* [PATCH 1/2] hash: initialize context before cloning
2026-07-19 1:08 [PATCH 0/2] Rust hash cleanups brian m. carlson
@ 2026-07-19 1:08 ` brian m. carlson
2026-07-19 1:08 ` [PATCH 2/2] rust: discard hash context when finished brian m. carlson
2026-07-19 8:07 ` [PATCH 0/2] Rust hash cleanups Jeff King
2 siblings, 0 replies; 4+ messages in thread
From: brian m. carlson @ 2026-07-19 1:08 UTC (permalink / raw)
To: git; +Cc: Junio C Hamano, Jeff King, Patrick Steinhardt
Our C-based clone helper requires that the context be initialized, but
we neglect to do that in our Clone implementation for CryptoHasher.
This does not matter when using our default block SHA-256
implementation, but it does cause a crash when using OpenSSL as the
backend. Fix this by properly initializing the context before cloning
into it.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
---
src/hash.rs | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/hash.rs b/src/hash.rs
index dea2998de4..4d14e4b4fa 100644
--- a/src/hash.rs
+++ b/src/hash.rs
@@ -181,7 +181,10 @@ impl CryptoDigest for CryptoHasher {
impl Clone for CryptoHasher {
fn clone(&self) -> Self {
let ctx = unsafe { c::git_hash_alloc() };
- unsafe { c::git_hash_clone(ctx, self.ctx) };
+ unsafe {
+ c::git_hash_init(ctx, self.algo.hash_algo_ptr());
+ c::git_hash_clone(ctx, self.ctx)
+ };
Self {
algo: self.algo,
ctx,
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 2/2] rust: discard hash context when finished
2026-07-19 1:08 [PATCH 0/2] Rust hash cleanups brian m. carlson
2026-07-19 1:08 ` [PATCH 1/2] hash: initialize context before cloning brian m. carlson
@ 2026-07-19 1:08 ` brian m. carlson
2026-07-19 8:07 ` [PATCH 0/2] Rust hash cleanups Jeff King
2 siblings, 0 replies; 4+ messages in thread
From: brian m. carlson @ 2026-07-19 1:08 UTC (permalink / raw)
To: git; +Cc: Junio C Hamano, Jeff King, Patrick Steinhardt
When we allocate a context but then abandon it, we never discard it,
which means that the underlying crypto library context may leak. This
doesn't happen with our default block code, but it may with OpenSSL.
Note that we do call git_hash_free, which frees the memory we called
from git_hash_alloc, but doesn't discard the underlying context itself.
This can be seen with the following command when compiling with OpenSSL
and running with nightly Rust:
RUSTFLAGS='-Z sanitizer=leak' cargo test
Discard the context in our context handler. Note that it is fine to do
so even after finalizing the context, so our final functions which take
self instead of &mut self will not mishandle memory.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
---
src/hash.rs | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/hash.rs b/src/hash.rs
index 4d14e4b4fa..e1f2d31fc3 100644
--- a/src/hash.rs
+++ b/src/hash.rs
@@ -194,7 +194,10 @@ impl Clone for CryptoHasher {
impl Drop for CryptoHasher {
fn drop(&mut self) {
- unsafe { c::git_hash_free(self.ctx) };
+ unsafe {
+ c::git_hash_discard(self.ctx);
+ c::git_hash_free(self.ctx);
+ };
}
}
@@ -356,6 +359,7 @@ pub mod c {
pub fn git_hash_clone(dst: *mut c_void, src: *const c_void);
pub fn git_hash_update(ctx: *mut c_void, inp: *const c_void, len: usize);
pub fn git_hash_final(hash: *mut u8, ctx: *mut c_void);
+ pub fn git_hash_discard(ctx: *mut c_void);
pub fn git_hash_final_oid(hash: *mut c_void, ctx: *mut c_void);
}
}
@@ -450,6 +454,7 @@ mod tests {
h.update(&data[2..]);
let h2 = h.clone();
+ let h3 = h2.clone();
let actual_oid = h.into_oid();
assert_eq!(**oid, actual_oid);
@@ -463,6 +468,7 @@ mod tests {
let actual_oid = h.into_oid();
assert_eq!(**oid, actual_oid);
+ std::mem::drop(h3);
}
}
}
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH 0/2] Rust hash cleanups
2026-07-19 1:08 [PATCH 0/2] Rust hash cleanups brian m. carlson
2026-07-19 1:08 ` [PATCH 1/2] hash: initialize context before cloning brian m. carlson
2026-07-19 1:08 ` [PATCH 2/2] rust: discard hash context when finished brian m. carlson
@ 2026-07-19 8:07 ` Jeff King
2 siblings, 0 replies; 4+ messages in thread
From: Jeff King @ 2026-07-19 8:07 UTC (permalink / raw)
To: brian m. carlson; +Cc: git, Junio C Hamano, Patrick Steinhardt
On Sun, Jul 19, 2026 at 01:08:40AM +0000, brian m. carlson wrote:
> Peff recently sent out a series to fix several memory leaks with our
> hashing code when not using the default block algorithm. This series
> follows up with a few fixes to our Rust hash code, which calls the C
> code, to fix various memory problems.
Both of these look good to me (modulo my almost-zero knowledge of the
Rust bits).
I was worried at first that I had introduced new problems with my fixes,
but I think these are both pre-existing issues (really just variants of
the cleanups I did in the C code).
For patch 1, an alternative is to switch git_hash_clone() to _not_
require initialization. But it introduces the leak problem in the
opposite direction. E.g., hashfile_truncate() wants to overwrite
existing state, so it would now need to discard() before cloning. I
doubt it's worth the effort or risk of regression to save the tiny bit
of effort spent on a few init-then-overwrite cases.
So the approach taken here makes sense (and obviously this is just
following the C code's lead anyway).
-Peff
^ permalink raw reply [flat|nested] 4+ messages in thread