From: Jeff King <peff@peff.net>
To: Michael Haggerty <mhagger@alum.mit.edu>
Cc: "Junio C Hamano" <gitster@pobox.com>,
git@vger.kernel.org,
=?utf-8?B?Tmd1eeG7hW4gVGjDoWkgTmfhu41jIER1eSA8cGNsb3Vkc0BnbWFpbC5jb20+?=@vger.kernel.org
Subject: Re: [PATCH 0/2] Fix possible buffer overflow in remove_subtree()
Date: Thu, 13 Mar 2014 09:44:09 -0400 [thread overview]
Message-ID: <20140313134409.GA22046@sigill.intra.peff.net> (raw)
In-Reply-To: <1394702348-6433-1-git-send-email-mhagger@alum.mit.edu>
On Thu, Mar 13, 2014 at 10:19:06AM +0100, Michael Haggerty wrote:
> These patches are proposed for maint (but also apply cleanly to
> master).
>
> I presume that this is exploitable via Git commands, though I haven't
> verified it explicitly [1].
It's possible to overflow this buffer, like:
git init repo && cd repo &&
blob=$(git hash-object -w /dev/null) &&
big=$(perl -e 'print "a" x 250')
(for i in $(seq 1 17); do mkdir $big && cd $big; done)
printf "100644 blob $blob\t$big\n" >tree &&
tree=$(git mktree <tree) &&
git read-tree $tree &&
git checkout-index -f --all
but I'm not sure if it is easily exploitable for two reasons:
1. We never actually return from the function with the smashed stack.
Immediately after overflowing the buffer, we call lstat(), which
will fail with ENAMETOOLONG (at least on Linux), causing us to call
into die_errno and exit.
2. The overflow relies on us trying to move a very deep hierarchy out
of the way, but I could not convince git to _create_ such a
hierarchy in the first place. Here I do it using relative paths and
recursion, but git generally tries to create paths from the top of
the repo using full pathnames. So it gets ENAMETOOLONG trying to
create the paths in the first place.
Of course somebody may be more clever than I am, or perhaps some systems
have a PATH_MAX that is not enforced by the kernel. It's still a
suspicious bit of code, and I think your patches are a strict
improvement. Besides fixing this potential problem, I notice that we
currently put 4096 bytes on the stack for a recursive function. Removing
"a/a/a..." can put up to 8M on the stack, which might be too much on
some systems (besides just being silly and wasteful).
-Peff
prev parent reply other threads:[~2014-03-13 13:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-13 9:19 [PATCH 0/2] Fix possible buffer overflow in remove_subtree() Michael Haggerty
2014-03-13 9:19 ` [PATCH 1/2] checkout_entry(): use the strbuf throughout the function Michael Haggerty
2014-03-13 11:22 ` Duy Nguyen
2014-03-13 9:19 ` [PATCH 2/2] entry.c: fix possible buffer overflow in remove_subtree() Michael Haggerty
2014-03-13 11:29 ` Duy Nguyen
2014-03-13 13:44 ` Jeff King [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140313134409.GA22046@sigill.intra.peff.net \
--to=peff@peff.net \
--cc==?utf-8?B?Tmd1eeG7hW4gVGjDoWkgTmfhu41jIER1eSA8cGNsb3Vkc0BnbWFpbC5jb20+?=@vger.kernel.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=mhagger@alum.mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).