From: Mike Hommey <mh@glandium.org>
To: git@vger.kernel.org
Cc: Jeff King <peff@peff.net>
Subject: use-after-free leads to git-blame writing garbage in error message
Date: Tue, 3 Feb 2015 18:17:15 +0900
Message-ID: <20150203091715.GA25445@glandium.org>

Symptoms:

  $ git blame HEAD -- foo
  fatal: no such path foo in <random garbage>

Expected output:

  $ git blame HEAD -- foo
  fatal: no such path foo in HEAD

Bisect says this was introduced in 1da1e07c835e900337714cfad6c32a8dc0b36ac3

valgrind output looks like this:

==4738== Memcheck, a memory error detector
==4738== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4738== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4738== Command: ./git-blame HEAD -- foo
==4738==
==4738== Invalid read of size 1
==4738==    at 0x58B6F00: vfprintf (vfprintf.c:1636)
==4738==    by 0x58E1298: vsnprintf (vsnprintf.c:119)
==4738==    by 0x5107ED: vreportf (usage.c:12)
==4738==    by 0x510823: die_builtin (usage.c:36)
==4738==    by 0x510A82: die (usage.c:103)
==4738==    by 0x41318F: cmd_blame (blame.c:2716)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738==  Address 0x5f042d0 is 0 bytes inside a block of size 5 free'd
==4738==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==4738==    by 0x4C1621: object_array_release_entry.isra.0 (object.c:354)
==4738==    by 0x4C1F73: object_array_clear (object.c:380)
==4738==    by 0x4E8E05: prepare_revision_walk (revision.c:2739)
==4738==    by 0x41153E: cmd_blame (blame.c:2705)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738==
==4738== Invalid read of size 1
==4738==    at 0x58E50D0: _IO_default_xsputn (genops.c:475)
==4738==    by 0x58B6EC1: vfprintf (vfprintf.c:1636)
==4738==    by 0x58E1298: vsnprintf (vsnprintf.c:119)
==4738==    by 0x5107ED: vreportf (usage.c:12)
==4738==    by 0x510823: die_builtin (usage.c:36)
==4738==    by 0x510A82: die (usage.c:103)
==4738==    by 0x41318F: cmd_blame (blame.c:2716)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738==  Address 0x5f042d0 is 0 bytes inside a block of size 5 free'd
==4738==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==4738==    by 0x4C1621: object_array_release_entry.isra.0 (object.c:354)
==4738==    by 0x4C1F73: object_array_clear (object.c:380)
==4738==    by 0x4E8E05: prepare_revision_walk (revision.c:2739)
==4738==    by 0x41153E: cmd_blame (blame.c:2705)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738==
==4738== Invalid read of size 1
==4738==    at 0x58E50DE: _IO_default_xsputn (genops.c:474)
==4738==    by 0x58B6EC1: vfprintf (vfprintf.c:1636)
==4738==    by 0x58E1298: vsnprintf (vsnprintf.c:119)
==4738==    by 0x5107ED: vreportf (usage.c:12)
==4738==    by 0x510823: die_builtin (usage.c:36)
==4738==    by 0x510A82: die (usage.c:103)
==4738==    by 0x41318F: cmd_blame (blame.c:2716)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738==  Address 0x5f042d2 is 2 bytes inside a block of size 5 free'd
==4738==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==4738==    by 0x4C1621: object_array_release_entry.isra.0 (object.c:354)
==4738==    by 0x4C1F73: object_array_clear (object.c:380)
==4738==    by 0x4E8E05: prepare_revision_walk (revision.c:2739)
==4738==    by 0x41153E: cmd_blame (blame.c:2705)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738==
fatal: no such path foo in HEAD
==4738==
==4738== HEAP SUMMARY:
==4738==     in use at exit: 733,417 bytes in 807 blocks
==4738==   total heap usage: 1,505 allocs, 698 frees, 915,428 bytes allocated
==4738==
==4738== LEAK SUMMARY:
==4738==    definitely lost: 0 bytes in 0 blocks
==4738==    indirectly lost: 0 bytes in 0 blocks
==4738==      possibly lost: 0 bytes in 0 blocks
==4738==    still reachable: 733,417 bytes in 807 blocks
==4738==         suppressed: 0 bytes in 0 blocks
==4738== Rerun with --leak-check=full to see details of leaked memory
==4738==
==4738== For counts of detected and suppressed errors, rerun with: -v
==4738== ERROR SUMMARY: 9 errors from 3 contexts (suppressed: 0 from 0)

Cheers,
Mike
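The valgrind trace above records a classic ownership mistake: the name of a pending revision is owned by git's object array, `prepare_revision_walk()` clears that array (freeing the names), and `cmd_blame()` then formats a borrowed pointer to the freed name into the `die()` message. The following is an added example, not git's code and not the author's, that models the same lifetime in a few dozen lines and shows the mitigation of copying the string before the array that owns it is cleared. The struct and function names (`entry_array`, `array_push`, `array_clear`, `prepare_walk`, `blame_error_message`) are hypothetical stand-ins for the git functions named in the trace.

```c
/*
 * Added example (hypothetical names, not git's code): entry names are owned by
 * the array, so clearing the array frees them, and a pointer borrowed from an
 * entry before the clear dangles afterwards. The fix shown is to duplicate the
 * string the caller still needs before the owning array goes away.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct entry {
	char *name;             /* owned by the array; freed by array_clear() */
};

struct entry_array {
	struct entry *items;
	size_t nr;
};

/* Owned copy of a string; aborts on allocation failure. */
static char *copy_or_abort(const char *s)
{
	size_t len = strlen(s) + 1;
	char *copy = malloc(len);
	if (!copy)
		abort();
	memcpy(copy, s, len);
	return copy;
}

static void array_push(struct entry_array *a, const char *name)
{
	struct entry *grown = realloc(a->items, (a->nr + 1) * sizeof(*grown));
	if (!grown)
		abort();
	a->items = grown;
	a->items[a->nr++].name = copy_or_abort(name);
}

/* Frees every entry's name and the backing storage (like object_array_clear()). */
void array_clear(struct entry_array *a)
{
	for (size_t i = 0; i < a->nr; i++)
		free(a->items[i].name);
	free(a->items);
	a->items = NULL;
	a->nr = 0;
}

/* Stand-in for prepare_revision_walk(): consumes and clears the pending list. */
static void prepare_walk(struct entry_array *pending)
{
	array_clear(pending);
}

/*
 * The buggy sequence the trace shows, as a comment only (running it is
 * undefined behaviour and is exactly what valgrind flagged):
 *
 *     const char *final_commit_name = pending.items[0].name;   // borrowed
 *     prepare_walk(&pending);          // frees what final_commit_name points at
 *     die("no such path %s in %s", path, final_commit_name);   // reads freed memory
 */

#define NO_PATH_FMT "no such path %s in %s"

/*
 * Fixed sequence: take an owned copy of the revision name before the walk
 * frees the entry. Returns a malloc'd message that the caller frees.
 */
char *blame_error_message(const char *path, const char *rev)
{
	struct entry_array pending = { NULL, 0 };
	array_push(&pending, rev);

	char *final_commit_name = copy_or_abort(pending.items[0].name);

	prepare_walk(&pending);  /* pending.items is gone; our copy is still valid */

	int len = snprintf(NULL, 0, NO_PATH_FMT, path, final_commit_name);
	if (len < 0)
		abort();
	char *msg = malloc((size_t)len + 1);
	if (!msg)
		abort();
	snprintf(msg, (size_t)len + 1, NO_PATH_FMT, path, final_commit_name);
	free(final_commit_name);
	return msg;
}

int main(void)
{
	char *msg = blame_error_message("foo", "HEAD");
	fprintf(stderr, "fatal: %s\n", msg);  /* prints: fatal: no such path foo in HEAD */
	free(msg);
	return 0;
}
```

Building the example with `-fsanitize=address` or running it under valgrind with the commented-out borrowed pointer restored reproduces a read-after-free report of the same shape as the one in the mail; with the copy in place both tools are clean, which is the quickest regression check for this class of bug.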