From: Derrick Stolee <stolee@gmail.com>
To: Jeff King <peff@peff.net>,
Derrick Stolee via GitGitGadget <gitgitgadget@gmail.com>
Cc: git@vger.kernel.org, gitster@pobox.com, ps@pks.im
Subject: Re: [PATCH] line-log: protect inner strbuf from free
Date: Wed, 2 Oct 2024 22:36:33 -0400 [thread overview]
Message-ID: <1fc0d162-9814-4d94-ac67-2ea8e40495f4@gmail.com> (raw)
In-Reply-To: <20241002235639.GB3455554@coredump.intra.peff.net>
On 10/2/24 7:56 PM, Jeff King wrote:
> On Wed, Oct 02, 2024 at 04:07:04PM +0000, Derrick Stolee via GitGitGadget wrote:
...
> Good catch. Your analysis looks correct, though I had two questions I
> managed to answer myself:
>
> 1. This seems like an obvious use-after-free problem. Why didn't we
> catch it sooner? I think the answer is that most uses of the
> output_prefix callback happen via diff_line_prefix(), which was not
> broken by 394affd46d. It's only line-log that was affected.
>
> Building with ASan and running:
>
> ./git log --graph -L :diff_line_prefix:diff.c
>
> shows the problem immediately (and that your patch fixes it).
> Should we include a new test in this patch?
Thank you for sending a test in your second reply. I will include it in v2.
> 2. If the caller isn't freeing it, then who does? Should diffopt
> cleanup do so? The answer is "no", the pointer is not owned by that
> struct. In your cases (1) and (3), the caller does so after
> finishing with the diffopt struct. In case (2) it is effectively
> "leaked", but still reachable by the static strbuf. That's not
> great, and is a problem for eventual libification. But for now, we
> can ignore it as it won't trigger the leak-checker.
I agree with this, including the potential for cleaning up the static
strbuf and using the 'data' parameter like the other functions.
> It does make me wonder what leak Patrick saw that caused him to
> write 394affd46d, and whether we're now leaking in some case that
> I'm missing.
Looking at the change, I can only guess that it was the previous use of
char *prefix = "";
that signaled that an unfreeable string was being assigned to a non-const
pointer. This signals that _something_ is wrong with the function, but
the way that the buffer is returned by the function pointer is suspicious,
too.
> I do think this would have been a harder mistake to make if the callback
> simply returned a "const char *" pointer. We'd lose the ability to show
> prefixes with embedded NULs, but I'm not sure that's a big deal. It
> would also help for line-log to use the existing helper rather than
> inventing its own. So together on top something like this (which I'd
> probably turn into two patches if this seems to others like it's
> valuable and not just churn):
I do agree that changing the return type will make this easier to prevent
and the code should be easier to read as well.
Your diffed patch looks pretty good. I made an attempt at guessing where
you would have split them (first remove the duplicate method, then change
the method prototype and callers).
I even took some time to attempt to remove the static strbuf from
diff_output_prefix_callback() in favor of using the 'data' member of the
diff_options struct, but it was not incredibly obvious how to communicate
ownership of the struct which would need to store both the graph struct
and the strbuf. Perhaps this would be good for #leftoverbits.
Thanks,
-Stolee
next prev parent reply other threads:[~2024-10-03 2:36 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-02 16:07 [PATCH] line-log: protect inner strbuf from free Derrick Stolee via GitGitGadget
2024-10-02 23:56 ` Jeff King
2024-10-03 0:19 ` Jeff King
2024-10-03 2:36 ` Derrick Stolee [this message]
2024-10-03 6:11 ` Jeff King
2024-10-03 12:23 ` Derrick Stolee
2024-10-03 21:02 ` Jeff King
2024-10-03 11:58 ` [PATCH v2 0/3] " Derrick Stolee via GitGitGadget
2024-10-03 11:58 ` [PATCH v2 1/3] " Derrick Stolee via GitGitGadget
2024-10-04 4:32 ` Patrick Steinhardt
2024-10-03 11:58 ` [PATCH v2 2/3] line-log: remove output_prefix() Jeff King via GitGitGadget
2024-10-03 11:58 ` [PATCH v2 3/3] diff: modify output_prefix function pointer Jeff King via GitGitGadget
2024-10-03 16:26 ` Junio C Hamano
2024-10-03 21:05 ` [PATCH 0/5] diff output_prefix cleanups Jeff King
2024-10-03 21:06 ` [PATCH 1/5] line-log: use diff_line_prefix() instead of custom helper Jeff King
2024-10-03 21:06 ` [PATCH 2/5] diff: drop line_prefix_length field Jeff King
2024-10-03 21:09 ` [PATCH 3/5] diff: return const char from output_prefix callback Jeff King
2024-10-03 21:11 ` [PATCH 4/5] diff: return line_prefix directly when possible Jeff King
2024-10-03 21:13 ` [PATCH 5/5] diff: store graph prefix buf in git_graph struct Jeff King
2024-10-03 23:43 ` Junio C Hamano
2024-10-04 4:32 ` Patrick Steinhardt
2024-10-04 19:27 ` [PATCH 0/5] diff output_prefix cleanups Derrick Stolee
2024-10-04 19:31 ` Junio C Hamano
2024-10-04 19:33 ` Derrick Stolee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1fc0d162-9814-4d94-ac67-2ea8e40495f4@gmail.com \
--to=stolee@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
--cc=ps@pks.im \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).