From: Junio C Hamano <gitster@pobox.com>
To: Andrzej Hunt <andrzej@ahunt.org>
Cc: Miriam Rubio <mirucam@gmail.com>,
	git@vger.kernel.org, Tanushree Tumane <tanushreetumane@gmail.com>,
	Christian Couder <chriscool@tuxfamily.org>
Subject: Re: [PATCH v3 3/4] bisect--helper: reimplement `bisect_run` shell function in C
Date: Wed, 05 May 2021 11:04:04 +0900	[thread overview]
Message-ID: <xmqqzgxa3pij.fsf@gitster.g> (raw)
In-Reply-To: <3771bfc2-e4a4-3c5d-bcf5-673b403358ca@ahunt.org> (Andrzej Hunt's message of "Tue, 4 May 2021 19:26:01 +0200")

Andrzej Hunt <andrzej@ahunt.org> writes:

>> +	struct strbuf command = STRBUF_INIT;
>> +	struct strvec args = STRVEC_INIT;
>> +	struct strvec run_args = STRVEC_INIT;
>> + ...
>> +	run_args.v[0] = xstrdup(command.buf);
>> +	run_args.nr = 1;
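Review bot: `run_args.v[0] = xstrdup(command.buf); run_args.nr = 1;` bypasses the strvec API, so nothing writes the NULL terminator at v[1] that the later run_command_v_opt() call expects, and unless the elided lines allocate it, run_args is still the STRVEC_INIT value with no storage of its own to write into. Use `strvec_push(&run_args, command.buf);` instead (note the `&`); it allocates, copies the string and keeps v[nr] == NULL, so the xstrdup() is unnecessary as well.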
>
> AFAIUI manipulating the strvec directly like this means that we will
> violate the promise that strvec.v is always NULL-terminated. It's 
> probably safer to call 'strvec_push(run_args, command.buf)' instead of
> manipulating v and nr?

True.

> Violating the NULL-termination promise a problem because... (continued
> below)
>
>> +
>> +	while (1) {
>> +		strvec_clear(&args);
>> +		exit = 1;
>> +
>> +		printf(_("running %s"), command.buf);
>> +		res = run_command_v_opt(run_args.v, RUN_USING_SHELL);
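Review bot: `exit = 1;` uses a local named `exit`, which shadows the C library's exit(3) for the rest of the function; a name such as `exit_code` would avoid the confusion. The `run_command_v_opt(run_args.v, RUN_USING_SHELL)` call on the last line also relies on run_args.v being NULL-terminated, which is exactly what the hand-written v/nr update in the previous hunk does not guarantee.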
>
> run_command_v_opt() implicitly expects a NULL-terminated list of
> strings. It's not documented in run_command_v_opt()'s comments,
> however run_command_v_opt() does explain that it's a wrapper around 
> start_command(), which uses child_process, and child_process.argv is
> documented to require a NULL-terminated list.
>
> If argv is not NULL-terminated, we hit a buffer overflow read in
> prepare_shell_cmd(), which can be reproduced by running something
> like:
>
>   make CC=clang-11 SANITIZE=address COPTS="-Og -g" GIT_TEST_OPTS=-v
>   T=t6030-bisect-porcelain.sh test
>
> which results in ASAN reporting this error:
> ...

Thanks for a careful explanation.
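Added example, not code from the patch or from git's own source: a minimal model of strvec (the struct, strvec_push, strvec_clear, build_run_args and the sample entries are all constructed here) showing why writing v[0] and nr by hand breaks the NULL-terminator promise that run_command's argv consumers rely on, while strvec_push keeps it.

```c
#define _POSIX_C_SOURCE 200809L       /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Constructed for this example, not git's code: a minimal strvec that
 * keeps git's promise that v[nr] == NULL at all times. */
struct strvec { const char **v; size_t nr, alloc; };

static void strvec_push(struct strvec *a, const char *s)
{
	if (a->nr + 2 > a->alloc) {   /* room for the entry and the NULL */
		a->alloc = a->alloc ? 2 * a->alloc : 4;
		a->v = realloc(a->v, a->alloc * sizeof(*a->v));
		if (!a->v) abort();
	}
	a->v[a->nr++] = strdup(s);    /* push copies; no xstrdup() by the caller */
	a->v[a->nr] = NULL;           /* re-establish the terminator */
}

static void strvec_clear(struct strvec *a)
{
	while (a->nr) free((char *)a->v[--a->nr]);
	free(a->v); a->v = NULL; a->alloc = 0;
}

/* Build run_args for `command`; by_hand reproduces the patch's direct writes
 * to v[0] and nr. Returns the argc a child_process consumer would see by
 * walking argv to NULL (nr is never consulted), or -1 if v[nr] is not NULL. */
static long build_run_args(const char *command, int by_hand)
{
	struct strvec run_args = { 0 };
	long n;
	/* Two entries first, so the by-hand case is observable without reading
	 * past the buffer (on a fresh STRVEC_INIT it would run off the end). */
	strvec_push(&run_args, "old");
	strvec_push(&run_args, "stale");
	if (by_hand) {
		free((char *)run_args.v[0]);
		run_args.v[0] = strdup(command);
		run_args.nr = 1;          /* v[1] is still "stale", not NULL */
	} else {
		strvec_clear(&run_args);
		strvec_push(&run_args, command);
	}
	n = run_args.v[run_args.nr] ? -1 : 0;
	while (n >= 0 && run_args.v[n]) n++;
	if (by_hand) run_args.nr = 2; /* so clear() frees both entries */
	strvec_clear(&run_args);
	return n;
}
```

Calling `build_run_args(cmd, 0)` returns 1, the single argument the child should see, while `build_run_args(cmd, 1)` returns -1 because v[nr] is not the NULL sentinel.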

Thread overview: 11+ messages
2021-04-11  9:55 [PATCH v3 0/4] Finish converting git bisect to C part 4 Miriam Rubio
2021-04-11  9:55 ` [PATCH v3 1/4] run-command: make `exists_in_PATH()` non-static Miriam Rubio
2021-04-11  9:55 ` [PATCH v3 2/4] bisect--helper: reimplement `bisect_visualize()`shell function in C Miriam Rubio
2021-04-11 20:22   ` Junio C Hamano
2021-04-11  9:55 ` [PATCH v3 3/4] bisect--helper: reimplement `bisect_run` shell " Miriam Rubio
2021-04-11 20:31   ` Junio C Hamano
2021-04-11 20:33     ` Junio C Hamano
2021-05-05  9:04     ` Christian Couder
2021-05-04 17:26   ` Andrzej Hunt
2021-05-05  2:04     ` Junio C Hamano [this message]
2021-04-11  9:55 ` [PATCH v3 4/4] bisect--helper: retire `--bisect-next-check` subcommand Miriam Rubio