From: Wataru Noguchi <wnoguchi.0727@gmail.com>
To: kusmabite@gmail.com
Cc: "Antoine Pelisse" <apelisse@gmail.com>,
"René Scharfe" <l.s.r@web.de>,
"Johannes Schindelin" <Johannes.Schindelin@gmx.de>,
git <git@vger.kernel.org>, msysGit <msysgit@googlegroups.com>
Subject: Re: [PATCH] mingw-multibyte: fix memory acces violation and path length limits.
Date: Sat, 05 Oct 2013 20:39:58 +0900
Message-ID: <524FFA8E.70009@gmail.com>
In-Reply-To: <CABPQNSaqjKPGAQ4EKBSk+bQP2WMksc6M0YQxSkB91UrnFF28xQ@mail.gmail.com>
Hi,
I put in the following printf logs.
int checkout_entry(struct cache_entry *ce,
		   const struct checkout *state, char *topath)
{
	static char path[PATH_MAX + 1];
	struct stat st;
	int len = state->base_dir_len;

	if (topath)
		return write_entry(ce, topath, state, 1);

	memcpy(path, state->base_dir, len);
	fprintf(stderr, "path: %s\n", path);
	fprintf(stderr, "len: %d\n", len);
	strcpy(path + len, ce->name);
	len += ce_namelen(ce);
	fprintf(stderr, "path: %s\n", path);
	fprintf(stderr, "len: %d\n", len);
	fprintf(stderr, "path_max: %d\n", PATH_MAX);
--------------------------------------------------------------------------------------
crash result
wnoguchi@WIN-72R9044R72V /usr/tmp (master)
$ git clone https://github.com/wnoguchi/mingw-checkout-crash.git a2
Cloning into 'a2'...
remote: Counting objects: 8, done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 8 (delta 0), reused 8 (delta 0)
Unpacking objects: 100% (8/8), done.
Checking connectivity... done
path:
len: 0
path: dummy 1-long-long-long-dirname/dummy 2-long-long
-long-dirname/dummy 3-long-long-long-dirname/dummy 4-l
ong-long-long-dirname/dummy 5-long-long-long-dirname/aaaaaaaaaaaa.txt
len: 302
path_max: 259
crash!!
--------------------------------------------------------------------------------------
build with
CFLAGS = -g -O2 -fno-inline-small-functions -Wall
wnoguchi@WIN-72R9044R72V /usr/tmp (master)
$ git clone https://github.com/wnoguchi/mingw-checkout-crash.git a3
Cloning into 'a3'...
remote: Counting objects: 8, done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 8 (delta 0), reused 8 (delta 0)
Unpacking objects: 100% (8/8), done.
Checking connectivity... done
path:
len: 0
path: dummy 1-long-long-long-dirname/dummy 2-long-long
-long-dirname/dummy 3-long-long-long-dirname/dummy 4-l
ong-long-long-dirname/dummy 5-long-long-long-dirname/aaaaaaaaaaaa.txt
len: 302
path_max: 259
Warning: Your console font probably doesn't support Unicode. If you experience s
trange characters in the output, consider switching to a TrueType font such as L
ucida Console!
works fine.
------------------------------------------------------------------------------------
Does this result mean the actual path byte length overruns the path buffer?
static char path[PATH_MAX + 1];
hmmm...
I'm not sure why -fno-inline-small-functions works.
(2013/10/04 2:36), Erik Faye-Lund wrote:
> On Thu, Oct 3, 2013 at 7:25 PM, Antoine Pelisse <apelisse@gmail.com> wrote:
>> I've not followed the thread so much but, in that
>> entry.c::checkout_entry(), we do:
>>
>> memcpy(path, state->base_dir, len);
>> strcpy(path + len, ce->name);
>>
>> which can of course result in memory violation if PATH is not long enough.
>>
>
> ...aaand you're spot on. The following patch illustrates it:
>
> $ /git/git-clone.exe mingw-checkout-crash.git
> Cloning into 'mingw-checkout-crash'...
> done.
> fatal: argh, this won't work!
> warning: Clone succeeded, but checkout failed.
> You can inspect what was checked out with 'git status'
> and retry the checkout with 'git checkout -f HEAD'
>
> ---
>
> diff --git a/entry.c b/entry.c
> index acc892f..505638e 100644
> --- a/entry.c
> +++ b/entry.c
> @@ -244,6 +244,9 @@ int checkout_entry(struct cache_entry *ce,
> if (topath)
> return write_entry(ce, topath, state, 1);
>
> + if (len > PATH_MAX || len + strlen(ce->name) > PATH_MAX)
> + die("argh, this won't work!");
> +
> memcpy(path, state->base_dir, len);
> strcpy(path + len, ce->name);
> len += ce_namelen(ce);
>
>
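Review bot: the die() message on the added line, "argh, this won't work!", names neither the path nor the limit, so a user whose checkout stops here cannot tell which entry is too long; report ce->name and PATH_MAX, e.g. die("path too long (limit %d): %s", PATH_MAX, ce->name). The added check also measures the name with strlen(ce->name) while the unchanged line below it uses ce_namelen(ce); using the same accessor in both places keeps the check and the copy in agreement. Since die() aborts the whole checkout, as the "Clone succeeded, but checkout failed" output shows, consider returning an error for this one entry instead.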
>> On Thu, Oct 3, 2013 at 12:26 AM, Wataru Noguchi <wnoguchi.0727@gmail.com> wrote:
>>> Hi,
>>>
>>> At last, I found the following Makefile optimization suppression works fine in my
>>> case.
>>>
>>> CFLAGS = -g -O2 -fno-inline-small-functions -Wall
>>>
>>> The following optimization option causes the crash,
>>>
>>> -finline-small-functions
--
================================
Wataru Noguchi
wnoguchi.0727@gmail.com
http://wnoguchi.github.io/
================================
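Added example (not part of the original message and not git's code): a bounded version of the memcpy/strcpy join discussed above, which rejects the 302-byte name from the log instead of writing past a PATH_MAX + 1 buffer. DEMO_PATH_MAX, join_path_checked and the demo_* functions are hypothetical names, the 259 limit is taken from the printed path_max, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_PATH_MAX 259 /* assumption: the "path_max: 259" value logged above */

/* Hypothetical helper, not a git function: write base_dir + name into dst
 * (dst_size bytes). Returns the joined length, or -1 when the result plus
 * its NUL would not fit; dst is then left as an empty string. */
static int join_path_checked(char *dst, size_t dst_size,
			     const char *base_dir, size_t base_len,
			     const char *name)
{
	size_t name_len = strlen(name);

	if (dst_size == 0)
		return -1;
	dst[0] = '\0';
	/* Subtract instead of adding so base_len + name_len cannot wrap. */
	if (base_len >= dst_size || name_len > dst_size - 1 - base_len)
		return -1;
	memcpy(dst, base_dir, base_len);
	memcpy(dst + base_len, name, name_len + 1); /* includes the NUL */
	return (int)(base_len + name_len);
}

/* Constructed input: a 302-byte entry name, the "len: 302" case above. */
static int demo_long_name(void)
{
	static char path[DEMO_PATH_MAX + 1];
	char name[303];

	memset(name, 'a', 302);
	name[302] = '\0';
	return join_path_checked(path, sizeof(path), "", 0, name);
}

/* Constructed input: a short name under a base directory fits. */
static int demo_short_name(void)
{
	static char path[DEMO_PATH_MAX + 1];

	return join_path_checked(path, sizeof(path), "a2/", 3, "file.txt");
}

int main(void)
{
	printf("long: %d, short: %d\n", demo_long_name(), demo_short_name());
	return 0;
}
```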