[PATCH] shallow.c: Don't free unallocated slabs

[PATCH] shallow.c: Don't free unallocated slabs

[Ali Utku Selen]

Fix possible segfault when cloning a submodule shallow.

Signed-off-by: Ali Utku Selen <auselen@gmail.com>
---
It is possible to have unallocated slabs in shallow.c's commit_depth
for a shallow submodule with many commits.

Easiest way to reproduce this I found was changing COMMIT_SLAB_SIZE to
32 and run t7406-submodule-update.sh. Segfault happens in case 50:
"submodule update clone shallow submodule outside of depth"

 shallow.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/shallow.c b/shallow.c
index 5fa2b15d37..c33ab94bd7 100644
--- a/shallow.c
+++ b/shallow.c
@@ -156,6 +156,8 @@ struct commit_list *get_shallow_commits(struct object_array *heads, int depth,
 	for (i = 0; i < depths.slab_count; i++) {
 		int j;
 
+		if (!depths.slab[i])
+			continue;
 		for (j = 0; j < depths.slab_size; j++)
 			free(depths.slab[i][j]);
 	}
-- 
2.17.1

Re: [PATCH] shallow.c: Don't free unallocated slabs

[Jeff King]

On Tue, Oct 01, 2019 at 01:33:10AM +0200, Ali Utku Selen wrote:

> Fix possible segfault when cloning a submodule shallow.

Thanks. Just looking at the context, this is clearly the right thing to
be doing.

> It is possible to have unallocated slabs in shallow.c's commit_depth
> for a shallow submodule with many commits.

Yeah, the trick here is that we may over-allocate the slab list but not
fill all of the entries. This is really an internal implementation
detail of how the slab code works. It would be nice if callers didn't
have to care about it. Perhaps we ought to have a slab foreach()
function that encapsulates this, which would let this caller do
something like:

  commit_depth_foreach(&depths, free_commit_depth);
  commit_depth_clear(&depths);

But since this is the only place that looks into the slab in this way,
I'm happy to take your much simpler fix in the meantime.

> Easiest way to reproduce this I found was changing COMMIT_SLAB_SIZE to
> 32 and run t7406-submodule-update.sh. Segfault happens in case 50:
> "submodule update clone shallow submodule outside of depth"

It would be nice to have a test, but I suspect it would be kind of
expensive, since it requires 512kb+ of entries (and would obviously be
depending on this arbitrary internal value). Given the simplicity of the
fix, I think we can live without it.

-Peff

Re: [PATCH] shallow.c: Don't free unallocated slabs

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> ... This is really an internal implementation
> detail of how the slab code works. It would be nice if callers didn't
> have to care about it. Perhaps we ought to have a slab foreach()
> function that encapsulates this, which would let this caller do
> something like:
>
>   commit_depth_foreach(&depths, free_commit_depth);
>   commit_depth_clear(&depths);
>
> But since this is the only place that looks into the slab in this way,
> I'm happy to take your much simpler fix in the meantime.

Likewise.  Thanks, both.