[PATCH] commit-reach: avoid NULL dereference

[PATCH] commit-reach: avoid NULL dereference

[Eric Wong]

The loop at the top of can_all_from_reach_with_flag() already
accounts for `from->objects[i].item' being NULL, so it follows
the cleanup loop should also account for a NULL `from_one'.

I managed to segfault here on one of my giant, many-remote repos
using `git fetch --negotiation-tip=...  --negotiation-only'
where the --negotiation-tip= argument was a glob which (inadvertently)
captured more refs than I wanted.  I have not reproduced this
in a standalone test case.

Signed-off-by: Eric Wong <e@80x24.org>
---
 Not sure if somebody who understands the code better can come
 up with a good standalone test case.  I figure using the top
 loop as reference is sufficient evidence that this fix is needed.

 commit-reach.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/commit-reach.c b/commit-reach.c
index 2e33c599a82..1d7056338b7 100644
--- a/commit-reach.c
+++ b/commit-reach.c
@@ -807,8 +807,12 @@ int can_all_from_reach_with_flag(struct object_array *from,
 	clear_commit_marks_many(nr_commits, list, RESULT | assign_flag);
 	free(list);
 
-	for (i = 0; i < from->nr; i++)
-		from->objects[i].item->flags &= ~assign_flag;
+	for (i = 0; i < from->nr; i++) {
+		struct object *from_one = from->objects[i].item;
+
+		if (from_one)
+			from_one->flags &= ~assign_flag;
+	}
 
 	return result;
 }

Re: [PATCH] commit-reach: avoid NULL dereference

[Junio C Hamano]

Eric Wong <e@80x24.org> writes:

>  Not sure if somebody who understands the code better can come
>  up with a good standalone test case.  I figure using the top
>  loop as reference is sufficient evidence that this fix is needed.

Good comment.

>  commit-reach.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/commit-reach.c b/commit-reach.c
> index 2e33c599a82..1d7056338b7 100644
> --- a/commit-reach.c
> +++ b/commit-reach.c
> @@ -807,8 +807,12 @@ int can_all_from_reach_with_flag(struct object_array *from,
>  	clear_commit_marks_many(nr_commits, list, RESULT | assign_flag);
>  	free(list);
>  
> -	for (i = 0; i < from->nr; i++)
> -		from->objects[i].item->flags &= ~assign_flag;
> +	for (i = 0; i < from->nr; i++) {
> +		struct object *from_one = from->objects[i].item;
> +
> +		if (from_one)
> +			from_one->flags &= ~assign_flag;
> +	}

The flag clearing rule of this function smells somewhat iffy.  There
are three primary callers of the function:

 * commit-reach.c::can_all_from_reach() calls the function, but it
   has its own loop to clear the flag it asked the function to add.
   If the function uses the flag as a temporary mark and is designed
   to clear it from all the objects, as 4067a646 (commit-reach: fix
   memory and flag leaks, 2018-09-21) states, why should the caller
   have a separate loop to clear them?

 * fetch-pack.c::negotiate_using_fetch() calls this function in a
   loop, so it does depend on it to clear the flag upon returning.

 * upload-pack.c::ok_to_give_up() is a thin wrapper around this
   function and none callers of it have any logic to clear flag, so
   it clearly depends on the function to clear the flag.

The above seems to indicate that the expectation by callers is a bit
uneven.  Shouldn't the first onetrust the callee to clear the flag?

Even before 4067a646 (commit-reach: fix memory and flag leaks,
2018-09-21), the function had a call to clear_commit_marks() to
clear two bits it used temporarily.  The reason why 4067a646 needed
to add this additional flag clearing, whose NULL-dereference bug is
being fixed with the patch in this thread, is because it marks any
incoming object that peels to a non-commit (e.g. a blob, a tree, or
a tag that points at a non-commit) with the flag bit, but such a
non-commit object is not added to the list[] of commits to be
processed, before the main processing of this function.

		from_one = deref_tag(the_repository, from_one,
				     "a from object", 0);
		if (!from_one || from_one->type != OBJ_COMMIT) {
			/*
			 * no way to tell if this is reachable by
			 * looking at the ancestry chain alone, so
			 * leave a note to ourselves not to worry about
			 * this object anymore.
			 */
			from->objects[i].item->flags |= assign_flag;
			continue;
		}

		list[nr_commits] = (struct commit *)from_one;

But I am not sure if it is even necessary to smudge the flag for the
object that was a non-commit (or the tag that peeled down to a
non-commit).  The main process of this function is a history
traversal that stops when the "assign_flag" bit is already set on
the found object, but the object that was part of the incoming
objects (i.e. in from->objects[] array) that turned out not to be a
non-commit would not be discovered during this history walk, would
it?  In other words, if we walk from list[] that is an array or
commits to the parents (but not its trees and blobs), we won't
encounter anything but commit.  What does it help to smudge an
object that peeled down to a non-commit in the incoming set of
objects, if it would not appear in the walk from list[]?  It would
not stop the traversal by having the flag.

So I wonder if we can just stop smudging the assign_flag bit for
these objects in from->objects[] that do not make it into list[]
as a simpler fix?  Wouldn't that make the follow-up cleaning loop
added by 4067a646 (commit-reach: fix memory and flag leaks,
2018-09-21) unneeded?

Re: [PATCH] commit-reach: avoid NULL dereference

[Derrick Stolee]

On 2/11/2023 5:43 PM, Junio C Hamano wrote:
> Eric Wong <e@80x24.org> writes:

>> -	for (i = 0; i < from->nr; i++)
>> -		from->objects[i].item->flags &= ~assign_flag;
>> +	for (i = 0; i < from->nr; i++) {
>> +		struct object *from_one = from->objects[i].item;
>> +
>> +		if (from_one)
>> +			from_one->flags &= ~assign_flag;
>> +	}

This looks like a completely safe change to make, so this
patch is good to go.

> The flag clearing rule of this function smells somewhat iffy.  There
> are three primary callers of the function:
> 
>  * commit-reach.c::can_all_from_reach() calls the function, but it
>    has its own loop to clear the flag it asked the function to add.
>    If the function uses the flag as a temporary mark and is designed
>    to clear it from all the objects, as 4067a646 (commit-reach: fix
>    memory and flag leaks, 2018-09-21) states, why should the caller
>    have a separate loop to clear them?

...

> The above seems to indicate that the expectation by callers is a bit
> uneven.  Shouldn't the first onetrust the callee to clear the flag?

Yes, that makes sense. (But there's more!)
 
> Even before 4067a646 (commit-reach: fix memory and flag leaks,
> 2018-09-21), the function had a call to clear_commit_marks() to
> clear two bits it used temporarily.  The reason why 4067a646 needed
> to add this additional flag clearing, whose NULL-dereference bug is
> being fixed with the patch in this thread, is because it marks any
> incoming object that peels to a non-commit (e.g. a blob, a tree, or
> a tag that points at a non-commit) with the flag bit, but such a
> non-commit object is not added to the list[] of commits to be
> processed, before the main processing of this function.
> 
> 		from_one = deref_tag(the_repository, from_one,
> 				     "a from object", 0);
> 		if (!from_one || from_one->type != OBJ_COMMIT) {
> 			/*
> 			 * no way to tell if this is reachable by
> 			 * looking at the ancestry chain alone, so
> 			 * leave a note to ourselves not to worry about
> 			 * this object anymore.
> 			 */
> 			from->objects[i].item->flags |= assign_flag;
> 			continue;
> 		}
> 
> 		list[nr_commits] = (struct commit *)from_one;
> 
> But I am not sure if it is even necessary to smudge the flag for the
> object that was a non-commit (or the tag that peeled down to a
> non-commit).  The main process of this function is a history
> traversal that stops when the "assign_flag" bit is already set on
> the found object, but the object that was part of the incoming
> objects (i.e. in from->objects[] array) that turned out not to be a
> non-commit would not be discovered during this history walk, would
> it?  In other words, if we walk from list[] that is an array or
> commits to the parents (but not its trees and blobs), we won't
> encounter anything but commit.  What does it help to smudge an
> object that peeled down to a non-commit in the incoming set of
> objects, if it would not appear in the walk from list[]?  It would
> not stop the traversal by having the flag.
> 
> So I wonder if we can just stop smudging the assign_flag bit for
> these objects in from->objects[] that do not make it into list[]
> as a simpler fix?  Wouldn't that make the follow-up cleaning loop
> added by 4067a646 (commit-reach: fix memory and flag leaks,
> 2018-09-21) unneeded?

Thanks for digging into the details here. I agree that this extra
assignment of the flag to these non-commit objects is unnecessary
since we intend to clear them by the end of the method and don't
do anything with the flags otherwise.

What you seem to be suggesting is this diff:

diff --git a/commit-reach.c b/commit-reach.c
index 2e33c599a82..8c387911228 100644
--- a/commit-reach.c
+++ b/commit-reach.c
@@ -740,10 +740,8 @@ int can_all_from_reach_with_flag(struct object_array *from,
 			/*
 			 * no way to tell if this is reachable by
 			 * looking at the ancestry chain alone, so
-			 * leave a note to ourselves not to worry about
-			 * this object anymore.
+			 * skip it.
 			 */
-			from->objects[i].item->flags |= assign_flag;
 			continue;
 		}
 
@@ -856,17 +854,6 @@ int can_all_from_reach(struct commit_list *from, struct commit_list *to,
 
 	result = can_all_from_reach_with_flag(&from_objs, PARENT2, PARENT1,
 					      min_commit_date, min_generation);
-
-	while (from) {
-		clear_commit_marks(from->item, PARENT1);
-		from = from->next;
-	}
-
-	while (to) {
-		clear_commit_marks(to->item, PARENT2);
-		to = to->next;
-	}
-
 	object_array_clear(&from_objs);
 	return result;
 }

And instead of the current patch, this should allow the
following diff hunk instead:

@@ -807,9 +805,6 @@ int can_all_from_reach_with_flag(struct object_array *from,
 	clear_commit_marks_many(nr_commits, list, RESULT | assign_flag);
 	free(list);
 
-	for (i = 0; i < from->nr; i++)
-		from->objects[i].item->flags &= ~assign_flag;
-
 	return result;
 }

This avoids the need for the NULL check, since we are skipping the
entire loop. The clear_commit_marks_many() is sufficient. 

Thanks,
-Stolee

Re: [PATCH] commit-reach: avoid NULL dereference

[Junio C Hamano]

Derrick Stolee <derrickstolee@github.com> writes:

>> The above seems to indicate that the expectation by callers is a bit
>> uneven.  Shouldn't the first onetrust the callee to clear the flag?
>
> Yes, that makes sense. (But there's more!)
> ...
> Thanks for digging into the details here. I agree that this extra
> assignment of the flag to these non-commit objects is unnecessary
> since we intend to clear them by the end of the method and don't
> do anything with the flags otherwise.
>
> What you seem to be suggesting is this diff:
>
> diff --git a/commit-reach.c b/commit-reach.c
> index 2e33c599a82..8c387911228 100644
> --- a/commit-reach.c
> +++ b/commit-reach.c
> @@ -740,10 +740,8 @@ int can_all_from_reach_with_flag(struct object_array *from,
>  			/*
>  			 * no way to tell if this is reachable by
>  			 * looking at the ancestry chain alone, so
> -			 * leave a note to ourselves not to worry about
> -			 * this object anymore.
> +			 * skip it.
>  			 */
> -			from->objects[i].item->flags |= assign_flag;
>  			continue;
>  		}

Agreed with this part.

> @@ -856,17 +854,6 @@ int can_all_from_reach(struct commit_list *from, struct commit_list *to,
>  
>  	result = can_all_from_reach_with_flag(&from_objs, PARENT2, PARENT1,
>  					      min_commit_date, min_generation);
> -
> -	while (from) {
> -		clear_commit_marks(from->item, PARENT1);
> -		from = from->next;
> -	}

This too.

> -	while (to) {
> -		clear_commit_marks(to->item, PARENT2);
> -		to = to->next;
> -	}

But I didn't think this is redundant.  PARENT2 is used to mark "to"
commits by this function, not the callee, before making the call.
The callee may clear PARENT1 used to mark the ones visited by the
traversal starting from the "from" commits, but does not do anything
to "with_flag", does it?

>  	object_array_clear(&from_objs);
>  	return result;
>  }
>
> And instead of the current patch, this should allow the
> following diff hunk instead:
>
> @@ -807,9 +805,6 @@ int can_all_from_reach_with_flag(struct object_array *from,
>  	clear_commit_marks_many(nr_commits, list, RESULT | assign_flag);
>  	free(list);
>  
> -	for (i = 0; i < from->nr; i++)
> -		from->objects[i].item->flags &= ~assign_flag;
> -
>  	return result;
>  }
>
> This avoids the need for the NULL check, since we are skipping the
> entire loop. The clear_commit_marks_many() is sufficient. 

Yeah, that was my reading based on very limited and sufrace level of
understanding of what this function was doing, although I think my
understanding of it is still very skimpy (if I understand it well
enough, I would give it a bit more understandable name but I cannot
come up with one yet).

Thanks.