From: Michael Haggerty <mhagger@alum.mit.edu>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org, "Jeff King" <peff@peff.net>,
"Nguyễn Thái Ngọc Duy" <pclouds@gmail.com>,
"Michael Haggerty" <mhagger@alum.mit.edu>
Subject: [PATCH 0/2] Fix possible buffer overflow in remove_subtree()
Date: Thu, 13 Mar 2014 10:19:06 +0100 [thread overview]
Message-ID: <1394702348-6433-1-git-send-email-mhagger@alum.mit.edu> (raw)
These patches are proposed for maint (but also apply cleanly to
master).
I presume that this is exploitable via Git commands, though I haven't
verified it explicitly [1].
I *think* that the rest of the file is OK. open_output_fd() initially
looks suspicious, because it strcpy()s a string onto the end of its
path argument. But that is only done when to_tempfile is set, which
in turn is handled consistently up the callstack up to the point where
it is initially set in checkout_entry() if topath is not NULL. So as
long as the caller obeys checkout_entry()'s docstring and passes a
long enough buffer for topath, I think everything is OK. In any case,
the string appended in open_output_fd() is not under the control of
the user, so even if there were a bug in this code path it shouldn't
be exploitable.
[1] For example, it is conceivable that there are some checks when
writing a tree that prevent files with such long names from being
written by Git. But even if so, it is clearly a bug that could be
hit locally on any filesystem where PATH_MAX is not a hard limit.
Michael Haggerty (2):
checkout_entry(): use the strbuf throughout the function
entry.c: fix possible buffer overflow in remove_subtree()
entry.c | 64 ++++++++++++++++++++++++++++++++--------------------------------
1 file changed, 32 insertions(+), 32 deletions(-)
--
1.9.0
next reply other threads:[~2014-03-13 9:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-13 9:19 Michael Haggerty [this message]
2014-03-13 9:19 ` [PATCH 1/2] checkout_entry(): use the strbuf throughout the function Michael Haggerty
2014-03-13 11:22 ` Duy Nguyen
2014-03-13 9:19 ` [PATCH 2/2] entry.c: fix possible buffer overflow in remove_subtree() Michael Haggerty
2014-03-13 11:29 ` Duy Nguyen
2014-03-13 13:44 ` [PATCH 0/2] Fix " Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1394702348-6433-1-git-send-email-mhagger@alum.mit.edu \
--to=mhagger@alum.mit.edu \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=pclouds@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).