From: Patrick Steinhardt <ps@pks.im>
To: Karthik Nayak <karthik.188@gmail.com>
Cc: gitster@pobox.com, Johannes.Schindelin@gmx.de,
git@vger.kernel.org, sandals@crustytoothpaste.net
Subject: Re: [PATCH v3] refs: fix uninitialized memory access of `max_index`
Date: Fri, 24 Jan 2025 15:46:47 +0100 [thread overview]
Message-ID: <Z5On1waE-2uwIjS2@pks.im> (raw)
In-Reply-To: <20250124140203.886324-1-karthik.188@gmail.com>
On Fri, Jan 24, 2025 at 03:02:03PM +0100, Karthik Nayak wrote:
> When migrating reflogs between reference backends, maintaining the
> original order of the reflog entries is crucial. To achieve this, an
> `index` field is stored within the `ref_update` struct.
>
> In the reftable backend, before writing any references, the writer must
> be configured with the minimum and maximum update index values. The
> `max_update_index` is derived from the maximum `ref_update.index` value
> in a transaction . The commit bc67b4ab5f (reftable: write correct
> max_update_index to header, 2025-01-15) addressed this by propagating the
> `max_update_index` value from the transaction to
> `write_transaction_table_arg` and, ultimately, to
> `reftable_writer_set_limits()`, which sets the min and max index for the
> reftable writer.
>
> However, that commit introduced an issue:
>
> - In `reftable_transaction_data`, which contains an array of
> `write_transaction_table_arg`, only the first element was assigned the
> `max_index` value.
>
> As a result, any elements beyond the first in the array contained
> uninitialized `max_index`. The writer contains multiple elements of
> `write_transaction_table_arg` to correspond to different worktrees being
> written. This uninitialized value was later used to set the
> `max_update_index` for the writer, potentially causing overflow or
> undefined behavior.
It reads a bit funny as a bulleted list with a single item, only. A
suggestion for the above:
However, we only set the update index for the first
`write_transaction_table_arg`, even though there can be multiple
such arguments. This is the case when we write to multiple stacks in
a single transaction, e.g. when updating references in two different
worktrees at once. And, if so, we wouldn't have initialized the
update index for any but the first such argument. This uninitialized
value was later used to set the `max_update_index` for the writer,
potentially causing undefined behaviour.
Other than that this is nicely described, and the fix looks reasonable,
too.
Patrick
next prev parent reply other threads:[~2025-01-24 14:46 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-13 13:56 Bug in 2.48 with `git refs migrate` brian m. carlson
2025-01-13 15:45 ` Patrick Steinhardt
2025-01-15 11:54 ` Karthik Nayak
2025-01-15 17:07 ` Junio C Hamano
2025-01-16 6:44 ` Karthik Nayak
2025-01-16 2:05 ` brian m. carlson
2025-01-16 7:29 ` Karthik Nayak
2025-01-16 23:21 ` brian m. carlson
2025-01-17 0:04 ` Junio C Hamano
2025-01-17 6:17 ` Karthik Nayak
2025-01-17 6:15 ` Karthik Nayak
2025-01-23 13:56 ` [PATCH v2] reftable: write correct max_update_index to header Karthik Nayak
2025-01-23 18:11 ` Junio C Hamano
2025-01-23 18:24 ` Junio C Hamano
2025-01-24 14:02 ` [PATCH v3] refs: fix uninitialized memory access of `max_index` Karthik Nayak
2025-01-24 14:46 ` Patrick Steinhardt [this message]
2025-01-24 15:48 ` Karthik Nayak
2025-01-27 10:20 ` Patrick Steinhardt
2025-01-27 16:24 ` Junio C Hamano
2025-01-24 4:06 ` [PATCH v2] reftable: write correct max_update_index to header Karthik Nayak
2025-01-24 15:25 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z5On1waE-2uwIjS2@pks.im \
--to=ps@pks.im \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=karthik.188@gmail.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).