks for catching it. I think what Junio 
has queued in seen is fine. The root cause of the issue is that we don't 
quote the --strategy-option arguments properly. I've got some cleanups 
based on top of this at 
https://github.com/phillipwood/git/commits/sequencer-merge-strategy-options 
to address that. I'll submit them once I've cleaned them up.

Best Wishes

Phillip

> In another context this might be a security issue, but in this case
> someone who's already able to inject arguments directly to our
> commands would be past other defenses, making this potential
> escalation a moot point.
> 
> As the example above & test case shows the error reporting leaves
> something to be desired. The function will loop over the
> whitespace-split values, but when it encounters an error we'll only
> report the first element, which is OK, not the second "argument\""
> whose quote is unbalanced.
> 
> This is an inherent limitation of the current API, and the issue
> affects other API users. Let's not attempt to fix that now. If and
> when that happens these tests will need to be adjusted to assert the
> new output.
> 
> 1. 2b11e3170e9 (If you have a config containing something like this:,
>     2006-06-05)
> 2. ca6c6b45dd9 (sequencer (rebase -i): respect strategy/strategy_opts
>     settings, 2017-01-02)
> 
> Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
> ---
> 
> CI & branch for this at
> https://github.com/avar/git/tree/avar/sequencer-xopts-nr-overflow
> 
> Not a new issue, but I figured with other discussions in this area
> kicking this out the door sooner than later was better.
> 
>   sequencer.c                    |  9 +++++++--
>   t/t3436-rebase-more-options.sh | 18 ++++++++++++++++++
>   2 files changed, 25 insertions(+), 2 deletions(-)
> 
> diff --git a/sequencer.c b/sequencer.c
> index 3e4a1972897..79c615193b6 100644
> --- a/sequencer.c
> +++ b/sequencer.c
> @@ -2876,13 +2876,18 @@ static int populate_opts_cb(const char *key, const char *value, void *data)
>   void parse_strategy_opts(struct replay_opts *opts, char *raw_opts)
>   {
>   	int i;
> +	int count;
>   	char *strategy_opts_string = raw_opts;
>   
>   	if (*strategy_opts_string == ' ')
>   		strategy_opts_string++;
>   
> -	opts->xopts_nr = split_cmdline(strategy_opts_string,
> -				       (const char ***)&opts->xopts);
> +	count = split_cmdline(strategy_opts_string,
> +			      (const char ***)&opts->xopts);
> +	if (count < 0)
> +		die(_("could not split '%s': '%s'"), strategy_opts_string,
> +			    split_cmdline_strerror(count));
> +	opts->xopts_nr = count;
>   	for (i = 0; i < opts->xopts_nr; i++) {
>   		const char *arg = opts->xopts[i];
>   
> diff --git a/t/t3436-rebase-more-options.sh b/t/t3436-rebase-more-options.sh
> index 94671d3c465..195ace34559 100755
> --- a/t/t3436-rebase-more-options.sh
> +++ b/t/t3436-rebase-more-options.sh
> @@ -40,6 +40,24 @@ test_expect_success 'setup' '
>   	EOF
>   '
>   
> +test_expect_success 'bad -X <strategy-option> arguments: unclosed quote' '
> +	cat >expect <<-\EOF &&
> +	fatal: could not split '\''--bad'\'': '\''unclosed quote'\''
> +	EOF
> +	test_expect_code 128 git rebase -X"bad argument\"" side main >out 2>actual &&
> +	test_must_be_empty out &&
> +	test_cmp expect actual
> +'
> +
> +test_expect_success 'bad -X <strategy-option> arguments: bad escape' '
> +	cat >expect <<-\EOF &&
> +	fatal: could not split '\''--bad'\'': '\''cmdline ends with \'\''
> +	EOF
> +	test_expect_code 128 git rebase -X"bad escape \\" side main >out 2>actual &&
> +	test_must_be_empty out &&
> +	test_cmp expect actual
> +'
> +
>   test_expect_success '--ignore-whitespace works with apply backend' '
>   	test_must_fail git rebase --apply main side &&
>   	git rebase --abort &&