From: Dima Tisnek <dimaqq@gmail.com>
To: git@vger.kernel.org
Subject: Uninitialised pointer free in is_crontab_available
Date: Thu, 17 Oct 2024 15:48:30 +0900 [thread overview]
Message-ID: <CAGGBzXLN6eFZmgEE=KBp9vbcgYGGEbDJDUrfyVeYjuCrRiYcXA@mail.gmail.com> (raw)
Here's the code:
static int is_crontab_available(void)
{
	char *cmd;
	int is_available;
	int ret;

	if (get_schedule_cmd("crontab", &is_available, &cmd)) {
		ret = is_available;
		goto out;
	}

#ifdef __APPLE__
	/*
	 * macOS has cron, but it requires special permissions and will
	 * create a UI alert when attempting to run this command.
	 */
	ret = 0;
#else
	ret = check_crontab_process(cmd);
#endif
out:
	free(cmd);
	return ret;
}
This code will try to `free(cmd)` even if get_schedule_cmd returned 0,
when it's safe to assume that &cmd was not allocated.
static int get_schedule_cmd(const char *cmd, int *is_available, char **out)
{
	char *testing = xstrdup_or_null(getenv("GIT_TEST_MAINT_SCHEDULER"));
	struct string_list_item *item;
	struct string_list list = STRING_LIST_INIT_NODUP;

	if (!testing)
		return 0;

	[rest snipped]
If I read this right, as long as the special env var is not set, this
function returns 0 and does not populate *out.
Reproduce:
run `git maintenance start` on a mac in some git repo
Tested with:
macos Darwin 24.0.0
arm64
homebrew git 2.47.0
c/cpython (main)> lldb (which git)
(lldb) target create "/opt/homebrew/bin/git"
Current executable set to '/opt/homebrew/bin/git' (arm64).
(lldb) b malloc_error_break
Breakpoint 1: where = libsystem_malloc.dylib`malloc_error_break,
address = 0x00000001802861bc
(lldb) run maintenance start
Process 35052 launched: '/opt/homebrew/bin/git' (arm64)
git(35052,0x1ec22b240) malloc: *** error for object 0x1: pointer being
freed was not allocated
git(35052,0x1ec22b240) malloc: *** set a breakpoint in
malloc_error_break to debug
Process 35052 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x00000001879221bc libsystem_malloc.dylib`malloc_error_break
libsystem_malloc.dylib`malloc_error_break:
-> 0x1879221bc <+0>: pacibsp
0x1879221c0 <+4>: stp x29, x30, [sp, #-0x10]!
0x1879221c4 <+8>: mov x29, sp
0x1879221c8 <+12>: nop
Target 0: (git) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
* frame #0: 0x00000001879221bc libsystem_malloc.dylib`malloc_error_break
frame #1: 0x00000001879015e8 libsystem_malloc.dylib`malloc_vreport + 748
frame #2: 0x000000018790523c libsystem_malloc.dylib`malloc_report + 64
frame #3: 0x000000018792326c libsystem_malloc.dylib`find_zone_and_free + 528
frame #4: 0x000000010004fa78 git`is_crontab_available + 56
frame #5: 0x000000010004f974 git`update_background_schedule + 168
frame #6: 0x000000010004e1dc git`maintenance_start + 248
frame #7: 0x000000010004d9b4 git`cmd_maintenance + 336
frame #8: 0x0000000100005678 git`run_builtin + 396
frame #9: 0x0000000100004b48 git`handle_builtin + 324
frame #10: 0x00000001000043c0 git`cmd_main + 788
frame #11: 0x00000001000c141c git`main + 236
frame #12: 0x0000000187768274 dyld`start + 2840
(lldb) frame select 4
frame #4: 0x000000010004fa78 git`is_crontab_available + 56
git`is_crontab_available:
-> 0x10004fa78 <+56>: mov x0, x19
0x10004fa7c <+60>: ldp x29, x30, [sp, #0x20]
0x10004fa80 <+64>: ldp x20, x19, [sp, #0x10]
0x10004fa84 <+68>: add sp, sp, #0x30
(lldb) disassemble -n is_crontab_available
git`is_crontab_available:
0x10004fa40 <+0>: sub sp, sp, #0x30
0x10004fa44 <+4>: stp x20, x19, [sp, #0x10]
0x10004fa48 <+8>: stp x29, x30, [sp, #0x20]
0x10004fa4c <+12>: add x29, sp, #0x20
0x10004fa50 <+16>: adrp x0, 535
0x10004fa54 <+20>: add x0, x0, #0x3f ; "crontab"
0x10004fa58 <+24>: add x1, sp, #0x4
0x10004fa5c <+28>: add x2, sp, #0x8
0x10004fa60 <+32>: bl 0x100050300 ; get_schedule_cmd
0x10004fa64 <+36>: ldr w8, [sp, #0x4]
0x10004fa68 <+40>: cmp w0, #0x0
0x10004fa6c <+44>: csel w19, wzr, w8, eq
0x10004fa70 <+48>: ldr x0, [sp, #0x8]
0x10004fa74 <+52>: bl 0x100249170 ; symbol stub for: free
-> 0x10004fa78 <+56>: mov x0, x19
0x10004fa7c <+60>: ldp x29, x30, [sp, #0x20]
0x10004fa80 <+64>: ldp x20, x19, [sp, #0x10]
0x10004fa84 <+68>: add sp, sp, #0x30
0x10004fa88 <+72>: ret
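The following is an added example, not code from the mail or from git itself. It models the contract described above (get_schedule_cmd() returns 0 and leaves *out untouched when no override is in force) in a stand-alone C program whose caller cannot reach free() with an uninitialised pointer: cmd starts as NULL, and the no-override path supplies its own default command rather than reading a value nobody wrote. Everything not quoted in the mail is an assumption of the example: the override list is passed in as a `testing` parameter instead of being read from GIT_TEST_MAINT_SCHEDULER so the program is deterministic, the "name:command,name:command" syntax is a simplification, check_crontab_process() is a stand-in that does not spawn anything, and the macOS short-circuit is an `on_macos` flag so both branches run on one platform.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy n bytes of s into a fresh NUL-terminated allocation. */
static char *copy_n(const char *s, size_t n)
{
	char *v = malloc(n + 1);
	if (!v) {
		perror("malloc");
		exit(1);
	}
	memcpy(v, s, n);
	v[n] = '\0';
	return v;
}

/*
 * Model of git's get_schedule_cmd() (assumed syntax: "name:command,...").
 * On the no-override path it returns 0 and deliberately does NOT write
 * *out, which is the behaviour the mail reports: the caller must never
 * rely on *out after a 0 return.
 */
static int get_schedule_cmd(const char *testing, const char *cmd,
			    int *is_available, char **out)
{
	size_t cmdlen = strlen(cmd);
	const char *p;

	if (!testing)
		return 0;		/* *out untouched on this path */

	*is_available = 0;
	for (p = testing; *p; ) {
		const char *end = strchr(p, ',');
		size_t len = end ? (size_t)(end - p) : strlen(p);

		if (len > cmdlen + 1 && !strncmp(p, cmd, cmdlen) &&
		    p[cmdlen] == ':') {
			*out = copy_n(p + cmdlen + 1, len - cmdlen - 1);
			*is_available = 1;
			return 1;
		}
		p = end ? end + 1 : p + len;
	}

	/* Overrides are in force but this scheduler is not listed:
	 * report it unavailable and hand back a NULL that free() accepts. */
	*out = NULL;
	return 1;
}

/* Stand-in for git's check_crontab_process(), which runs `cmd -l`.
 * Here "available" just means a non-empty command was supplied. */
static int check_crontab_process(const char *cmd)
{
	return cmd != NULL && cmd[0] != '\0';
}

/*
 * The caller with two changes against the version in the mail:
 *   1. cmd starts as NULL, so free(cmd) is a real free or a no-op
 *      on every path;
 *   2. the no-override path allocates its own default command instead
 *      of reading a cmd that get_schedule_cmd() never wrote.
 */
static int is_crontab_available(const char *testing, int on_macos)
{
	char *cmd = NULL;	/* the fix: never garbage */
	int is_available = 0;
	int ret;

	if (get_schedule_cmd(testing, "crontab", &is_available, &cmd)) {
		ret = is_available;
		goto out;
	}

	cmd = copy_n("crontab", strlen("crontab"));	/* assumed default */
	if (on_macos)
		ret = 0;	/* see the comment quoted in the mail */
	else
		ret = check_crontab_process(cmd);
out:
	free(cmd);
	return ret;
}

/* Helper: 1 if the override list maps `name` to exactly `expected`. */
static int override_resolves_to(const char *testing, const char *name,
				const char *expected)
{
	char *out = NULL;
	int avail = 0;
	int hit = get_schedule_cmd(testing, name, &avail, &out);
	int ok = hit && avail && out && !strcmp(out, expected);

	free(out);
	return ok;
}

int main(void)
{
	printf("no override, macOS:   %d\n", is_crontab_available(NULL, 1));
	printf("no override, other:   %d\n", is_crontab_available(NULL, 0));
	printf("override, crontab:    %d\n",
	       is_crontab_available("crontab:/usr/bin/crontab", 1));
	printf("override, unlisted:   %d\n",
	       is_crontab_available("launchctl:/bin/true", 0));
	return 0;
}
```

Two practical notes. A plain -Wall build does not warn about the original: once &cmd is passed to a callee, the compiler assumes the callee initialises it, so a dynamic checker is needed (Valgrind's memcheck reports an invalid free() here). And the "object 0x1" in the malloc report is simply whatever the stack slot at [sp, #0x8] held before the call; the disassembly shows that slot is loaded into x0 (`ldr x0, [sp, #0x8]`) and passed to free without ever having been written on the return-0 path.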
Thread overview: 3+ messages
2024-10-17 6:48 Dima Tisnek [this message]
2024-10-17 6:57 ` Uninitialised pointer free in is_crontab_available Eric Sunshine
2024-10-17 8:38 ` Kristoffer Haugsbakk