On Tue, Jan 15 2019, Josh Steadmon wrote: > fuzz-commit-graph identified a case where Git will read past the end of > a buffer containing a commit graph if the graph's header has an > incorrect chunk count. A simple bounds check in parse_commit_graph() > prevents this. This has a 2.21 regression where the test fails on NetBSD: https://gitlab.com/git-vcs/git-ci/-/jobs/164224275 > Signed-off-by: Josh Steadmon <steadmon@xxxxxxxxxx> > --- > commit-graph.c | 14 ++++++++++++-- > t/t5318-commit-graph.sh | 16 +++++++++++++--- > 2 files changed, 25 insertions(+), 5 deletions(-) > > diff --git a/commit-graph.c b/commit-graph.c > index 07dd410f3c..836d65a1d3 100644 > --- a/commit-graph.c > +++ b/commit-graph.c > @@ -165,10 +165,20 @@ struct commit_graph *parse_commit_graph(void *graph_map, int fd, > last_chunk_offset = 8; > chunk_lookup = data + 8; > for (i = 0; i < graph->num_chunks; i++) { > - uint32_t chunk_id = get_be32(chunk_lookup + 0); > - uint64_t chunk_offset = get_be64(chunk_lookup + 4); > + uint32_t chunk_id; > + uint64_t chunk_offset; > int chunk_repeated = 0; > > + if (data + graph_size - chunk_lookup < > + GRAPH_CHUNKLOOKUP_WIDTH) { > + error(_("chunk lookup table entry missing; graph file may be incomplete")); > + free(graph); > + return NULL; > + } > + > + chunk_id = get_be32(chunk_lookup + 0); > + chunk_offset = get_be64(chunk_lookup + 4); > + > chunk_lookup += GRAPH_CHUNKLOOKUP_WIDTH; > > if (chunk_offset > graph_size - GIT_MAX_RAWSZ) { > diff --git a/t/t5318-commit-graph.sh b/t/t5318-commit-graph.sh > index 5fe21db99f..694f26079f 100755 > --- a/t/t5318-commit-graph.sh > +++ b/t/t5318-commit-graph.sh > @@ -366,9 +366,10 @@ GRAPH_OCTOPUS_DATA_OFFSET=$(($GRAPH_COMMIT_DATA_OFFSET + \ > GRAPH_BYTE_OCTOPUS=$(($GRAPH_OCTOPUS_DATA_OFFSET + 4)) > GRAPH_BYTE_FOOTER=$(($GRAPH_OCTOPUS_DATA_OFFSET + 4 * $NUM_OCTOPUS_EDGES)) > > -# usage: corrupt_graph_and_verify <position> <data> <string> > +# usage: corrupt_graph_and_verify <position> <data> <string> [<zero_pos>] > # Manipulates the commit-graph file at the position > -# by inserting the data, then runs 'git commit-graph verify' > +# by inserting the data, optionally zeroing the file > +# starting at <zero_pos>, then runs 'git commit-graph verify' > # and places the output in the file 'err'. Test 'err' for > # the given string. > corrupt_graph_and_verify() { > @@ -376,11 +377,15 @@ corrupt_graph_and_verify() { > data="${2:-\0}" > grepstr=$3 > cd "$TRASH_DIRECTORY/full" && > + orig_size=$(wc -c < $objdir/info/commit-graph) && > + zero_pos=${4:-${orig_size}} && > test_when_finished mv commit-graph-backup $objdir/info/commit-graph && > cp $objdir/info/commit-graph commit-graph-backup && > printf "$data" | dd of="$objdir/info/commit-graph" bs=1 seek="$pos" conv=notrunc && > + dd of="$objdir/info/commit-graph" bs=1 seek="$zero_pos" count=0 && > + dd if=/dev/zero of="$objdir/info/commit-graph" bs=1 seek="$zero_pos" count=$(($orig_size - $zero_pos)) && In the limited time I had to dig it starts failing at test 46, when count=0 is given. dd on NetBSD exits with 127 when given count=0 it seems. > test_must_fail git commit-graph verify 2>test_err && > - grep -v "^+" test_err >err > + grep -v "^+" test_err >err && > test_i18ngrep "$grepstr" err > } > > @@ -484,6 +489,11 @@ test_expect_success 'detect invalid checksum hash' ' > "incorrect checksum" > ' > > +test_expect_success 'detect incorrect chunk count' ' > + corrupt_graph_and_verify $GRAPH_BYTE_CHUNK_COUNT "\377" \ > + "chunk lookup table entry missing" $GRAPH_CHUNK_LOOKUP_OFFSET > +' > + Hacking around the above (e.g. "dd ... || :") makes all the failing tests pass except this new one, which I didn't dig into.
