From: Jeff King <peff@peff.net>
To: Luat Nguyen <root@l4w.io>
Cc: git@vger.kernel.org
Subject: [PATCH 1/3] ewah_read_mmap: bounds-check mmap reads
Date: Thu, 14 Jun 2018 23:31:13 -0400 [thread overview]
Message-ID: <20180615033112.GA20390@sigill.intra.peff.net> (raw)
In-Reply-To: <20180615032850.GA23241@sigill.intra.peff.net>
The on-disk ewah format tells us how big the ewah data is,
and we blindly read that much from the buffer without
considering whether the mmap'd data is long enough, which
can lead to out-of-bound reads.
Let's make sure we have data available before reading it,
both for the ewah header/footer as well as for the bit data
itself. In particular:
- keep our ptr/len pair in sync as we move through the
buffer, and check it before each read
- check the size for integer overflow (this should be
impossible on 64-bit, as the size is given as a 32-bit
count of 8-byte words, but is possible on a 32-bit
system)
- return the number of bytes read as an ssize_t instead of
an int, again to prevent integer overflow
- compute the return value using a pointer difference;
this should yield the same result as the existing code,
but makes it more obvious that we got our computations
right
The included test is far from comprehensive, as it just
picks a static point at which to truncate the generated
bitmap. But in practice this will hit in the middle of an
ewah and make sure we're at least exercising this code.
Reported-by: Luat Nguyen <root@l4w.io>
Signed-off-by: Jeff King <peff@peff.net>
---
ewah/ewah_io.c | 25 +++++++++++++++++++++----
ewah/ewok.h | 2 +-
t/t5310-pack-bitmaps.sh | 13 +++++++++++++
3 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/ewah/ewah_io.c b/ewah/ewah_io.c
index bed1994551..33c08c40f8 100644
--- a/ewah/ewah_io.c
+++ b/ewah/ewah_io.c
@@ -122,16 +122,23 @@ int ewah_serialize_strbuf(struct ewah_bitmap *self, struct strbuf *sb)
return ewah_serialize_to(self, write_strbuf, sb);
}
-int ewah_read_mmap(struct ewah_bitmap *self, const void *map, size_t len)
+ssize_t ewah_read_mmap(struct ewah_bitmap *self, const void *map, size_t len)
{
const uint8_t *ptr = map;
+ size_t data_len;
size_t i;
+ if (len < sizeof(uint32_t))
+ return error("corrupt ewah bitmap: eof before bit size");
self->bit_size = get_be32(ptr);
ptr += sizeof(uint32_t);
+ len -= sizeof(uint32_t);
+ if (len < sizeof(uint32_t))
+ return error("corrupt ewah bitmap: eof before length");
self->buffer_size = self->alloc_size = get_be32(ptr);
ptr += sizeof(uint32_t);
+ len -= sizeof(uint32_t);
REALLOC_ARRAY(self->buffer, self->alloc_size);
@@ -141,15 +148,25 @@ int ewah_read_mmap(struct ewah_bitmap *self, const void *map, size_t len)
* the endianness conversion in a separate pass to ensure
* we're loading 8-byte aligned words.
*/
- memcpy(self->buffer, ptr, self->buffer_size * sizeof(eword_t));
- ptr += self->buffer_size * sizeof(eword_t);
+ data_len = st_mult(self->buffer_size, sizeof(eword_t));
+ if (len < data_len)
+ return error("corrupt ewah bitmap: eof in data "
+ "(%"PRIuMAX" bytes short)",
+ (uintmax_t)(data_len - len));
+ memcpy(self->buffer, ptr, data_len);
+ ptr += data_len;
+ len -= data_len;
for (i = 0; i < self->buffer_size; ++i)
self->buffer[i] = ntohll(self->buffer[i]);
+ if (len < sizeof(uint32_t))
+ return error("corrupt ewah bitmap: eof before rlw");
self->rlw = self->buffer + get_be32(ptr);
+ ptr += sizeof(uint32_t);
+ len -= sizeof(uint32_t);
- return (3 * 4) + (self->buffer_size * 8);
+ return ptr - (const uint8_t *)map;
}
int ewah_deserialize(struct ewah_bitmap *self, int fd)
diff --git a/ewah/ewok.h b/ewah/ewok.h
index dc43d05b64..357fd93c84 100644
--- a/ewah/ewok.h
+++ b/ewah/ewok.h
@@ -91,7 +91,7 @@ int ewah_serialize_native(struct ewah_bitmap *self, int fd);
int ewah_serialize_strbuf(struct ewah_bitmap *self, struct strbuf *);
int ewah_deserialize(struct ewah_bitmap *self, int fd);
-int ewah_read_mmap(struct ewah_bitmap *self, const void *map, size_t len);
+ssize_t ewah_read_mmap(struct ewah_bitmap *self, const void *map, size_t len);
uint32_t ewah_checksum(struct ewah_bitmap *self);
diff --git a/t/t5310-pack-bitmaps.sh b/t/t5310-pack-bitmaps.sh
index 423c0a475f..237ee6e5fc 100755
--- a/t/t5310-pack-bitmaps.sh
+++ b/t/t5310-pack-bitmaps.sh
@@ -331,4 +331,17 @@ test_expect_success 'pack reuse respects --incremental' '
git show-index <empty.idx >actual &&
test_cmp expect actual
'
+
+test_expect_success 'truncated bitmap fails gracefully' '
+ git repack -ad &&
+ git rev-list --use-bitmap-index --count --all >expect &&
+ bitmap=$(ls .git/objects/pack/*.bitmap) &&
+ test_when_finished "rm -f $bitmap" &&
+ head -c 512 <$bitmap >$bitmap.tmp &&
+ mv $bitmap.tmp $bitmap &&
+ git rev-list --use-bitmap-index --count --all >actual 2>stderr &&
+ test_cmp expect actual &&
+ test_i18ngrep corrupt stderr
+'
+
test_done
--
2.18.0.rc2.534.g53d976aeb8
next prev parent reply other threads:[~2018-06-15 3:31 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-14 22:59 security: potential out-of-bound read at ewah_io.c |ewah_read_mmap| Luat Nguyen
2018-06-15 3:28 ` Jeff King
2018-06-15 3:31 ` Jeff King [this message]
2018-06-15 9:14 ` [PATCH 1/3] ewah_read_mmap: bounds-check mmap reads SZEDER Gábor
2018-06-15 16:20 ` Junio C Hamano
2018-06-15 17:10 ` SZEDER Gábor
2018-06-15 17:21 ` Jeff King
2018-06-15 19:42 ` Junio C Hamano
2018-06-15 17:05 ` Junio C Hamano
2018-06-15 17:26 ` Jeff King
2018-06-15 19:44 ` Junio C Hamano
2018-06-16 14:35 ` SZEDER Gábor
2018-06-16 19:14 ` Jeff King
2018-06-15 3:31 ` [PATCH 2/3] ewah: drop ewah_deserialize function Jeff King
2018-06-15 3:32 ` [PATCH 3/3] ewah: drop ewah_serialize_native function Jeff King
2018-06-15 13:56 ` Ramsay Jones
2018-06-15 14:07 ` Ramsay Jones
2018-06-15 14:30 ` [PATCH 0/8] Delete unused methods in EWAH bitmap Derrick Stolee
2018-06-15 14:30 ` [PATCH 1/8] ewah/bitmap.c: delete unused 'bitmap_clear()' Derrick Stolee
2018-06-15 14:46 ` Ramsay Jones
2018-06-15 15:11 ` Derrick Stolee
2018-06-15 14:30 ` [PATCH 2/8] ewah/bitmap.c: delete unused 'bitmap_each_bit()' Derrick Stolee
2018-06-15 15:03 ` Ramsay Jones
2018-06-15 14:30 ` [PATCH 3/8] ewah_bitmap: delete unused 'ewah_and()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 4/8] ewah_bitmap: delete unused 'ewah_and_not()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 5/8] ewah_bitmap: delete unused 'ewah_not()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 6/8] ewah_bitmap: delete unused 'ewah_or()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 7/8] ewah_io: delete unused 'ewah_serialize()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 8/8] ewah_io: delete unused 'ewah_serialize_native()' Derrick Stolee
2018-06-15 15:01 ` Ramsay Jones
2018-06-15 15:10 ` Derrick Stolee
2018-06-15 14:35 ` [PATCH 0/8] Delete unused methods in EWAH bitmap Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 0/7] " Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 1/7] ewah/bitmap.c: delete unused 'bitmap_clear()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 2/7] ewah/bitmap.c: delete unused 'bitmap_each_bit()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 3/7] ewah_bitmap: delete unused 'ewah_and()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 4/7] ewah_bitmap: delete unused 'ewah_and_not()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 5/7] ewah_bitmap: delete unused 'ewah_not()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 6/7] ewah_bitmap: delete unused 'ewah_or()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 7/7] ewah_io: delete unused 'ewah_serialize()' Derrick Stolee
2018-06-15 18:51 ` [PATCH v2 0/7] Delete unused methods in EWAH bitmap Junio C Hamano
2018-06-15 18:56 ` Derrick Stolee
2018-06-15 19:48 ` Junio C Hamano
2018-06-15 20:35 ` Jeff King
2018-06-15 14:15 ` [PATCH 3/3] ewah: drop ewah_serialize_native function Derrick Stolee
2018-06-15 17:51 ` Jeff King
2018-06-15 18:33 ` Junio C Hamano
2018-06-15 18:46 ` Jeff King
2018-06-15 3:44 ` [PATCH 4/3] ewah: adjust callers of ewah_read_mmap() Jeff King
2018-06-15 11:23 ` Derrick Stolee
2018-06-15 16:41 ` Junio C Hamano
2018-06-15 17:31 ` Jeff King
2018-06-15 18:23 ` Derrick Stolee
2018-06-15 20:38 ` Jeff King
2018-06-15 17:12 ` Junio C Hamano
2018-06-15 16:11 ` security: potential out-of-bound read at ewah_io.c |ewah_read_mmap| Junio C Hamano
2018-06-19 19:00 ` Dyer, Edwin
2018-06-19 19:56 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180615033112.GA20390@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=root@l4w.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).