use-after-free leads to git-blame writing garbage in error message

use-after-free leads to git-blame writing garbage in error message

[Mike Hommey]

Symptoms:
  $ git blame HEAD -- foo
  fatal: no such path foo in <random garbage>

Expected output:
  $ git blame HEAD -- foo
  fatal: no such path foo in HEAD

Bisect says this was introduced in 1da1e07c835e900337714cfad6c32a8dc0b36ac3

valgrind output looks like this:
==4738== Memcheck, a memory error detector
==4738== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4738== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4738== Command: ./git-blame HEAD -- foo
==4738== 
==4738== Invalid read of size 1
==4738==    at 0x58B6F00: vfprintf (vfprintf.c:1636)
==4738==    by 0x58E1298: vsnprintf (vsnprintf.c:119)
==4738==    by 0x5107ED: vreportf (usage.c:12)
==4738==    by 0x510823: die_builtin (usage.c:36)
==4738==    by 0x510A82: die (usage.c:103)
==4738==    by 0x41318F: cmd_blame (blame.c:2716)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738==  Address 0x5f042d0 is 0 bytes inside a block of size 5 free'd
==4738==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==4738==    by 0x4C1621: object_array_release_entry.isra.0 (object.c:354)
==4738==    by 0x4C1F73: object_array_clear (object.c:380)
==4738==    by 0x4E8E05: prepare_revision_walk (revision.c:2739)
==4738==    by 0x41153E: cmd_blame (blame.c:2705)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738== 
==4738== Invalid read of size 1
==4738==    at 0x58E50D0: _IO_default_xsputn (genops.c:475)
==4738==    by 0x58B6EC1: vfprintf (vfprintf.c:1636)
==4738==    by 0x58E1298: vsnprintf (vsnprintf.c:119)
==4738==    by 0x5107ED: vreportf (usage.c:12)
==4738==    by 0x510823: die_builtin (usage.c:36)
==4738==    by 0x510A82: die (usage.c:103)
==4738==    by 0x41318F: cmd_blame (blame.c:2716)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738==  Address 0x5f042d0 is 0 bytes inside a block of size 5 free'd
==4738==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==4738==    by 0x4C1621: object_array_release_entry.isra.0 (object.c:354)
==4738==    by 0x4C1F73: object_array_clear (object.c:380)
==4738==    by 0x4E8E05: prepare_revision_walk (revision.c:2739)
==4738==    by 0x41153E: cmd_blame (blame.c:2705)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738== 
==4738== Invalid read of size 1
==4738==    at 0x58E50DE: _IO_default_xsputn (genops.c:474)
==4738==    by 0x58B6EC1: vfprintf (vfprintf.c:1636)
==4738==    by 0x58E1298: vsnprintf (vsnprintf.c:119)
==4738==    by 0x5107ED: vreportf (usage.c:12)
==4738==    by 0x510823: die_builtin (usage.c:36)
==4738==    by 0x510A82: die (usage.c:103)
==4738==    by 0x41318F: cmd_blame (blame.c:2716)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738==  Address 0x5f042d2 is 2 bytes inside a block of size 5 free'd
==4738==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==4738==    by 0x4C1621: object_array_release_entry.isra.0 (object.c:354)
==4738==    by 0x4C1F73: object_array_clear (object.c:380)
==4738==    by 0x4E8E05: prepare_revision_walk (revision.c:2739)
==4738==    by 0x41153E: cmd_blame (blame.c:2705)
==4738==    by 0x405B52: run_builtin (git.c:351)
==4738==    by 0x405B52: handle_builtin (git.c:530)
==4738==    by 0x404C69: main (git.c:653)
==4738== 
fatal: no such path foo in HEAD
==4738== 
==4738== HEAP SUMMARY:
==4738==     in use at exit: 733,417 bytes in 807 blocks
==4738==   total heap usage: 1,505 allocs, 698 frees, 915,428 bytes allocated
==4738== 
==4738== LEAK SUMMARY:
==4738==    definitely lost: 0 bytes in 0 blocks
==4738==    indirectly lost: 0 bytes in 0 blocks
==4738==      possibly lost: 0 bytes in 0 blocks
==4738==    still reachable: 733,417 bytes in 807 blocks
==4738==         suppressed: 0 bytes in 0 blocks
==4738== Rerun with --leak-check=full to see details of leaked memory
==4738== 
==4738== For counts of detected and suppressed errors, rerun with: -v
==4738== ERROR SUMMARY: 9 errors from 3 contexts (suppressed: 0 from 0)

Cheers,

Mike

Re: use-after-free leads to git-blame writing garbage in error message

[Lukas Fleischer]

On Tue, 03 Feb 2015 at 10:17:15, Mike Hommey wrote:
> Symptoms:
>   $ git blame HEAD -- foo
>   fatal: no such path foo in <random garbage>
> 
> Expected output:
>   $ git blame HEAD -- foo
>   fatal: no such path foo in HEAD
> 
> Bisect says this was introduced in 1da1e07c835e900337714cfad6c32a8dc0b36ac3
> [...]

This should be fixed by commit a46442f (blame.c: fix garbled error
message, 2015-01-12) which is in next.

Re: use-after-free leads to git-blame writing garbage in error message

[Mike Hommey]

On Tue, Feb 03, 2015 at 10:32:45AM +0100, Lukas Fleischer wrote:
> On Tue, 03 Feb 2015 at 10:17:15, Mike Hommey wrote:
> > Symptoms: $ git blame HEAD -- foo fatal: no such path foo in <random
> > garbage>
> > 
> > Expected output: $ git blame HEAD -- foo fatal: no such path foo in
> > HEAD
> > 
> > Bisect says this was introduced in
> > 1da1e07c835e900337714cfad6c32a8dc0b36ac3 [...]
> 
> This should be fixed by commit a46442f (blame.c: fix garbled error
> message, 2015-01-12) which is in next.

Indeed it is, I should have checked next.

Thanks.

Mike