From: Thomas Gummerer <t.gummerer@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: "Jonathan Nieder" <jrnieder@gmail.com>,
"Jeff King" <peff@peff.net>,
git@vger.kernel.org, "Nguyễn Thái Ngọc Duy" <pclouds@gmail.com>
Subject: Re: [PATCH 1/3] path.c: fix uninitialized memory access
Date: Wed, 4 Oct 2017 20:22:43 +0100 [thread overview]
Message-ID: <20171004192243.GC30301@hank> (raw)
In-Reply-To: <xmqqfuazecym.fsf@gitster.mtv.corp.google.com>
On 10/04, Junio C Hamano wrote:
> Jonathan Nieder <jrnieder@gmail.com> writes:
>
> > Jeff King wrote:
> >> On Tue, Oct 03, 2017 at 03:45:01PM -0700, Jonathan Nieder wrote:
> >
> >>> In other words, an alternative fix would be
> >>>
> >>> if (*path == '.' && path[1] == '/') {
> >>> ...
> >>> }
> >>>
> >>> which would not require passing in 'len' or switching to index-based
> >>> arithmetic. I think I prefer it. What do you think?
> >>
> >> Yes, I think that approach is much nicer. I think you could even use
> >> skip_prefix. Unfortunately you have to play a few games with const-ness,
> >> but I think the resulting signature for cleanup_path() is an
> >> improvement:
>
> To tie the loose end, here is what I'll queue.
Thanks. This is much nicer indeed!
> -- >8 --
> From: Jeff King <peff@peff.net>
> Date: Tue, 3 Oct 2017 19:30:40 -0400
> Subject: [PATCH] path.c: fix uninitialized memory access
>
> In cleanup_path we're passing in a char array, run a memcmp on it, and
> run through it without ever checking if something is in the array in the
> first place. This can lead us to access uninitialized memory, for
> example in t5541-http-push-smart.sh test 7, when run under valgrind:
>
> ==4423== Conditional jump or move depends on uninitialised value(s)
> ==4423== at 0x242FA9: cleanup_path (path.c:35)
> ==4423== by 0x242FA9: mkpath (path.c:456)
> ==4423== by 0x256CC7: refname_match (refs.c:364)
> ==4423== by 0x26C181: count_refspec_match (remote.c:1015)
> ==4423== by 0x26C181: match_explicit_lhs (remote.c:1126)
> ==4423== by 0x26C181: check_push_refs (remote.c:1409)
> ==4423== by 0x2ABB4D: transport_push (transport.c:870)
> ==4423== by 0x186703: push_with_options (push.c:332)
> ==4423== by 0x18746D: do_push (push.c:409)
> ==4423== by 0x18746D: cmd_push (push.c:566)
> ==4423== by 0x1183E0: run_builtin (git.c:352)
> ==4423== by 0x11973E: handle_builtin (git.c:539)
> ==4423== by 0x11973E: run_argv (git.c:593)
> ==4423== by 0x11973E: main (git.c:698)
> ==4423== Uninitialised value was created by a heap allocation
> ==4423== at 0x4C2CD8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==4423== by 0x4C2F195: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==4423== by 0x2C196B: xrealloc (wrapper.c:137)
> ==4423== by 0x29A30B: strbuf_grow (strbuf.c:66)
> ==4423== by 0x29A30B: strbuf_vaddf (strbuf.c:277)
> ==4423== by 0x242F9F: mkpath (path.c:454)
> ==4423== by 0x256CC7: refname_match (refs.c:364)
> ==4423== by 0x26C181: count_refspec_match (remote.c:1015)
> ==4423== by 0x26C181: match_explicit_lhs (remote.c:1126)
> ==4423== by 0x26C181: check_push_refs (remote.c:1409)
> ==4423== by 0x2ABB4D: transport_push (transport.c:870)
> ==4423== by 0x186703: push_with_options (push.c:332)
> ==4423== by 0x18746D: do_push (push.c:409)
> ==4423== by 0x18746D: cmd_push (push.c:566)
> ==4423== by 0x1183E0: run_builtin (git.c:352)
> ==4423== by 0x11973E: handle_builtin (git.c:539)
> ==4423== by 0x11973E: run_argv (git.c:593)
> ==4423== by 0x11973E: main (git.c:698)
> ==4423==
>
> Avoid this by using skip_prefix(), which knows not to go beyond the
> end of the string.
>
> Reported-by: Thomas Gummerer <t.gummerer@gmail.com>
> Signed-off-by: Jeff King <peff@peff.net>
> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> ---
> path.c | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/path.c b/path.c
> index e50d2befcf..2fecf854fe 100644
> --- a/path.c
> +++ b/path.c
> @@ -33,11 +33,10 @@ static struct strbuf *get_pathname(void)
> return sb;
> }
>
> -static char *cleanup_path(char *path)
> +static const char *cleanup_path(const char *path)
> {
> /* Clean it up */
> - if (!memcmp(path, "./", 2)) {
> - path += 2;
> + if (skip_prefix(path, "./", &path)) {
> while (*path == '/')
> path++;
> }
> @@ -46,7 +45,7 @@ static char *cleanup_path(char *path)
>
> static void strbuf_cleanup_path(struct strbuf *sb)
> {
> - char *path = cleanup_path(sb->buf);
> + const char *path = cleanup_path(sb->buf);
> if (path > sb->buf)
> strbuf_remove(sb, 0, path - sb->buf);
> }
> @@ -63,7 +62,7 @@ char *mksnpath(char *buf, size_t n, const char *fmt, ...)
> strlcpy(buf, bad_path, n);
> return buf;
> }
> - return cleanup_path(buf);
> + return (char *)cleanup_path(buf);
> }
>
> static int dir_prefix(const char *buf, const char *dir)
> --
> 2.14.2-889-gd2948f6aa6
>
next prev parent reply other threads:[~2017-10-04 19:22 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-03 19:57 [PATCH 0/3] fixes for running the test suite with --valgrind Thomas Gummerer
2017-10-03 19:57 ` [PATCH 1/3] path.c: fix uninitialized memory access Thomas Gummerer
2017-10-03 22:45 ` Jonathan Nieder
2017-10-03 23:30 ` Jeff King
2017-10-03 23:37 ` Jonathan Nieder
2017-10-04 4:47 ` Junio C Hamano
2017-10-04 5:21 ` Jeff King
2017-10-04 19:22 ` Thomas Gummerer [this message]
2017-10-04 19:36 ` Jonathan Nieder
2017-10-03 19:57 ` [PATCH 2/3] http-push: fix construction of hex value from path Thomas Gummerer
2017-10-03 22:53 ` Jonathan Nieder
2017-10-03 23:36 ` Jeff King
2017-10-04 4:48 ` Junio C Hamano
2017-10-04 5:20 ` Junio C Hamano
2017-10-04 5:26 ` Jeff King
2017-10-04 6:26 ` Junio C Hamano
2017-10-03 19:57 ` [PATCH 3/3] sub-process: allocate argv on the heap Thomas Gummerer
2017-10-03 20:24 ` Johannes Sixt
2017-10-04 4:59 ` Junio C Hamano
2017-10-04 5:32 ` Jeff King
2017-10-04 5:58 ` Johannes Sixt
2017-10-04 19:31 ` Thomas Gummerer
2017-10-03 20:25 ` Stefan Beller
2017-10-03 23:41 ` [PATCH 0/3] fixes for running the test suite with --valgrind Jeff King
2017-10-03 23:50 ` Jonathan Nieder
2017-10-03 23:54 ` Jeff King
2017-10-04 10:19 ` playing with MSan, was " Jeff King
2017-10-04 19:30 ` Thomas Gummerer
2017-10-05 3:46 ` lstat-ing delayed-filter output, was Re: playing with MSan Jeff King
2017-10-05 10:47 ` Lars Schneider
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171004192243.GC30301@hank \
--to=t.gummerer@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jrnieder@gmail.com \
--cc=pclouds@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.