From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: "René Scharfe" <l.s.r@web.de>
Cc: git@vger.kernel.org, "Junio C Hamano" <gitster@pobox.com>,
"Carlo Marcelo Arenas Belón" <carenas@gmail.com>,
"Han-Wen Nienhuys" <hanwen@google.com>
Subject: Re: [RFC PATCH 2/2] reftable: don't memset() a NULL from failed malloc()
Date: Fri, 15 Apr 2022 15:53:43 +0200 [thread overview]
Message-ID: <220415.86fsmebgds.gmgdl@evledraar.gmail.com> (raw)
In-Reply-To: <4321a9dd-bb82-e2fe-5449-395f998378c5@web.de>
On Fri, Apr 15 2022, René Scharfe wrote:
> Am 15.04.22 um 12:21 schrieb Ævar Arnfjörð Bjarmason:
>> Return NULL instead of possibly feeding a NULL to memset() in
>> reftable_calloc(). This issue was noted by GCC 12's -fanalyzer:
>>
>> reftable/publicbasics.c: In function ‘reftable_calloc’:
>> reftable/publicbasics.c:43:9: error: use of possibly-NULL ‘p’ where non-null expected [CWE-690] [-Werror=analyzer-possible-null-argument]
>> 43 | memset(p, 0, sz);
>> | ^~~~~~~~~~~~~~~~
>> [...]
>>
>> This bug has been with us ever since this code was added in
>> ef8a6c62687 (reftable: utility functions, 2021-10-07).
>
> Not sure it's a bug, or limited to this specific location. AFAICS it's
> more a general lack of handling of allocation failures in the reftable
> code. Perhaps it was a conscious decision to let the system deal with
> them via segfaults?
I think it's just buggy, it tries to deal with malloc returning NULL in
other contexts.
> When the code is used by Git eventually it should use xmalloc and
> xrealloc instead of calling malloc(3) and realloc(3) directly, to
> handle allocation failures explicitly, and to support GIT_ALLOC_LIMIT.
> This will calm down the analyzer and extend the safety to the rest of
> the reftable code, not just this memset call.
Yeah, its whole custom malloc handling should go away.
>>
>> Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
>> ---
>> reftable/publicbasics.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/reftable/publicbasics.c b/reftable/publicbasics.c
>> index 0ad7d5c0ff2..a18167f5ab7 100644
>> --- a/reftable/publicbasics.c
>> +++ b/reftable/publicbasics.c
>> @@ -40,6 +40,8 @@ void reftable_free(void *p)
>> void *reftable_calloc(size_t sz)
>> {
>> void *p = reftable_malloc(sz);
>> + if (!p)
>> + return NULL;
>> memset(p, 0, sz);
>
> This function is calloc(3) reimplemented, except it can't make use of
> pre-zero'd blocks of memory and doesn't multiply element size and count
> for the caller while checking for overflow, making it slower and harder
> to use securely. :-/
*nod*, this is really just re-arranging the deck chairs.
Maybe Han-Wen had something in mind, but I really don't see the point of
having it use malloc wrappers at all, as opposed to just having the
linker point it to the right "malloc".
So if it needs to be used outside of git.git it would just need the
trivial xmalloc() etc. wrappers.
next prev parent reply other threads:[~2022-04-15 13:55 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-15 7:02 [PATCH] reftable: avoid undefined behaviour breaking t0032 Carlo Marcelo Arenas Belón
2022-04-15 7:10 ` Junio C Hamano
2022-04-15 8:30 ` [PATCH v2] " Carlo Marcelo Arenas Belón
2022-04-15 10:21 ` [RFC PATCH 0/2] reftable: remove poor man's SANITIZE=address, fix a memset() bug Ævar Arnfjörð Bjarmason
2022-04-15 10:21 ` [RFC PATCH 1/2] reftable: remove the "return_block" abstraction Ævar Arnfjörð Bjarmason
2022-04-15 13:37 ` René Scharfe
2022-04-25 9:57 ` Han-Wen Nienhuys
2022-04-25 17:30 ` Junio C Hamano
2022-04-15 10:21 ` [RFC PATCH 2/2] reftable: don't memset() a NULL from failed malloc() Ævar Arnfjörð Bjarmason
2022-04-15 13:37 ` René Scharfe
2022-04-15 13:53 ` Ævar Arnfjörð Bjarmason [this message]
2022-04-15 14:30 ` Phillip Wood
2022-04-15 15:20 ` Ævar Arnfjörð Bjarmason
2022-04-15 16:23 ` Junio C Hamano
2022-04-25 10:30 ` Han-Wen Nienhuys
2022-04-25 10:18 ` [PATCH v2] reftable: avoid undefined behaviour breaking t0032 Han-Wen Nienhuys
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=220415.86fsmebgds.gmgdl@evledraar.gmail.com \
--to=avarab@gmail.com \
--cc=carenas@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=hanwen@google.com \
--cc=l.s.r@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).