Re: [PATCH 1/5] avoid parse_sha1_header() accessing memory out of bound

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Liu Yubao

Subject: Re: [PATCH 1/5] avoid parse_sha1_header() accessing memory out of bound

Date: Tuesday, December 2, 2008 - 8:49 pm

Shawn O. Pearce wrote:
quoted text> Liu Yubao <yubao.liu@gmail.com> wrote:
>> diff --git a/sha1_file.c b/sha1_file.c
>> index 6c0e251..efe6967 100644
>> --- a/sha1_file.c
>> +++ b/sha1_file.c
>> @@ -1254,10 +1255,10 @@ static int parse_sha1_header(const char *hdr, unsigned long *sizep)
>>  	/*
>>  	 * The type can be at most ten bytes (including the
>>  	 * terminating '__PLACEHOLDER__0_' that we add), and is followed by
>> -	 * a space.
>> +	 * a space, at least one byte for size, and a '__PLACEHOLDER__0_'.
>>  	 */
>>  	i = 0;
>> -	for (;;) {
>> +	while (hdr < hdr_end - 2) {
>>  		char c = *hdr++;
>>  		if (c == ' ')
>>  			break;
>> @@ -1265,6 +1266,8 @@ static int parse_sha1_header(const char *hdr, unsigned long *sizep)
>>  		if (i >= sizeof(type))
>>  			return -1;
> 
> That first hunk I am citing is unnecessary, because of the lines
> right above.  All of the callers of this function pass in a buffer
> that is at least 32 bytes in size; this loop aborts if it does not
> find a ' ' within the first 10 bytes of the buffer.  We'll never
> access memory outside of the buffer during this loop.
> 
> So IMHO your first three hunks here aren't necessary.
> 

Seems you missed the cover letter sent as patch 0/5, all patches are explained
in the cover letter, sorry I sent them as separate topics by mistake.

This bound check is mainly for uncompressed loose object, a loose object
that just are uncompressed:

uncompressed loose object = inflate(loose object)
loose object = deflate(typename + <space> + size + '\0' + data)

I'm doing a defensive programming, for uncompressed loose object the mmapped
memory is passed to parse_sha1_header without being checked by inflateInit() first,
so there may be a SIGSEGV crash for a corrupted uncompressed loose object.


quoted text>> @@ -1275,7 +1278,7 @@ static int parse_sha1_header(const char *hdr, unsigned long *sizep)
>>  	if (size > 9)
>>  		return -1;
>>  	if (size) {
>> -		for (;;) {
>> +		while (hdr < hdr_end - 1) {
>>  			unsigned long c = *hdr - '0';
>>  			if (c > 9)
>>  				break;
> 
> OK, there's no promise here that we don't roll off the buffer.
> 
> This can be fixed in the caller, ensuring we always have the '__PLACEHOLDER__1_'
> at some point in the initial header buffer we were asked to parse:
> 
Isn't it easier to solve this problem in one place and maintain it? Maybe someday
someone forgets parse_sha1_header requires a null terminated buffer, and a corrupted
uncompressed loose object even doesn't have to be null terminated (if there will be
this kind of loose object).

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

two questions about the format of loose object, Liu Yubao, (Mon Dec 1, 1:00 am)

Re: two questions about the format of loose object, Junio C Hamano, (Mon Dec 1, 1:25 am)

Re: two questions about the format of loose object, Liu Yubao, (Mon Dec 1, 2:28 am)

Re: two questions about the format of loose object, Jakub Narebski, (Mon Dec 1, 4:32 am)

Re: two questions about the format of loose object, Nick Andrew, (Mon Dec 1, 5:16 am)

Re: two questions about the format of loose object, Shawn O. Pearce, (Mon Dec 1, 8:21 am)

Re: two questions about the format of loose object, Shawn O. Pearce, (Mon Dec 1, 8:32 am)

[PATCH 0/5] support reading and writing uncompressed loose ..., Liu Yubao, (Mon Dec 1, 6:48 pm)

[PATCH 1/5] avoid parse_sha1_header() accessing memory out ..., Liu Yubao, (Mon Dec 1, 6:51 pm)

[PATCH 2/5] don't die immediately when convert an invalid ..., Liu Yubao, (Mon Dec 1, 6:53 pm)

[PATCH 3/5] optimize parse_sha1_header() a little by detec ..., Liu Yubao, (Mon Dec 1, 6:55 pm)

[PATCH 4/5] support reading uncompressed loose object, Liu Yubao, (Mon Dec 1, 6:56 pm)

[PATCH 5/5] support writing uncompressed loose object, Liu Yubao, (Mon Dec 1, 7:03 pm)

Re: two questions about the format of loose object, Liu Yubao, (Mon Dec 1, 7:19 pm)

Re: two questions about the format of loose object, Liu Yubao, (Mon Dec 1, 7:26 pm)

Re: two questions about the format of loose object, Liu Yubao, (Mon Dec 1, 7:43 pm)

Re: two questions about the format of loose object, Liu Yubao, (Mon Dec 1, 8:05 pm)

Re: [PATCH 0/5] support reading and writing uncompressed l ..., Liu Yubao, (Mon Dec 1, 8:11 pm)

Re: [PATCH 1/5] avoid parse_sha1_header() accessing memory ..., Shawn O. Pearce, (Tue Dec 2, 8:42 am)

Re: [PATCH 3/5] optimize parse_sha1_header() a little by d ..., Shawn O. Pearce, (Tue Dec 2, 8:53 am)

Re: [PATCH 4/5] support reading uncompressed loose object, Shawn O. Pearce, (Tue Dec 2, 8:58 am)

Re: [PATCH 5/5] support writing uncompressed loose object, Shawn O. Pearce, (Tue Dec 2, 9:07 am)

Re: [PATCH 1/5] avoid parse_sha1_header() accessing memory ..., Liu Yubao, (Tue Dec 2, 8:49 pm)

Re: [PATCH 3/5] optimize parse_sha1_header() a little by d ..., Liu Yubao, (Tue Dec 2, 9:06 pm)

Re: [PATCH 4/5] support reading uncompressed loose object, Liu Yubao, (Tue Dec 2, 9:09 pm)

Re: [PATCH 5/5] support writing uncompressed loose object, Liu Yubao, (Tue Dec 2, 9:22 pm)

Re: two questions about the format of loose object, Nicolas Pitre, (Wed Dec 3, 5:54 pm)


linux-kernel:
Greg KH	Og dreams of kernels
Jens Axboe	[PATCH 31/33] Fusion: sg chaining support
Arnd Bergmann	Re: finding your own dead "CONFIG_" variables
Mark Brown	<