From: Patrick Steinhardt <ps@pks.im>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org,
"Carlos Andrés Ramírez Cataño" <antaigroupltda@gmail.com>
Subject: Re: [PATCH 5/7] submodule: handle NULL value when parsing submodule.*.branch
Date: Thu, 7 Dec 2023 09:14:48 +0100 [thread overview]
Message-ID: <ZXF--AxCOOOjyOMc@tanuki> (raw)
In-Reply-To: <20231207071129.GE1276005@coredump.intra.peff.net>
[-- Attachment #1: Type: text/plain, Size: 1920 bytes --]
On Thu, Dec 07, 2023 at 02:11:29AM -0500, Jeff King wrote:
> We record the submodule branch config value as a string, so config that
> uses an implicit bool like:
>
> [submodule "foo"]
> branch
>
> will cause us to segfault. Note that unlike most other config-parsing
> bugs of this class, this can be triggered by parsing a bogus .gitmodules
> file (which we might do after cloning a malicious repository).
>
> I don't think the security implications are important, though. It's
> always a strict NULL dereference, not an out-of-bounds read or write. So
> we should reliably kill the process. That may be annoying, but the
> impact is limited to the attacker preventing the victim from
> successfully using "git clone --recurse-submodules", etc, on the
> malicious repo.
>
> The "branch" entry is the only one with this problem; other strings like
> "path" and "url" already check for NULL.
>
> Signed-off-by: Jeff King <peff@peff.net>
> ---
> submodule-config.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/submodule-config.c b/submodule-config.c
> index 6a48fd12f6..f4dd482abc 100644
> --- a/submodule-config.c
> +++ b/submodule-config.c
> @@ -516,7 +516,9 @@ static int parse_config(const char *var, const char *value,
> submodule->recommend_shallow =
> git_config_bool(var, value);
> } else if (!strcmp(item.buf, "branch")) {
> - if (!me->overwrite && submodule->branch)
> + if (!value)
> + ret = config_error_nonbool(var);
> + else if (!me->overwrite && submodule->branch)
> warn_multiple_config(me->treeish_name, submodule->name,
> "branch");
> else {
I was about to say that I'd rather expect us to handle this gracefully
so that Git doesn't die when parsing an invalid gitmodules file. But
there are other cases where we already fail in the same way, so this
looks good to me.
Patrick
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2023-12-07 8:14 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-07 7:10 [PATCH 0/7] fix segfaults with implicit-bool config Jeff King
2023-12-07 7:11 ` [PATCH 1/7] config: handle NULL value when parsing non-bools Jeff King
2023-12-07 8:14 ` Patrick Steinhardt
2023-12-12 0:58 ` Jeff King
2023-12-07 7:11 ` [PATCH 2/7] setup: handle NULL value when parsing extensions Jeff King
2023-12-07 7:11 ` [PATCH 3/7] trace2: handle NULL values in tr2_sysenv config callback Jeff King
2023-12-07 7:11 ` [PATCH 4/7] help: handle NULL value for alias.* config Jeff King
2023-12-07 7:11 ` [PATCH 5/7] submodule: handle NULL value when parsing submodule.*.branch Jeff King
2023-12-07 8:14 ` Patrick Steinhardt [this message]
2023-12-12 0:46 ` Jeff King
2023-12-07 7:11 ` [PATCH 6/7] trailer: handle NULL value when parsing trailer-specific config Jeff King
2023-12-07 8:14 ` Patrick Steinhardt
2023-12-07 7:11 ` [PATCH 7/7] fsck: handle NULL value when parsing message config Jeff King
2023-12-07 8:15 ` Patrick Steinhardt
2023-12-07 8:14 ` [PATCH 0/7] fix segfaults with implicit-bool config Patrick Steinhardt
2023-12-12 0:52 ` Jeff King
2023-12-12 4:10 ` Patrick Steinhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZXF--AxCOOOjyOMc@tanuki \
--to=ps@pks.im \
--cc=antaigroupltda@gmail.com \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).