* [PATCH] unpack_entry: invalidate newly added cache entry in case of error @ 2013-04-30 2:29 Nguyễn Thái Ngọc Duy 2013-04-30 8:27 ` Thomas Rast 0 siblings, 1 reply; 6+ messages in thread From: Nguyễn Thái Ngọc Duy @ 2013-04-30 2:29 UTC (permalink / raw) To: git; +Cc: Junio C Hamano, Thomas Rast, Nguyễn Thái Ngọc Duy In this particular code path, we add "base" to the delta base cache. Then decide to free it, but we forgot about a dangling pointer in the cache. Invalidate that entry when we free "base". Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> --- Some of my changes triggered a double free fault at "free(base);" in t5303. This looks like a correct thing to do, but I may be missing something (I'm not even sure how it happened). Please check. sha1_file.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sha1_file.c b/sha1_file.c index 64228a2..99ead7c 100644 --- a/sha1_file.c +++ b/sha1_file.c @@ -1912,7 +1912,8 @@ void clear_delta_base_cache(void) release_delta_base_cache(&delta_base_cache[p]); } -static void add_delta_base_cache(struct packed_git *p, off_t base_offset, +static struct delta_base_cache_entry * +add_delta_base_cache(struct packed_git *p, off_t base_offset, void *base, unsigned long base_size, enum object_type type) { unsigned long hash = pack_entry_hash(p, base_offset); @@ -1947,6 +1948,7 @@ static void add_delta_base_cache(struct packed_git *p, off_t base_offset, ent->lru.prev = delta_base_cache_lru.prev; delta_base_cache_lru.prev->next = &ent->lru; delta_base_cache_lru.prev = &ent->lru; + return ent; } static void *read_object(const unsigned char *sha1, enum object_type *type, @@ -2086,12 +2088,13 @@ void *unpack_entry(struct packed_git *p, off_t obj_offset, void *delta_data; void *base = data; unsigned long delta_size, base_size = size; + struct delta_base_cache_entry *ent = NULL; int i; data = NULL; if (base) - add_delta_base_cache(p, obj_offset, base, base_size, type); + ent = add_delta_base_cache(p, obj_offset, base, base_size, type); if (!base) { /* @@ -2129,6 +2132,8 @@ void *unpack_entry(struct packed_git *p, off_t obj_offset, "at offset %"PRIuMAX" from %s", (uintmax_t)curpos, p->pack_name); free(base); + if (ent) + ent->data = NULL; data = NULL; continue; } -- 1.8.2.83.gc99314b ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] unpack_entry: invalidate newly added cache entry in case of error 2013-04-30 2:29 [PATCH] unpack_entry: invalidate newly added cache entry in case of error Nguyễn Thái Ngọc Duy @ 2013-04-30 8:27 ` Thomas Rast 2013-04-30 10:25 ` Duy Nguyen 0 siblings, 1 reply; 6+ messages in thread From: Thomas Rast @ 2013-04-30 8:27 UTC (permalink / raw) To: Nguyễn Thái Ngọc Duy; +Cc: git, Junio C Hamano, Thomas Rast Nguyễn Thái Ngọc Duy <pclouds@gmail.com> writes: > In this particular code path, we add "base" to the delta base > cache. Then decide to free it, but we forgot about a dangling pointer > in the cache. Invalidate that entry when we free "base". > > Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> > --- > Some of my changes triggered a double free fault at "free(base);" in > t5303. This looks like a correct thing to do, but I may be missing > something (I'm not even sure how it happened). Please check. Can you describe how you triggered it? I ran all of origin/pu through valgrind tests just yesterday, and it found nothing (yay!), so it doesn't seem to reproduce here? > sha1_file.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/sha1_file.c b/sha1_file.c > index 64228a2..99ead7c 100644 > --- a/sha1_file.c > +++ b/sha1_file.c > @@ -1912,7 +1912,8 @@ void clear_delta_base_cache(void) > release_delta_base_cache(&delta_base_cache[p]); > } > > -static void add_delta_base_cache(struct packed_git *p, off_t base_offset, > +static struct delta_base_cache_entry * > +add_delta_base_cache(struct packed_git *p, off_t base_offset, > void *base, unsigned long base_size, enum object_type type) > { > unsigned long hash = pack_entry_hash(p, base_offset); > @@ -1947,6 +1948,7 @@ static void add_delta_base_cache(struct packed_git *p, off_t base_offset, > ent->lru.prev = delta_base_cache_lru.prev; > delta_base_cache_lru.prev->next = &ent->lru; > delta_base_cache_lru.prev = &ent->lru; > + return ent; > } > > static void *read_object(const unsigned char *sha1, enum object_type *type, > @@ -2086,12 +2088,13 @@ void *unpack_entry(struct packed_git *p, off_t obj_offset, > void *delta_data; > void *base = data; > unsigned long delta_size, base_size = size; > + struct delta_base_cache_entry *ent = NULL; > int i; > > data = NULL; > > if (base) > - add_delta_base_cache(p, obj_offset, base, base_size, type); > + ent = add_delta_base_cache(p, obj_offset, base, base_size, type); > > if (!base) { > /* > @@ -2129,6 +2132,8 @@ void *unpack_entry(struct packed_git *p, off_t obj_offset, > "at offset %"PRIuMAX" from %s", > (uintmax_t)curpos, p->pack_name); > free(base); > + if (ent) > + ent->data = NULL; > data = NULL; > continue; > } Why not clear_delta_base_cache_entry(), which also handles updating the lru pointers? Also I wonder if removing free(base) is the right fix: since the failure is in decompressing the delta, the base might again be useful and we should keep it cached. Either way, one of those needs to be done. I think the mistake happened in my abe601b (sha1_file: remove recursion in unpack_entry, 2013-03-27). The change concerning this section was roughly: - base = cache_or_unpack_entry(p, base_offset, &base_size, type, 0); - if (!base) { [...snip error path...] - } - - delta_data = unpack_compressed_entry(p, w_curs, curpos, delta_size); - if (!delta_data) { - error("failed to unpack compressed delta " - "at offset %"PRIuMAX" from %s", - (uintmax_t)curpos, p->pack_name); - free(base); - return NULL; - } [...] - add_delta_base_cache(p, base_offset, base, base_size, *type); transforms into + if (base) + add_delta_base_cache(p, obj_offset, base, base_size, type); + + if (!base) { [...snip error path...] + } + + i = --delta_stack_nr; + obj_offset = delta_stack[i].obj_offset; + curpos = delta_stack[i].curpos; + delta_size = delta_stack[i].size; + + if (!base) + continue; + + delta_data = unpack_compressed_entry(p, &w_curs, curpos, delta_size); + + if (!delta_data) { + error("failed to unpack compressed delta " + "at offset %"PRIuMAX" from %s", + (uintmax_t)curpos, p->pack_name); + free(base); + data = NULL; + continue; + } So it's not your mistake at all. I propose this explanation for the commit message of whatever fix you make: In the !delta_data error path of unpack_entry(), we run free(base). This became a window for use-after-free() in abe601b (sha1_file: remove recursion in unpack_entry, 2013-03-27), as follows: Before abe601b, we got the 'base' from cache_or_unpack_entry(..., 0); keep_cache=0 tells it to also remove that entry. So the 'base' is at this point not cached, and freeing it in the error path is the right thing. After abe601b, the structure changed: we use a three-phase approach where phase 1 finds the innermost base or a base that is already in the cache. In phase 3 we therefore know that all bases we unpack are not part of the delta cache yet. (Observe that we pop from the cache in phase 1, so this is also true for the very first base.) So we make no further attempts to look up the bases in the cache, and just call add_delta_base_cache() on every base object we have assembled. But the !delta_data error path remained unchanged, and now calls free() on a base that has already been entered in the cache. This means that there is a use-after-free if we later use the same base again. -- Thomas Rast trast@{inf,student}.ethz.ch ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] unpack_entry: invalidate newly added cache entry in case of error 2013-04-30 8:27 ` Thomas Rast @ 2013-04-30 10:25 ` Duy Nguyen 2013-04-30 12:53 ` Thomas Rast 0 siblings, 1 reply; 6+ messages in thread From: Duy Nguyen @ 2013-04-30 10:25 UTC (permalink / raw) To: Thomas Rast; +Cc: Git Mailing List, Junio C Hamano, Thomas Rast On Tue, Apr 30, 2013 at 3:27 PM, Thomas Rast <trast@inf.ethz.ch> wrote: > Nguyễn Thái Ngọc Duy <pclouds@gmail.com> writes: > >> In this particular code path, we add "base" to the delta base >> cache. Then decide to free it, but we forgot about a dangling pointer >> in the cache. Invalidate that entry when we free "base". >> >> Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> >> --- >> Some of my changes triggered a double free fault at "free(base);" in >> t5303. This looks like a correct thing to do, but I may be missing >> something (I'm not even sure how it happened). Please check. > > Can you describe how you triggered it? > > I ran all of origin/pu through valgrind tests just yesterday, and it > found nothing (yay!), so it doesn't seem to reproduce here? Apply this patch on top of master (no need to apply full series) and run t5303 http://article.gmane.org/gmane.comp.version-control.git/222895 >> @@ -2129,6 +2132,8 @@ void *unpack_entry(struct packed_git *p, off_t obj_offset, >> "at offset %"PRIuMAX" from %s", >> (uintmax_t)curpos, p->pack_name); >> free(base); >> + if (ent) >> + ent->data = NULL; >> data = NULL; >> continue; >> } > > Why not clear_delta_base_cache_entry(), which also handles updating the > lru pointers? Simple. I didn't know about clear_de..entry(). > Also I wonder if removing free(base) is the right fix: since the failure > is in decompressing the delta, the base might again be useful and we > should keep it cached. OK since you know this code much better than me, I withdraw my patch (consider it a bug report) and let you work on a proper fix. I see you already have the commit message ready :) Happy to test it for you if the above instruction is still not reproducible for you. -- Duy ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] unpack_entry: invalidate newly added cache entry in case of error 2013-04-30 10:25 ` Duy Nguyen @ 2013-04-30 12:53 ` Thomas Rast 2013-04-30 13:01 ` Duy Nguyen 2013-04-30 22:39 ` Junio C Hamano 0 siblings, 2 replies; 6+ messages in thread From: Thomas Rast @ 2013-04-30 12:53 UTC (permalink / raw) To: Duy Nguyen; +Cc: Git Mailing List, Junio C Hamano, Thomas Rast Duy Nguyen <pclouds@gmail.com> writes: > Apply this patch on top of master (no need to apply full series) and run t5303 > > http://article.gmane.org/gmane.comp.version-control.git/222895 [...] > OK since you know this code much better than me, I withdraw my patch > (consider it a bug report) and let you work on a proper fix. I see you > already have the commit message ready :) Happy to test it for you if > the above instruction is still not reproducible for you. Ok. So I really think just dropping the free() is the way to go. Can you test this? Your series didn't apply cleanly on anything I had locally, and 'am -3' doesn't work. A simpler reproducer, and using valgrind to detect the use-after-free, didn't get me anywhere either. -- >8 -- Subject: [PATCH] unpack_entry: avoid freeing objects in base cache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the !delta_data error path of unpack_entry(), we run free(base). This became a window for use-after-free() in abe601b (sha1_file: remove recursion in unpack_entry, 2013-03-27), as follows: Before abe601b, we got the 'base' from cache_or_unpack_entry(..., 0); keep_cache=0 tells it to also remove that entry. So the 'base' is at this point not cached, and freeing it in the error path is the right thing. After abe601b, the structure changed: we use a three-phase approach where phase 1 finds the innermost base or a base that is already in the cache. In phase 3 we therefore know that all bases we unpack are not part of the delta cache yet. (Observe that we pop from the cache in phase 1, so this is also true for the very first base.) So we make no further attempts to look up the bases in the cache, and just call add_delta_base_cache() on every base object we have assembled. But the !delta_data error path remained unchanged, and now calls free() on a base that has already been entered in the cache. This means that there is a use-after-free if we later use the same base again. So remove that free(). Reported-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Thomas Rast <trast@inf.ethz.ch> --- sha1_file.c | 1 - 1 file changed, 1 deletion(-) diff --git a/sha1_file.c b/sha1_file.c index 64228a2..67e815b 100644 --- a/sha1_file.c +++ b/sha1_file.c @@ -2128,7 +2128,6 @@ void *unpack_entry(struct packed_git *p, off_t obj_offset, error("failed to unpack compressed delta " "at offset %"PRIuMAX" from %s", (uintmax_t)curpos, p->pack_name); - free(base); data = NULL; continue; } -- 1.8.3.rc0.333.gdb39496 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] unpack_entry: invalidate newly added cache entry in case of error 2013-04-30 12:53 ` Thomas Rast @ 2013-04-30 13:01 ` Duy Nguyen 2013-04-30 22:39 ` Junio C Hamano 1 sibling, 0 replies; 6+ messages in thread From: Duy Nguyen @ 2013-04-30 13:01 UTC (permalink / raw) To: Thomas Rast; +Cc: Git Mailing List, Junio C Hamano, Thomas Rast On Tue, Apr 30, 2013 at 7:53 PM, Thomas Rast <trast@inf.ethz.ch> wrote: > Duy Nguyen <pclouds@gmail.com> writes: > >> Apply this patch on top of master (no need to apply full series) and run t5303 >> >> http://article.gmane.org/gmane.comp.version-control.git/222895 > [...] >> OK since you know this code much better than me, I withdraw my patch >> (consider it a bug report) and let you work on a proper fix. I see you >> already have the commit message ready :) Happy to test it for you if >> the above instruction is still not reproducible for you. > > Ok. So I really think just dropping the free() is the way to go. Can > you test this? Your series didn't apply cleanly on anything I had > locally, and 'am -3' doesn't work. A simpler reproducer, and using > valgrind to detect the use-after-free, didn't get me anywhere either. Confirmed the double free is gone. I also run it under valgrind and found nothing special. > -- >8 -- > Subject: [PATCH] unpack_entry: avoid freeing objects in base cache > MIME-Version: 1.0 > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: 8bit > > In the !delta_data error path of unpack_entry(), we run free(base). > This became a window for use-after-free() in abe601b (sha1_file: > remove recursion in unpack_entry, 2013-03-27), as follows: > > Before abe601b, we got the 'base' from cache_or_unpack_entry(..., 0); > keep_cache=0 tells it to also remove that entry. So the 'base' is at > this point not cached, and freeing it in the error path is the right > thing. > > After abe601b, the structure changed: we use a three-phase approach > where phase 1 finds the innermost base or a base that is already in > the cache. In phase 3 we therefore know that all bases we unpack are > not part of the delta cache yet. (Observe that we pop from the cache > in phase 1, so this is also true for the very first base.) So we make > no further attempts to look up the bases in the cache, and just call > add_delta_base_cache() on every base object we have assembled. > > But the !delta_data error path remained unchanged, and now calls > free() on a base that has already been entered in the cache. This > means that there is a use-after-free if we later use the same base > again. > > So remove that free(). > > Reported-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> > Signed-off-by: Thomas Rast <trast@inf.ethz.ch> > --- > sha1_file.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/sha1_file.c b/sha1_file.c > index 64228a2..67e815b 100644 > --- a/sha1_file.c > +++ b/sha1_file.c > @@ -2128,7 +2128,6 @@ void *unpack_entry(struct packed_git *p, off_t obj_offset, > error("failed to unpack compressed delta " > "at offset %"PRIuMAX" from %s", > (uintmax_t)curpos, p->pack_name); > - free(base); > data = NULL; > continue; > } > -- > 1.8.3.rc0.333.gdb39496 -- Duy ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] unpack_entry: invalidate newly added cache entry in case of error 2013-04-30 12:53 ` Thomas Rast 2013-04-30 13:01 ` Duy Nguyen @ 2013-04-30 22:39 ` Junio C Hamano 1 sibling, 0 replies; 6+ messages in thread From: Junio C Hamano @ 2013-04-30 22:39 UTC (permalink / raw) To: Thomas Rast; +Cc: Duy Nguyen, Git Mailing List, Thomas Rast Thomas Rast <trast@inf.ethz.ch> writes: > Duy Nguyen <pclouds@gmail.com> writes: > >> Apply this patch on top of master (no need to apply full series) and run t5303 >> >> http://article.gmane.org/gmane.comp.version-control.git/222895 > [...] >> OK since you know this code much better than me, I withdraw my patch >> (consider it a bug report) and let you work on a proper fix. I see you >> already have the commit message ready :) Happy to test it for you if >> the above instruction is still not reproducible for you. > > Ok. So I really think just dropping the free() is the way to go. Can > you test this? Your series didn't apply cleanly on anything I had > locally, and 'am -3' doesn't work. A simpler reproducer, and using > valgrind to detect the use-after-free, didn't get me anywhere either. > > -- >8 -- > Subject: [PATCH] unpack_entry: avoid freeing objects in base cache > MIME-Version: 1.0 > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: 8bit I see you used "git-pu format-patch --inline-single" here, and the above is the reason why it is marked as "not ready for public consumption" ;-). > In the !delta_data error path of unpack_entry(), we run free(base). > This became a window for use-after-free() in abe601b (sha1_file: > remove recursion in unpack_entry, 2013-03-27), as follows: > > Before abe601b, we got the 'base' from cache_or_unpack_entry(..., 0); > keep_cache=0 tells it to also remove that entry. So the 'base' is at > this point not cached, and freeing it in the error path is the right > thing. > > After abe601b, the structure changed: we use a three-phase approach > where phase 1 finds the innermost base or a base that is already in > the cache. In phase 3 we therefore know that all bases we unpack are > not part of the delta cache yet. (Observe that we pop from the cache > in phase 1, so this is also true for the very first base.) So we make > no further attempts to look up the bases in the cache, and just call > add_delta_base_cache() on every base object we have assembled. > > But the !delta_data error path remained unchanged, and now calls > free() on a base that has already been entered in the cache. This > means that there is a use-after-free if we later use the same base > again. > > So remove that free(). I wish I saw "We are still going to use it, and it will be freed after we are done" or something like that after this sentence. But other than that, I think the logic is correct. > Reported-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> > Signed-off-by: Thomas Rast <trast@inf.ethz.ch> > --- > sha1_file.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/sha1_file.c b/sha1_file.c > index 64228a2..67e815b 100644 > --- a/sha1_file.c > +++ b/sha1_file.c > @@ -2128,7 +2128,6 @@ void *unpack_entry(struct packed_git *p, off_t obj_offset, > error("failed to unpack compressed delta " > "at offset %"PRIuMAX" from %s", > (uintmax_t)curpos, p->pack_name); > - free(base); > data = NULL; > continue; > } ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2013-04-30 22:39 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-04-30 2:29 [PATCH] unpack_entry: invalidate newly added cache entry in case of error Nguyễn Thái Ngọc Duy 2013-04-30 8:27 ` Thomas Rast 2013-04-30 10:25 ` Duy Nguyen 2013-04-30 12:53 ` Thomas Rast 2013-04-30 13:01 ` Duy Nguyen 2013-04-30 22:39 ` Junio C Hamano
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).