From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Cc: Eric Sunshine <sunshine@sunshineco.com>
Subject: [PATCH 2/4] write_sha1_file_prepare: fix buffer overrun with extra-long object type
Date: Mon, 4 May 2015 14:37:29 -0700
Message-ID: <1430775451-31130-3-git-send-email-gitster@pobox.com>
In-Reply-To: <1430775451-31130-1-git-send-email-gitster@pobox.com>
From: Eric Sunshine <sunshine@sunshineco.com>
git-hash-object learned --literally in 5ba9a93 (hash-object: add
--literally option, 2014-09-11) which can be used to craft a
corrupt/broken object of unknown type.

When the user-provided type is particularly long, however, it can
overflow the relatively small stack-based character array handed to
write_sha1_file_prepare() by hash_sha1_file() and write_sha1_file(),
leading to stack corruption (and crash).
Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
* Tweaked and backported directly on top of 5ba9a93b (hash-object:
add --literally option, 2014-09-11) which is v2.2.0-rc0~88^2
builtin/hash-object.c | 4 +---
cache.h | 1 +
sha1_file.c | 27 ++++++++++++++++++++++++++-
3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/builtin/hash-object.c b/builtin/hash-object.c
index 6158363..887a8ea 100644
--- a/builtin/hash-object.c
+++ b/builtin/hash-object.c
@@ -22,10 +22,8 @@ static int hash_literally(unsigned char *sha1, int fd, const char *type, unsigne
if (strbuf_read(&buf, fd, 4096) < 0)
ret = -1;
- else if (flags & HASH_WRITE_OBJECT)
- ret = write_sha1_file(buf.buf, buf.len, type, sha1);
else
- ret = hash_sha1_file(buf.buf, buf.len, type, sha1);
+ ret = hash_sha1_file_literally(&buf, type, sha1, flags);
strbuf_release(&buf);
return ret;
}
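Review bot: at the new call `ret = hash_sha1_file_literally(&buf, type, sha1, flags);` the whole `flags` word is forwarded, but the callee in the sha1_file.c hunk tests only `HASH_WRITE_OBJECT`, so any other hash flag a caller sets is silently ignored for literal objects. Either mask explicitly (`flags & HASH_WRITE_OBJECT`) or add a one-line comment at the call site saying that other flags are deliberately not honoured for --literally, so a future reader does not assume they are.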
diff --git a/cache.h b/cache.h
index dfa1a56..2da7740 100644
--- a/cache.h
+++ b/cache.h
@@ -888,6 +888,7 @@ static inline const unsigned char *lookup_replace_object_extended(const unsigned
extern int sha1_object_info(const unsigned char *, unsigned long *);
extern int hash_sha1_file(const void *buf, unsigned long len, const char *type, unsigned char *sha1);
extern int write_sha1_file(const void *buf, unsigned long len, const char *type, unsigned char *return_sha1);
+extern int hash_sha1_file_literally(struct strbuf *buf, const char *type, unsigned char *return_sha1, unsigned flags);
extern int pretend_sha1_file(void *, unsigned long, enum object_type, unsigned char *);
extern int force_object_loose(const unsigned char *sha1, time_t mtime);
extern int git_open_noatime(const char *name);
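Review bot: the new prototype is shaped differently from the two declarations above it: hash_sha1_file() and write_sha1_file() take `const void *buf, unsigned long len`, while `hash_sha1_file_literally(struct strbuf *buf, ...)` takes a non-const strbuf even though the definition only reads `buf->buf` and `buf->len`. Taking the same `const void *buf, unsigned long len` pair (or at least `const struct strbuf *`) avoids forcing every caller to own a strbuf and keeps the trio consistent. The parameter is also named `return_sha1` here but `sha1` in the definition; pick one.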
diff --git a/sha1_file.c b/sha1_file.c
index c08c0cb..0fe3f29 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -2962,6 +2962,31 @@ int write_sha1_file(const void *buf, unsigned long len, const char *type, unsign
return write_loose_object(sha1, hdr, hdrlen, buf, len, 0);
}
+int hash_sha1_file_literally(struct strbuf *buf, const char *type,
+ unsigned char *sha1, unsigned flags)
+{
+ struct strbuf header = STRBUF_INIT;
+ int hdrlen, status = 0;
+
+ /* type string, SP, %lu of the length plus NUL must fit this */
+ strbuf_grow(&header, strlen(type) + 20);
+
+ write_sha1_file_prepare(buf->buf, buf->len, type, sha1,
+ header.buf, &hdrlen);
+
+ if (!(flags & HASH_WRITE_OBJECT))
+ goto cleanup;
+
+ if (has_sha1_file(sha1))
+ goto cleanup;
+ status = write_loose_object(sha1, header.buf, hdrlen,
+ buf->buf, buf->len, 0);
+
+cleanup:
+ strbuf_release(&header);
+ return status;
+}
+
int force_object_loose(const unsigned char *sha1, time_t mtime)
{
void *buf;
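Review bot: `strbuf_grow(&header, strlen(type) + 20);` is smaller than its own comment requires in the worst case: the type, one SP, up to 20 decimal digits for a 64-bit `%lu`, and the NUL add up to strlen(type) + 22, so a 20-digit length only fits if strbuf_grow() happens to over-allocate beyond what was asked. Use a clearly generous constant (strlen(type) + 32, say) or compute the exact size from `buf->len`. Separately, the strbuf is used purely as a raw allocation here: `header.buf` is filled by write_sha1_file_prepare() while `header.len` stays 0 and the result is passed around as `header.buf, hdrlen`. A plain xmalloc()/free() pair expresses that intent more honestly than a strbuf whose bookkeeping is bypassed.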
--
2.4.0-302-g6743426
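The bug the commit message describes is a caller-controlled type string being formatted into a fixed-size header buffer. The following is an added example, not git's code, that models the "<type> SP <decimal length> NUL" header write_sha1_file_prepare() produces, sizes the buffer from the type instead of using a fixed array, and shows why a fixed buffer (FIXED_HDR_BYTES = 32 is an assumed size for illustration, standing in for the "relatively small stack-based character array" the commit message mentions) is overrun by a 40-character type. FIXED_HDR_BYTES, ULONG_DEC_DIGITS, header_bytes_needed, header_upper_bound, build_header and long_type_check are this example's own names, and the sample types are constructed inputs.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not git's code. Models the loose-object header
 * "<type> SP <decimal length> NUL" and contrasts a fixed-size buffer
 * (hypothetical FIXED_HDR_BYTES) with one sized from the type string.
 */

#define FIXED_HDR_BYTES 32

/* Worst-case decimal digits of an unsigned long (20 on LP64, 10 on ILP32). */
#define ULONG_DEC_DIGITS \
	((sizeof(unsigned long) * CHAR_BIT * 30103UL + 99999UL) / 100000UL)

/* Exact bytes needed for "<type> <len>" including the terminating NUL. */
size_t header_bytes_needed(const char *type, unsigned long len)
{
	int n = snprintf(NULL, 0, "%s %lu", type, len);
	return n < 0 ? 0 : (size_t)n + 1;
}

/* Cheap upper bound that needs no formatting: type, SP, max digits, NUL. */
size_t header_upper_bound(const char *type)
{
	return strlen(type) + 1 + ULONG_DEC_DIGITS + 1;
}

/* 1 if formatting this header into a FIXED_HDR_BYTES array would overrun it. */
int fixed_buffer_would_overrun(const char *type, unsigned long len)
{
	return header_bytes_needed(type, len) > FIXED_HDR_BYTES;
}

/*
 * Hardened builder: allocate from the computed size, format with a bounded
 * call, and verify the result fits. On success *hdrlen counts the NUL, as
 * git's hdrlen does, and the caller frees the returned buffer.
 */
char *build_header(const char *type, unsigned long len, int *hdrlen)
{
	size_t need = header_bytes_needed(type, len);
	char *hdr;
	int n;

	if (!need || need > INT_MAX)
		return NULL;
	hdr = malloc(need);
	if (!hdr)
		return NULL;
	n = snprintf(hdr, need, "%s %lu", type, len);
	if (n < 0 || (size_t)n + 1 != need) {
		free(hdr);
		return NULL;
	}
	*hdrlen = n + 1;
	return hdr;
}

/*
 * Constructed input: a type of `type_len` 'a' characters with length 0.
 * Returns 1 when the fixed buffer would overrun but the sized builder
 * still produces a correct header, 0 otherwise.
 */
int long_type_check(size_t type_len)
{
	char *type = malloc(type_len + 1);
	char *hdr;
	int hdrlen = 0, ok;

	if (!type)
		return 0;
	memset(type, 'a', type_len);
	type[type_len] = '\0';
	hdr = build_header(type, 0, &hdrlen);
	ok = hdr != NULL
	     && fixed_buffer_would_overrun(type, 0)
	     && (size_t)hdrlen == type_len + 3 /* type, SP, "0", NUL */
	     && strncmp(hdr, type, type_len) == 0
	     && strcmp(hdr + type_len, " 0") == 0;
	free(hdr);
	free(type);
	return ok;
}

int main(void)
{
	/* Constructed sample types: two real ones and a 40-character one. */
	const char *types[] = { "blob", "commit",
		"aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" };
	size_t i;

	for (i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
		int hdrlen = 0;
		char *hdr = build_header(types[i], 1234, &hdrlen);
		printf("%-40s need=%zu bound=%zu fixed%d_overrun=%d hdr=\"%s\"\n",
		       types[i], header_bytes_needed(types[i], 1234),
		       header_upper_bound(types[i]), FIXED_HDR_BYTES,
		       fixed_buffer_would_overrun(types[i], 1234),
		       hdr ? hdr : "(alloc failed)");
		free(hdr);
	}
	return 0;
}
```

header_upper_bound() is the arithmetic the patch's "type string, SP, %lu of the length plus NUL" comment is approximating: on a 64-bit build it comes to strlen(type) + 22, which is the number any fixed per-call slack has to beat. Sizing from the computed value, or checking fixed_buffer_would_overrun() before touching a fixed array, is what turns an attacker-chosen --literally type from a stack overrun into a clean failure.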
Thread overview: 15+ messages
2015-05-04 7:25 [PATCH 0/3] hash-object crash fix and new doc and tests Eric Sunshine
2015-05-04 7:25 ` [PATCH 1/3] git-hash-object.txt: document --literally option Eric Sunshine
2015-05-04 7:25 ` [PATCH 2/3] t1007: add hash-object --literally tests Eric Sunshine
2015-05-04 7:25 ` [PATCH 3/3] write_sha1_file_prepare: fix buffer overrun with extra-long object type Eric Sunshine
2015-05-04 17:58 ` Junio C Hamano
2015-05-04 17:59 ` Junio C Hamano
2015-05-04 21:37 ` [PATCH 0/4] "hash-object --literally" fixes Junio C Hamano
2015-05-04 21:37 ` [PATCH 1/4] git-hash-object.txt: document --literally option Junio C Hamano
2015-05-04 21:37 ` Junio C Hamano [this message]
2015-05-05 0:13 ` [PATCH 2/4] write_sha1_file_prepare: fix buffer overrun with extra-long object type Eric Sunshine
2015-05-05 0:28 ` Junio C Hamano
2015-05-05 17:30 ` Junio C Hamano
2015-05-05 18:49 ` Eric Sunshine
2015-05-04 21:37 ` [PATCH 3/4] t1007: add hash-object --literally tests Junio C Hamano
2015-05-04 21:37 ` [PATCH 4/4] write_sha1_file(): do not use a separate sha1[] array Junio C Hamano