From: Junio C Hamano <gitster@pobox.com>
To: Taylor Blau <me@ttaylorr.com>
Cc: git@vger.kernel.org, "Jeff King" <peff@peff.net>,
"Patrick Steinhardt" <ps@pks.im>,
"Carlos Andrés Ramírez Cataño" <antaigroupltda@gmail.com>
Subject: Re: [PATCH] object-name: reject too-deep recursive ancestor queries
Date: Tue, 21 Nov 2023 02:14:18 +0900 [thread overview]
Message-ID: <xmqqjzqcl53p.fsf@gitster.g> (raw)
In-Reply-To: <57c0b30ddfe7c0ae78069682ff8454791e54469f.1700496801.git.me@ttaylorr.com> (Taylor Blau's message of "Mon, 20 Nov 2023 11:13:45 -0500")
Taylor Blau <me@ttaylorr.com> writes:
> Since this is a local-only exploit, a user would have to be tricked into
> running such a query by an adversary. Even if they were successfully
> tricked into running the malicious query, the blast radius is limited to
> a local stack overflow, which does not have meaningful paths to remote
> code execution, arbitrary memory reads, or any more grave security
> concerns.
> ...
So the difference in practice is if we make a controlled call to
die() or just let it crash? It still does sound worthwhile thing to
do to make sure we make a controlled death. But ...
> +static int get_nth_ancestor_max_depth = 4096;
> +static int get_nth_ancestor_curr_depth;
... do we have a lock at a much higher level that prevents multiple
name-to-oid look-ups from running simultaneously, or something
similar, to make use of this static counter safe? I am not offhand
sure how safe it is to assume that we'd always be single-threaded.
This variable leaves a bad taste in my mouth.
I am not offhand sure how hard it is to count the depth per
callpath; get_oid_1() is the sole caller of get_nth_ancestor(), so
if you rename the former into a separate helper with a new
"recursion_depth" parameter, create a thin wrapper around it that
starts the recursion at depth 0 and have everybody else (i.e.,
peel_onion() and get_oid_with_context_1()) call it, and have
get_nth_ancestor increment (and die as needed) the counter, would
that be sufficient to ensure that we count the depth per call
invocation?
Thanks.
next prev parent reply other threads:[~2023-11-20 17:14 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-20 16:13 [PATCH] object-name: reject too-deep recursive ancestor queries Taylor Blau
2023-11-20 17:14 ` Junio C Hamano [this message]
2023-11-23 13:53 ` Patrick Steinhardt
2023-11-24 9:44 ` Junio C Hamano
2023-11-24 10:11 ` Patrick Steinhardt
2023-12-06 19:40 ` Jeff King
2023-12-07 6:52 ` Patrick Steinhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqjzqcl53p.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=antaigroupltda@gmail.com \
--cc=git@vger.kernel.org \
--cc=me@ttaylorr.com \
--cc=peff@peff.net \
--cc=ps@pks.im \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).