There is a potential problem with resolve_ref_unsafe() and some other functions in git. The return value returned by resolve_ref_unsafe() may be changed when the function is called again. Callers must make sure the next call won't happen as long as the value is still being used. It's usually hard to track down this kind of problem. Michael Haggerty has an idea [1] that, instead of passing the same static buffer to caller every time the function is called, we free the old buffer and allocate the new one. This way access to the old (now invalid) buffer may be caught. This patch applies the same principle for resolve_ref_unsafe() with a few modifications: - This behavior is enabled when GIT_DEBUG_MEMCHECK is set. The ability is always available. We may be able to ask users to rerun with this flag on in suspicious cases. - Rely on mmap/mprotect to catch illegal access. We need valgrind or some other memory tracking tool to reliably catch this in Michael's approach. - Because mprotect is used instead of munmap, we definitely leak memory. Hopefully callers will not put resolve_ref_unsafe() in a loop that runs 1 million times. - Save caller location in the allocated buffer so we know who made this call in the core dump. Also introduce a new target, "make memcheck", that runs tests with this flag on. [1] http://comments.gmane.org/gmane.comp.version-control.git/182209 Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@xxxxxxxxx> --- GIT_DEBUG_MEMCHECK should probably be ignored in Windows. Makefile | 3 +++ cache.h | 3 ++- git-compat-util.h | 9 +++++++++ refs.c | 14 ++++++++++++-- wrapper.c | 21 +++++++++++++++++++++ 5 files changed, 47 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index ee34eab..d671c64 100644 --- a/Makefile +++ b/Makefile @@ -2220,6 +2220,9 @@ export NO_SVN_TESTS test: all $(MAKE) -C t/ all +memcheck: all + GIT_DEBUG_MEMCHECK=1 $(MAKE) -C t/ all + test-ctype$X: ctype.o test-date$X: date.o ctype.o diff --git a/cache.h b/cache.h index 6b8ac8b..feb44a5 100644 --- a/cache.h +++ b/cache.h @@ -866,7 +866,8 @@ extern int read_ref(const char *filename, unsigned char *sha1); * * errno is sometimes set on errors, but not always. */ -extern const char *resolve_ref_unsafe(const char *ref, unsigned char *sha1, int reading, int *flag); +#define resolve_ref_unsafe(ref, sha1, reading, flag) resolve_ref_unsafe_real(ref, sha1, reading, flag, __FUNCTION__, __LINE__) +extern const char *resolve_ref_unsafe_real(const char *ref, unsigned char *sha1, int reading, int *flag, const char *file, int line); extern char *resolve_ref(const char *ref, unsigned char *sha1, int reading, int *flag); extern int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref); diff --git a/git-compat-util.h b/git-compat-util.h index 5ef8ff7..d00c9c6 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -432,6 +432,15 @@ extern char *xstrndup(const char *str, size_t len); extern void *xrealloc(void *ptr, size_t size); extern void *xcalloc(size_t nmemb, size_t size); extern void *xmmap(void *start, size_t length, int prot, int flags, int fd, off_t offset); + +/* + * These functions are used to allocate new memory. When the memory + * area is no longer used, ban all access to it so any illegal access + * can be caught. xfree_mmap() does not really free memory. + */ +extern void *xmalloc_mmap(size_t, const char *file, int line); +extern void xfree_mmap(void *); + extern ssize_t xread(int fd, void *buf, size_t len); extern ssize_t xwrite(int fd, const void *buf, size_t len); extern int xdup(int fd); diff --git a/refs.c b/refs.c index 28496ed..62d8a37 100644 --- a/refs.c +++ b/refs.c @@ -497,12 +497,22 @@ static int get_packed_ref(const char *ref, unsigned char *sha1) return -1; } -const char *resolve_ref_unsafe(const char *ref, unsigned char *sha1, int reading, int *flag) +const char *resolve_ref_unsafe_real(const char *ref, unsigned char *sha1, + int reading, int *flag, + const char *file, int line) { int depth = MAXDEPTH; ssize_t len; char buffer[256]; - static char ref_buffer[256]; + static char real_ref_buffer[256]; + static char *ref_buffer; + + if (!ref_buffer && !getenv("GIT_DEBUG_MEMCHECK")) + ref_buffer = real_ref_buffer; + if (ref_buffer != real_ref_buffer) { + xfree_mmap(ref_buffer); + ref_buffer = xmalloc_mmap(256, file, line); + } if (flag) *flag = 0; diff --git a/wrapper.c b/wrapper.c index 85f09df..3120d97 100644 --- a/wrapper.c +++ b/wrapper.c @@ -60,6 +60,27 @@ void *xmallocz(size_t size) return ret; } +void *xmalloc_mmap(size_t size, const char *file, int line) +{ + int *ret = mmap(NULL, size + sizeof(int*) * 3, + PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, + -1, 0); + if (ret == (int*)-1) + die_errno("unable to mmap %lu bytes anonymously", + (unsigned long)size); + + ret[0] = (int)file; + ret[1] = line; + ret[2] = size; + return ret + 3; +} + +void xfree_mmap(void *p) +{ + if (p && mprotect(((int*)p) - 3, ((int*)p)[-1], PROT_NONE) == -1) + die_errno("unable to remove memory access"); +} + /* * xmemdupz() allocates (len + 1) bytes of memory, duplicates "len" bytes of * "data" to the allocated memory, zero terminates the allocated memory, -- 1.7.4.74.g639db -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html