[PATCH] setup: avoid uninitialized use of is_safe in ensure_valid_ownership

[PATCH] setup: avoid uninitialized use of is_safe in ensure_valid_ownership

[Carlo Marcelo Arenas Belón]

8959555cee7 (setup_git_directory(): add an owner check for the top-level
directory, 2022-03-02) adds this member as part of a newly created
structure that then gets initialized during the callback, but bb50ec3cc30
(setup: fix safe.directory key not being checked, 2022-04-13) add a
quick exit from the callback that avoids this initialization unless the
callback is called with the relevant key.

This leads to this variable not being initialized UNLESS the global config
has at least one key for safe.directory, so instead initialize it in the
caller.

Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
---
 setup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.c b/setup.c
index a7b36f3ffbf..17c7f5fc1dc 100644
--- a/setup.c
+++ b/setup.c
@@ -1122,7 +1122,7 @@ static int safe_directory_cb(const char *key, const char *value, void *d)
 
 static int ensure_valid_ownership(const char *path)
 {
-	struct safe_directory_data data = { .path = path };
+	struct safe_directory_data data = { .path = path, .is_safe = 0 };
 
 	if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) &&
 	    is_path_owned_by_current_user(path))
-- 
2.36.0.266.g59f845bde02

Re: [PATCH] setup: avoid uninitialized use of is_safe in ensure_valid_ownership

[Carlo Arenas]

On Wed, Apr 27, 2022 at 1:17 AM Matheus Valadares <me@m28.io> wrote:
>
> That’s not needed. Fields in an aggregate constructor that are not named are initialized to 0.

Could you point me to the C99 specification that documents that if you
have it at hand?  Even if not strictly necessary, it seems like good
code higiene as its effect is hidden.

FWIW, it broke a change I was doing on top of this where I removed the
" .path " initializer to set it later and was suddenly getting random
unrelated errors because this field was not initialized.

Carlo

Re: [PATCH] setup: avoid uninitialized use of is_safe in ensure_valid_ownership

[Carlo Arenas]

On Wed, Apr 27, 2022 at 1:33 AM Matheus Valadares <me@m28.io> wrote:
>
> C99 standard §6.7.8 (Initialization)/21,
>
> If there are fewer initializers in a brace-enclosed list than there are elements or members of an aggregate, or fewer characters in a string literal used to initialize an array of known size than there are elements in the array, the remainder of the aggregate shall be initialized implicitly the same as objects that have static storage duration.

Thanks, I will include the change to remove the path initializer and
add instead the is_safe one as part of my bigger change, but FWIW the
following doesn't even trigger a warning with the highest level we
have with neither a recent clang or gcc or even the cppcheck static
analyzer, but leave and uses is_safe uninitialized.

diff --git a/setup.c b/setup.c
index 17c7f5fc1dc..28d008145fa 100644
--- a/setup.c
+++ b/setup.c
@@ -1122,7 +1122,9 @@ static int safe_directory_cb(const char *key,
const char *value, void *d)

 static int ensure_valid_ownership(const char *path)
 {
-       struct safe_directory_data data = { .path = path, .is_safe = 0 };
+       struct safe_directory_data data;
+
+       data.path = path;

        if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) &&
            is_path_owned_by_current_user(path))

Carlo

Re: [PATCH] setup: avoid uninitialized use of is_safe in ensure_valid_ownership

[Derrick Stolee]

On 4/27/2022 5:16 AM, Carlo Arenas wrote:
> On Wed, Apr 27, 2022 at 1:33 AM Matheus Valadares <me@m28.io> wrote:
>>
>> C99 standard §6.7.8 (Initialization)/21,
>>
>> If there are fewer initializers in a brace-enclosed list than there are elements or members of an aggregate, or fewer characters in a string literal used to initialize an array of known size than there are elements in the array, the remainder of the aggregate shall be initialized implicitly the same as objects that have static storage duration.
> 
> Thanks, I will include the change to remove the path initializer and
> add instead the is_safe one as part of my bigger change, but FWIW the
> following doesn't even trigger a warning with the highest level we
> have with neither a recent clang or gcc or even the cppcheck static
> analyzer, but leave and uses is_safe uninitialized.
> 
> diff --git a/setup.c b/setup.c
> index 17c7f5fc1dc..28d008145fa 100644
> --- a/setup.c
> +++ b/setup.c
> @@ -1122,7 +1122,9 @@ static int safe_directory_cb(const char *key,
> const char *value, void *d)
> 
>  static int ensure_valid_ownership(const char *path)
>  {
> -       struct safe_directory_data data = { .path = path, .is_safe = 0 };

Here, we are using an initializer, which guarantees that the unmentioned
members are set to zeroes.

> +       struct safe_directory_data data;

Here, you are not using an initializer. The data could be anything, so
is not safe.

> +
> +       data.path = path;

Initializing individual members like this afterwards is not safe unless
you set all members individually.

That is why we use the "= { ... }" pattern throughout the codebase.
Sometimes it is simplified to just "= { 0 }" to make sure that the first
member is mentioned as zero and the remaining members are also set to
zero as specified in the standard.

Thanks,
-Stolee

Re: [PATCH] setup: avoid uninitialized use of is_safe in ensure_valid_ownership

[Junio C Hamano]

Carlo Marcelo Arenas Belón  <carenas@gmail.com> writes:

> 8959555cee7 (setup_git_directory(): add an owner check for the top-level
> directory, 2022-03-02) adds this member as part of a newly created
> structure that then gets initialized during the callback, but bb50ec3cc30
> (setup: fix safe.directory key not being checked, 2022-04-13) add a
> quick exit from the callback that avoids this initialization unless the
> callback is called with the relevant key.
>
> This leads to this variable not being initialized UNLESS the global config
> has at least one key for safe.directory, so instead initialize it in the
> caller.
>
> Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
> ---
>  setup.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/setup.c b/setup.c
> index a7b36f3ffbf..17c7f5fc1dc 100644
> --- a/setup.c
> +++ b/setup.c
> @@ -1122,7 +1122,7 @@ static int safe_directory_cb(const char *key, const char *value, void *d)
>  
>  static int ensure_valid_ownership(const char *path)
>  {
> -	struct safe_directory_data data = { .path = path };
> +	struct safe_directory_data data = { .path = path, .is_safe = 0 };

This is not wrong per-se but is not necessary.  Once you have an
initializer, the struct is zero initialized except for members whose
initial values are explicitly mentioned in the initializer.

Sometimes an explicit initialization is a good way to make the
intention of the code clear, and because setting of the .is_safe
member is done inside a callback function, out of sight from the
reader of this function, while the return value does depend on
having a valid value in the .is_safe member, I do not think we mind
this change, though.

But if we were to take it, the justification must be rewritten.  It
is an OK change to clarify the code to human readers.  It is not a
fix to a bug that left a struct member uninitialized.

>  
>  	if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) &&
>  	    is_path_owned_by_current_user(path))