dir: fix malloc of root untracked_cache_dir #884
Conversation
dir.c
@@ -2731,7 +2731,7 @@ static struct untracked_cache_dir *validate_untracked_cache(struct dir_struct *d | |||
} | |||
|
|||
if (!dir->untracked->root) { | |||
const int len = sizeof(*dir->untracked->root); | |||
const int len = st_add(sizeof(*dir->untracked->root), 1); | |||
dir->untracked->root = xmalloc(len); | |||
memset(dir->untracked->root, 0, len); |
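Review bot: the second `+` line, `const int len = st_add(sizeof(*dir->untracked->root), 1);`, narrows the size_t that st_add() returns into an int, and the three hand-written steps that follow (compute length, xmalloc, memset) are exactly the manual pattern FLEX_ALLOC_STR()/FLEX_ALLOC_MEM() were introduced to replace. The extra byte itself is right: with an empty FLEX_ARRAY, sizeof(*root) contains no storage for `name[]`, so the old length neither allocated nor zeroed `name[0]`. Prefer `FLEX_ALLOC_STR(dir->untracked->root, name, "");`, which sizes the block with overflow-checked arithmetic, zero-fills it, and copies the empty name in one step, with no int-typed length to audit.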
I think the intent here is that the `name` flex-array would be the empty string (your "account for the flex array" confused me for a moment; I think the issue is that the array is supposed to be a NUL-terminated string, so we are really accounting for that).

So I think your "extend the memset" in the commit message is also "extend the malloc". We need a place to put that NUL byte (and what the patch is doing here is correct).

I'm likewise curious that this would show up on Windows and not elsewhere. It would be a non-problem on any system that defines `FLEX_ARRAY` to 1. But most compilers (especially modern Unix ones like gcc or clang) use the empty string, so I'd expect them to be vulnerable to the bug.

I do think this whole thing could be written as:

    FLEX_ALLOC_STR(dir->untracked->root, name, "");

That IMHO shows the intent more clearly, as well as getting rid of the manual computation (which is the reason I added those macros in the first place; I didn't catch this in my audits because it erroneously wasn't doing any computation in the first place!). It also avoids the use of `int` for storing a computed length (it's OK here because we know the name field is the empty string, but it would be likely to come up in a grep-based audit).
Thanks! I was hoping there was a better way to write that. (I must admit that after several hours of wandering aimlessly through the debugger and finally finding the problem, I didn't think to look for a FLEX_ macro to do it better.)
Use FLEX_ALLOC_STR() to allocate the `struct untracked_cache_dir` for the root directory. Get rid of unsafe code that might fail to initialize the `name` field (if FLEX_ARRAY is not 1). This will make it clear that we intend to have a structure with an empty string following it.

A problem was observed on Windows where the length of the memset() was too short, so the first byte of the name field was not zeroed. This resulted in the name field having garbage from a previous use of that area of memory. The record for the root directory was then written to the untracked-cache extension in the index. This garbage would then be visible to future commands when they reloaded the untracked-cache extension.

Since the directory record for the root directory had garbage in the `name` field, the `t/helper/test-tool dump-untracked-cache` tool printed this garbage as the path prefix (rather than '/') for each directory in the untracked cache as it recursed.

Signed-off-by: Jeff Hostetler <jeffhost@microsoft.com>
Force-pushed from a1bca7b to 931e131.
/submit

Submitted as pull.884.git.1614177117508.gitgitgadget@gmail.com
On the Git mailing list, Taylor Blau wrote (reply to this):

On the Git mailing list, Junio C Hamano wrote (reply to this):

On the Git mailing list, Jeff King wrote (reply to this):

On the Git mailing list, Jeff Hostetler wrote (reply to this):

On the Git mailing list, Jeff King wrote (reply to this):
This branch is now known as

This patch series was integrated into seen via git@ed3bf13.
This patch series was integrated into seen via git@23cc612.
This patch series was integrated into seen via git@d975fa7.
This patch series was integrated into next via git@79d1e40.
This patch series was integrated into seen via git@24f544c.
This patch series was integrated into seen via git@9889cff.
This patch series was integrated into next via git@9889cff.
This patch series was integrated into master via git@9889cff.
Closed via 9889cff.
cc: Taylor Blau me@ttaylorr.com
cc: Jeff King peff@peff.net
cc: Jeff Hostetler git@jeffhostetler.com