From: Jeff King <peff@peff.net>
To: Jann Horn <jannh@google.com>
Cc: git@vger.kernel.org, gitster@pobox.com,
"Nguyễn Thái Ngọc Duy" <pclouds@gmail.com>,
"Johannes Schindelin" <johannes.schindelin@gmx.de>,
"Nicolas Pitre" <nico@cam.org>
Subject: Re: [PATCH 1/3] patch-delta: fix oob read
Date: Wed, 29 Aug 2018 18:18:38 -0400 [thread overview]
Message-ID: <20180829221838.GA10400@sigill.intra.peff.net> (raw)
In-Reply-To: <20180829212025.GB29880@sigill.intra.peff.net>
On Wed, Aug 29, 2018 at 05:20:25PM -0400, Jeff King wrote:
> Nice catch. The patch looks good to me, but just to lay out my thought
> process looking for other related problems:
>
> We have two types of instructions:
>
> 1. Take N bytes from position P within the source.
>
> 2. Take the next N bytes from the delta stream.
>
> In both cases we need to check that:
>
> a. We have enough space in the destination buffer.
>
> b. We have enough source bytes.
Actually, there's one other case to consider: reading the actual offset
for a copy operation. E.g., if we see '0x80' at the end of the delta,
I think we'd read garbage into cp_offset? That would typically generate
nonsense that would be caught by the other checks, but I think it's
possible that the memory could happen to produce a valid copy
instruction from the base, leading to a confusing result (though it
would still need to match the expected result size).
Thinking on it more, one other interesting tidbit here: in actual git
code (i.e., not test-delta), we'd always be reading from an mmap'd
packfile. And we're guaranteed to have at least 20 trailing bytes in the
mmap due to the pack format (which is enforced when we parse the pack).
So I don't think this can ever read truly out-of-bounds memory, though
obviously it's something we should fix regardless.
-Peff
next prev parent reply other threads:[~2018-08-29 22:18 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-29 20:58 [PATCH 1/3] patch-delta: fix oob read Jann Horn
2018-08-29 20:58 ` [PATCH 2/3] t/helper/test-delta: segfault on OOB access Jann Horn
2018-08-29 21:34 ` Jeff King
2018-08-29 21:40 ` Jann Horn
2018-08-29 21:46 ` Jeff King
2018-08-29 21:48 ` Jeff King
2018-08-29 20:58 ` [PATCH 3/3] t5303: add tests for corrupted deltas Jann Horn
2018-08-29 22:03 ` Jeff King
2018-08-29 22:30 ` Jeff King
2018-08-29 21:20 ` [PATCH 1/3] patch-delta: fix oob read Jeff King
2018-08-29 22:18 ` Jeff King [this message]
2018-08-30 7:05 ` [PATCH 0/5] handle corruption in patch-delta Jeff King
2018-08-30 7:07 ` [PATCH 1/5] test-delta: read input into a heap buffer Jeff King
2018-08-30 7:09 ` [PATCH 2/5] t5303: test some corrupt deltas Jeff King
2018-08-30 17:38 ` Junio C Hamano
2018-08-30 18:42 ` Jeff King
2018-08-30 18:44 ` Jeff King
2018-08-30 18:50 ` Junio C Hamano
2018-08-30 19:13 ` Jeff King
2018-08-31 9:58 ` Johannes Schindelin
2018-08-31 15:33 ` Junio C Hamano
2018-08-31 19:47 ` Jeff King
2018-08-31 21:39 ` Junio C Hamano
2018-08-31 21:14 ` Johannes Schindelin
2018-08-31 21:41 ` Jeff King
2018-08-31 21:55 ` Junio C Hamano
2018-08-30 7:09 ` [PATCH 3/5] patch-delta: fix oob read Jeff King
2018-08-30 7:10 ` [PATCH 4/5] patch-delta: consistently report corruption Jeff King
2018-08-30 7:12 ` [PATCH 5/5] patch-delta: handle truncated copy parameters Jeff King
2018-08-30 13:25 ` [PATCH 0/5] handle corruption in patch-delta Jann Horn
2018-08-30 15:23 ` Nicolas Pitre
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180829221838.GA10400@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jannh@google.com \
--cc=johannes.schindelin@gmx.de \
--cc=nico@cam.org \
--cc=pclouds@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).