From: Jim Meyering <jim@meyering.net>
To: git list <git@vger.kernel.org>
Subject: [PATCH] grep: don't segfault
Date: Mon, 18 Jan 2010 22:55:07 +0100 [thread overview]
Message-ID: <871vhnhydg.fsf@meyering.net> (raw)
Today, git grep -l '^ ' failed with a segfault.
I tracked it down to a26345b6085340ebd61e156aa8154a80196bee0f.
Debugging it, I found that look_ahead calls regexec with a "bol"
argument pointing to a buffer that is not NUL-terminated.
Yet regexec requires the NUL-termination. Without that, its
initial strlen will read beyond the end of the buffer.
$ valgrind ./git grep -l '^ '
Memcheck, a memory error detector
Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
Command: ./git grep -l ^
Conditional jump or move depends on uninitialised value(s)
at 0x4A06318: __GI_strlen (mc_replace_strmem.c:284)
by 0x3AF00C04C4: regexec@@GLIBC_2.3.4 (regexec.c:243)
by 0x496A0A: look_ahead (grep.c:644)
by 0x496D24: grep_buffer_1 (grep.c:726)
by 0x497161: grep_buffer (grep.c:852)
by 0x432720: grep_file (builtin-grep.c:201)
by 0x432854: grep_cache (builtin-grep.c:230)
by 0x433F2F: cmd_grep (builtin-grep.c:621)
by 0x40488D: run_builtin (git.c:257)
by 0x404A28: handle_internal_command (git.c:401)
by 0x404B1D: run_argv (git.c:443)
by 0x404C9A: main (git.c:514)
...
That buffer is read by builtin-grep.c(grep_file) and here's the code.
You can see from the allocation of "sz + 1" and read of one less
that there is already room for the required trailing NUL byte:
sz = xsize_t(st.st_size);
i = open(filename, O_RDONLY);
if (i < 0)
goto err_ret;
data = xmalloc(sz + 1);
if (st.st_size != read_in_full(i, data, sz)) {
error("'%s': short read %s", filename, strerror(errno));
close(i);
free(data);
return 0;
}
close(i);
>>> data[sz] = 0; <====== added line
if (opt->relative && opt->prefix_length)
filename = quote_path_relative(filename, -1, &buf, opt->prefix);
i = grep_buffer(opt, filename, data, sz);
Signed-off-by: Jim Meyering <meyering@redhat.com>
---
This is relative to the head of git's next branch,
d7346b15ca5bda881f5abc37b0844e9b35c8cffc
I noticed the segfault by running the same command in
libvirt's git repository, but it's not consistently reproducible.
builtin-grep.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/builtin-grep.c b/builtin-grep.c
index 4dd5aaf..da854fa 100644
--- a/builtin-grep.c
+++ b/builtin-grep.c
@@ -196,6 +196,7 @@ static int grep_file(struct grep_opt *opt, const char *filename)
return 0;
}
close(i);
+ data[sz] = 0;
if (opt->relative && opt->prefix_length)
filename = quote_path_relative(filename, -1, &buf, opt->prefix);
i = grep_buffer(opt, filename, data, sz);
--
1.6.4.4.1.ga2634
next reply other threads:[~2010-01-18 21:55 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-18 21:55 Jim Meyering [this message]
2010-01-18 22:40 ` [PATCH] grep: don't segfault Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871vhnhydg.fsf@meyering.net \
--to=jim@meyering.net \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.