From: Michael Haggerty <mhagger@alum.mit.edu>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>,
Duy Nguyen <pclouds@gmail.com>,
Git Mailing List <git@vger.kernel.org>,
Antoine Pelisse <apelisse@gmail.com>
Subject: Re: [PATCH 1/3] prune-packed: fix a possible buffer overflow
Date: Thu, 19 Dec 2013 17:33:55 +0100 [thread overview]
Message-ID: <52B31FF3.1060102@alum.mit.edu> (raw)
In-Reply-To: <20131219000415.GA17420@sigill.intra.peff.net>
On 12/19/2013 01:04 AM, Jeff King wrote:
> On Wed, Dec 18, 2013 at 11:44:58PM +0100, Michael Haggerty wrote:
>
>> [While doing so, I got sidetracked by the question: what happens if a
>> prune process deletes the "objects/XX" directory just the same moment
>> that another process is trying to write an object into that directory?
>> I think the relevant function is sha1_file.c:create_tmpfile(). It looks
>> like there is a nonzero but very small race window that could result in
>> a spurious "unable to create temporary file" error, but even then I
>> don't think there would be any corruption or anything.]
>
> There's a race there, but I think it's hard to trigger.
>
> Our strategy with object creation is to call open, recognize ENOENT,
> mkdir, and then try again. If the rmdir happens before our call to open,
> then we're fine. If open happens first, then the rmdir will fail.
>
> But we don't loop on ENOENT. So if the rmdir happens in the middle,
> after the mkdir but before we call open again, we'd fail, because we
> don't treat ENOENT specially in the second call to open. That is
> unlikely to happen, though, as prune would not be removing a directory
> it did not just enter and clean up an object from (in which case we
> would not have gotten the first ENOENT in the creator). [...]
The way I read it, prune tries to delete the directory whether or not
there were any files in it. So the race could be triggered by a single
writer that wants to write an object to a not-yet-existent shard
directory and a single prune process that encounters the directory
between when it is created and when the object file is added.
But that doesn't mean I disagree with your conclusion:
> So it seems unlikely and the worst case is a temporary failure, not a
> corruption. It's probably not worth caring too much about, but we could
> solve it pretty easily by looping on ENOENT on creation.
Regarding references:
> On a similar note, I imagine that a simultaneous "branch foo/bar" and
> "branch -d foo/baz" could race over the creation/deletion of
> "refs/heads/foo", but I didn't look into it.
Deleting a loose reference doesn't cause the directory containing it to
be deleted. The directory is only deleted by pack-refs (and then only
when a reference in the directory was just packed) or when there is an
attempt to create a new reference that conflicts with the directory. So
the question is whether the creation of a loose ref file is robust
against the disappearance of a directory that it just created.
And the answer is "no". It looks like there are a bunch of places where
similar races occur involving references. And probably many others
elsewhere in the code. (Any caller of safe_create_leading_directories()
is a candidate problem point, and in fact that function itself has an
internal race.) I've started fixing some of these but it might take a
while.
Michael
--
Michael Haggerty
mhagger@alum.mit.edu
http://softwareswirl.blogspot.com/
next prev parent reply other threads:[~2013-12-19 16:41 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-17 13:43 [PATCH 0/3] Fix two buffer overflows and remove a redundant var Michael Haggerty
2013-12-17 13:43 ` [PATCH 1/3] prune-packed: fix a possible buffer overflow Michael Haggerty
2013-12-17 13:57 ` Duy Nguyen
2013-12-17 18:43 ` Junio C Hamano
2013-12-18 22:44 ` Michael Haggerty
2013-12-19 0:04 ` Jeff King
2013-12-19 16:33 ` Michael Haggerty [this message]
2013-12-20 9:30 ` Jeff King
2013-12-19 0:37 ` Duy Nguyen
2013-12-17 13:43 ` [PATCH 2/3] prune_object_dir(): verify that path fits in the temporary buffer Michael Haggerty
2013-12-17 18:51 ` Junio C Hamano
2013-12-17 23:22 ` Jeff King
2013-12-18 19:35 ` Junio C Hamano
2013-12-18 20:00 ` Jeff King
2013-12-18 20:07 ` Junio C Hamano
2013-12-18 20:11 ` Jeff King
2013-12-18 20:15 ` Junio C Hamano
2013-12-18 20:27 ` Jeff King
2013-12-17 18:56 ` Antoine Pelisse
2013-12-17 13:43 ` [PATCH 3/3] cmd_repack(): remove redundant local variable "nr_packs" Michael Haggerty
2013-12-17 13:46 ` Stefan Beller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52B31FF3.1060102@alum.mit.edu \
--to=mhagger@alum.mit.edu \
--cc=apelisse@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=pclouds@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.