From: Jeff King <peff@peff.net>
To: Luat Nguyen <root@l4w.io>
Cc: git@vger.kernel.org
Subject: Re: security: potential out-of-bound read at ewah_io.c |ewah_read_mmap|
Date: Thu, 14 Jun 2018 23:28:51 -0400 [thread overview]
Message-ID: <20180615032850.GA23241@sigill.intra.peff.net> (raw)
In-Reply-To: <2067D731-C415-4D19-8CDA-90D7DC638397@l4w.io>
On Fri, Jun 15, 2018 at 06:59:43AM +0800, Luat Nguyen wrote:
> Recently, I’ve found a security issue related to out-of-bound read at function named `ewah_read_mmap`
Thanks, this is definitely a bug worth addressing. But note...
> Assume that, an attacker can put malicious `./git/index` into a repo by somehow.
We generally don't consider .git/index (or pack .bitmap files, which
also use this implementation) to be a major part of Git's attack
surface, since they are generated locally. And if you can write to
somebody's .git directory, there are already much easier ways to execute
arbitrary code.
> Since there is lack of check whether the remaining size of `ptr`is
> equal to `buffer_size` or not.
Yep. We also fail to check if we even have enough bytes to read the
buffer_size in the first place.
Here are some patches. The first one fixes the problem you found. The
second one drops some dead code that has a related problem. And the
third just drops some dead code that I noticed in the same file. :)
[1/3]: ewah_read_mmap: bounds-check mmap reads
[2/3]: ewah: drop ewah_deserialize function
[3/3]: ewah: drop ewah_serialize_native function
ewah/ewah_io.c | 106 ++++++++--------------------------------
ewah/ewok.h | 4 +-
t/t5310-pack-bitmaps.sh | 13 +++++
3 files changed, 35 insertions(+), 88 deletions(-)
-Peff
next prev parent reply other threads:[~2018-06-15 3:28 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-14 22:59 security: potential out-of-bound read at ewah_io.c |ewah_read_mmap| Luat Nguyen
2018-06-15 3:28 ` Jeff King [this message]
2018-06-15 3:31 ` [PATCH 1/3] ewah_read_mmap: bounds-check mmap reads Jeff King
2018-06-15 9:14 ` SZEDER Gábor
2018-06-15 16:20 ` Junio C Hamano
2018-06-15 17:10 ` SZEDER Gábor
2018-06-15 17:21 ` Jeff King
2018-06-15 19:42 ` Junio C Hamano
2018-06-15 17:05 ` Junio C Hamano
2018-06-15 17:26 ` Jeff King
2018-06-15 19:44 ` Junio C Hamano
2018-06-16 14:35 ` SZEDER Gábor
2018-06-16 19:14 ` Jeff King
2018-06-15 3:31 ` [PATCH 2/3] ewah: drop ewah_deserialize function Jeff King
2018-06-15 3:32 ` [PATCH 3/3] ewah: drop ewah_serialize_native function Jeff King
2018-06-15 13:56 ` Ramsay Jones
2018-06-15 14:07 ` Ramsay Jones
2018-06-15 14:30 ` [PATCH 0/8] Delete unused methods in EWAH bitmap Derrick Stolee
2018-06-15 14:30 ` [PATCH 1/8] ewah/bitmap.c: delete unused 'bitmap_clear()' Derrick Stolee
2018-06-15 14:46 ` Ramsay Jones
2018-06-15 15:11 ` Derrick Stolee
2018-06-15 14:30 ` [PATCH 2/8] ewah/bitmap.c: delete unused 'bitmap_each_bit()' Derrick Stolee
2018-06-15 15:03 ` Ramsay Jones
2018-06-15 14:30 ` [PATCH 3/8] ewah_bitmap: delete unused 'ewah_and()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 4/8] ewah_bitmap: delete unused 'ewah_and_not()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 5/8] ewah_bitmap: delete unused 'ewah_not()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 6/8] ewah_bitmap: delete unused 'ewah_or()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 7/8] ewah_io: delete unused 'ewah_serialize()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 8/8] ewah_io: delete unused 'ewah_serialize_native()' Derrick Stolee
2018-06-15 15:01 ` Ramsay Jones
2018-06-15 15:10 ` Derrick Stolee
2018-06-15 14:35 ` [PATCH 0/8] Delete unused methods in EWAH bitmap Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 0/7] " Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 1/7] ewah/bitmap.c: delete unused 'bitmap_clear()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 2/7] ewah/bitmap.c: delete unused 'bitmap_each_bit()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 3/7] ewah_bitmap: delete unused 'ewah_and()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 4/7] ewah_bitmap: delete unused 'ewah_and_not()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 5/7] ewah_bitmap: delete unused 'ewah_not()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 6/7] ewah_bitmap: delete unused 'ewah_or()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 7/7] ewah_io: delete unused 'ewah_serialize()' Derrick Stolee
2018-06-15 18:51 ` [PATCH v2 0/7] Delete unused methods in EWAH bitmap Junio C Hamano
2018-06-15 18:56 ` Derrick Stolee
2018-06-15 19:48 ` Junio C Hamano
2018-06-15 20:35 ` Jeff King
2018-06-15 14:15 ` [PATCH 3/3] ewah: drop ewah_serialize_native function Derrick Stolee
2018-06-15 17:51 ` Jeff King
2018-06-15 18:33 ` Junio C Hamano
2018-06-15 18:46 ` Jeff King
2018-06-15 3:44 ` [PATCH 4/3] ewah: adjust callers of ewah_read_mmap() Jeff King
2018-06-15 11:23 ` Derrick Stolee
2018-06-15 16:41 ` Junio C Hamano
2018-06-15 17:31 ` Jeff King
2018-06-15 18:23 ` Derrick Stolee
2018-06-15 20:38 ` Jeff King
2018-06-15 17:12 ` Junio C Hamano
2018-06-15 16:11 ` security: potential out-of-bound read at ewah_io.c |ewah_read_mmap| Junio C Hamano
2018-06-19 19:00 ` Dyer, Edwin
2018-06-19 19:56 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180615032850.GA23241@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=root@l4w.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).