From: Patrick Steinhardt <ps@pks.im>
To: Christian Couder <christian.couder@gmail.com>
Cc: git@vger.kernel.org, oxsignal <awo@kakao.com>
Subject: Re: [PATCH 05/11] reftable/block: fix OOB write with bogus inflated log size
Date: Mon, 29 Jun 2026 09:08:32 +0200
Message-ID: <akIZ8F05W5Lx63f2@pks.im>
In-Reply-To: <CAP8UFD0y0GVjdnWYDkOsk6R9-ReGfzr6ZEm8PbyHOHrdAETXzg@mail.gmail.com>
On Fri, Jun 26, 2026 at 09:48:36AM +0200, Christian Couder wrote:
> On Wed, Jun 24, 2026 at 10:24 AM Patrick Steinhardt <ps@pks.im> wrote:
>
> > diff --git a/t/unit-tests/u-reftable-block.c b/t/unit-tests/u-reftable-block.c
> > index f4bded7d26..40274af5c0 100644
> > --- a/t/unit-tests/u-reftable-block.c
> > +++ b/t/unit-tests/u-reftable-block.c
> > @@ -456,3 +456,47 @@ void test_reftable_block__iterator(void)
> > block_writer_release(&writer);
> > reftable_buf_release(&data);
> > }
> > +
> > +void test_reftable_block__corrupt_log_block_size(void)
> > +{
> > + struct reftable_block_source source = { 0 };
> > + struct block_writer writer = {
> > + .last_key = REFTABLE_BUF_INIT,
> > + };
> > + struct reftable_record rec = {
> > + .type = REFTABLE_BLOCK_TYPE_LOG,
> > + .u.log = {
> > + .refname = (char *) "refs/heads/main",
> > + .update_index = 1,
> > + .value_type = REFTABLE_LOG_UPDATE,
> > + },
> > + };
> > + struct reftable_block block = { 0 };
> > + struct reftable_buf data;
> > +
> > + data.len = 1024;
> > + REFTABLE_CALLOC_ARRAY(data.buf, data.len);
> > + cl_assert(data.buf != NULL);
> > +
> > + cl_must_pass(block_writer_init(&writer, REFTABLE_BLOCK_TYPE_LOG,
> > + (uint8_t *) data.buf, data.len,
> > + 0, hash_size(REFTABLE_HASH_SHA1)));
> > + cl_must_pass(block_writer_add(&writer, &rec));
> > + cl_assert(block_writer_finish(&writer) > 0);
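Review bot: `struct reftable_buf data;` in the new test is declared without an initializer, and only `data.len` and `data.buf` are assigned afterwards, so any other member of the struct is still indeterminate when the buffer is later used or released. Initialize it with `REFTABLE_BUF_INIT`, as `writer.last_key` already is, before setting the length and allocating. The allocation check `cl_assert(data.buf != NULL)` is fine as it stands.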
>
> It looks like some of the block writing code above could be simplified
> using a helper function like:
>
> int cl_reftable_write_block(struct reftable_buf *buf, uint8_t block_type,
> 			    size_t block_size, uint32_t header_off,
> 			    struct reftable_record *recs, size_t nrecs)
> {
> 	struct block_writer writer = {
> 		.last_key = REFTABLE_BUF_INIT,
> 	};
> 	int block_end;
>
> 	REFTABLE_CALLOC_ARRAY(buf->buf, block_size);
> 	cl_assert(buf->buf != NULL);
> 	buf->len = block_size;
>
> 	cl_must_pass(block_writer_init(&writer, block_type, (uint8_t *) buf->buf,
> 				       block_size, header_off,
> 				       hash_size(REFTABLE_HASH_SHA1)));
> 	for (size_t i = 0; i < nrecs; i++)
> 		cl_must_pass(block_writer_add(&writer, &recs[i]));
>
> 	block_end = block_writer_finish(&writer);
> 	cl_assert(block_end > 0);
>
> 	block_writer_release(&writer);
>
> 	return block_end;
> }
>
> This function could be introduced by a preparatory commit in
> t/unit-tests/lib-reftable.{c,h}. It would be kind of similar to the
> existing cl_reftable_write_to_buf() helper in those files.
>
> It looks like it could already simplify existing tests like:
>
> - test_reftable_block__log_read_write
> - test_reftable_block__obj_read_write
> - test_reftable_block__ref_read_write
> - test_reftable_block__iterator
>
> and it could simplify the new tests introduced by other patches in this series:
>
> - 06/11 reftable/block: fix OOB read with bogus block size
> - 07/11 reftable/block: fix OOB read with bogus restart count
> - 09/11 reftable/block: fix OOB read with bogus restart offset

Good point, will do. Thanks!

Patrick

Thread overview: 27+ messages
2026-06-24 8:23 [PATCH 00/11] reftable: harden against corrupted tables Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 01/11] meson: support building fuzzers with libFuzzer Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 02/11] oss-fuzz: add fuzzer for parsing reftables Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 03/11] reftable/basics: fix OOB read on binary search of empty range Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 04/11] reftable/record: don't abort when decoding invalid ref value type Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 05/11] reftable/block: fix OOB write with bogus inflated log size Patrick Steinhardt
2026-06-26 7:48 ` Christian Couder
2026-06-29 7:08 ` Patrick Steinhardt [this message]
2026-06-24 8:23 ` [PATCH 06/11] reftable/block: fix OOB read with bogus block size Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 07/11] reftable/block: fix OOB read with bogus restart count Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 08/11] reftable/block: fix use of uninitialized memory when binsearch fails Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 09/11] reftable/block: fix OOB read with bogus restart offset Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 10/11] reftable/table: fix NULL pointer access when seeking to bogus offsets Patrick Steinhardt
2026-06-24 8:23 ` [PATCH 11/11] reftable/table: fix OOB read on truncated table Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 00/12] reftable: harden against corrupted tables Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 01/12] meson: support building fuzzers with libFuzzer Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 02/12] oss-fuzz: add fuzzer for parsing reftables Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 03/12] reftable/basics: fix OOB read on binary search of empty range Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 04/12] reftable/record: don't abort when decoding invalid ref value type Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 05/12] t/unit-tests: introduce test helper to write reftable blocks Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 06/12] reftable/block: fix OOB write with bogus inflated log size Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 07/12] reftable/block: fix OOB read with bogus block size Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 08/12] reftable/block: fix OOB read with bogus restart count Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 09/12] reftable/block: fix use of uninitialized memory when binsearch fails Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 10/12] reftable/block: fix OOB read with bogus restart offset Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 11/12] reftable/table: fix NULL pointer access when seeking to bogus offsets Patrick Steinhardt
2026-06-29 9:02 ` [PATCH v2 12/12] reftable/table: fix OOB read on truncated table Patrick Steinhardt