On 16/02/18 14:55, Adam Dinwoodie wrote:
> On 12 February 2018 at 08:08, Olga Telezhnaya wrote:
>> Add some tests for new formatting atoms from ref-filter.
>> Some of new atoms are supported automatically,
>> some of them are expanded into empty string
>> (because they are useless for some types of objects),
>> some of them could be supported later in other patches.
>
> This commit appears to be introducing failures in t1006 on Cygwin.
> Specifically, tests 15, 36, 58 and 89, all titled "Check %(refname)
> gives empty output", are failing on the pu branch at 21937aad4, and
> git bisect identifies this commit, 3c1571744 ("cat-file: tests for new
> atoms added", 2018-02-12), as the culprit.
Hi Adam, Olga,
Sparse has been complaining about this 'ot/cat-batch-format' branch for
a while, so I had already noted (apart from a symbol which should be
marked as static) something that looked somewhat off - namely, the on
stack initialisation of a 'struct ref_array_item' (builtin/cat-file.c,
line 246, in function batch_object_write()).
In particular, the 'struct ref_array_item' ends with a [FLEX_ARRAY] field
for the refname, so it clearly isn't meant to be declared on the stack.
The 'ref-filter' code uses a 'constructor' function called 'new_ref_array_\
item() which, among others, takes a 'refname' parameter with which to
initialise the refname FLEX_ARRAY field.
So, on Linux, if you build with SANITIZE=address and then run that test:
$ ./t1006-cat-file.sh -i -v
Initialized empty Git repository in /home/ramsay/git/t/trash
directory.t1006-cat-file/.git/
expecting success:
echo_without_newline "$hello_content" > hello &&
git update-index --add hello
ok 1 - setup
...
=================================================================
==12556==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff132f04a8 at pc 0x7f1c1b3ca20b bp 0x7fff132f00f0 sp 0x7fff132ef898
READ of size 4 at 0x7fff132f04a8 thread T0
#0 0x7f1c1b3ca20a in __interceptor_strlen
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
#1 0x6798cc in strbuf_addstr /home/ramsay/git/strbuf.h:273
#2 0x6798cc in quote_formatting /home/ramsay/git/ref-filter.c:496
#3 0x68325d in format_ref_array_item /home/ramsay/git/ref-filter.c:2238
#4 0x68358a in show_ref_array_item /home/ramsay/git/ref-filter.c:2262
#5 0x429866 in batch_object_write builtin/cat-file.c:252
#6 0x42b095 in batch_one_object builtin/cat-file.c:306
#7 0x42b095 in batch_objects builtin/cat-file.c:407
#8 0x42b095 in cmd_cat_file builtin/cat-file.c:528
#9 0x40d3cb in run_builtin /home/ramsay/git/git.c:346
#10 0x40d3cb in handle_builtin /home/ramsay/git/git.c:556
#11 0x40f8ae in run_argv /home/ramsay/git/git.c:608
#12 0x40f8ae in cmd_main /home/ramsay/git/git.c:685
#13 0x40b667 in main /home/ramsay/git/common-main.c:43
#14 0x7f1c1ab7982f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#15 0x40ce38 in _start (/home/ramsay/git/git+0x40ce38)
Address 0x7fff132f04a8 is located in stack of thread T0 at offset 328 in frame
#0 0x4296ff in batch_object_write builtin/cat-file.c:245
This frame has 4 object(s):
[32, 36) 'type'
[96, 104) 'contents'
[160, 168) 'size'
[224, 328) 'item' <== Memory access at offset 328 overflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
0x100062656040: 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
0x100062656050: 00 00 00 00 f1 f1 f1 f1 00 00 00 f4 f3 f3 f3 f3
0x100062656060: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100062656070: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
0x100062656080: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
=>0x100062656090: 00 00 00 00 00[f4]f4 f4 f3 f3 f3 f3 00 00 00 00
0x1000626560a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1000626560b0: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
0x1000626560c0: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
0x1000626560d0: 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2
0x1000626560e0: 00 00 00 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==12556==ABORTING
Aborted (core dumped)
not ok 15 - Check %(refname) gives empty output
#
# echo "$expected" >expect &&
# echo $sha1 | git cat-file --batch-check="$atoms" >actual &&
# test_cmp expect actual
#
$
... you get a stack-overflow at that very stackframe. Incidentally, the
output from the failed test #15 on cygwin always looked the same:
$ xxd actual
00000000: a0c4 ffff 0a .....
$
So, just as an experiment, I tried changing that variable to a heap
variable and initialising it with an empty ("") refname:
diff --git a/builtin/cat-file.c b/builtin/cat-file.c
index c9d83ceff..12a743034 100644
--- a/builtin/cat-file.c
+++ b/builtin/cat-file.c
@@ -243,19 +243,20 @@ static void print_object_or_die(struct batch_options
*opt, struct expand_data *d
static void batch_object_write(const char *obj_name, struct batch_options
*opt,
struct expand_data *data)
{
- struct ref_array_item item = {0};
+ struct ref_array_item *item;
- item.oid = data->oid;
- item.rest = data->rest;
- item.objectname = obj_name;
+ FLEX_ALLOC_STR(item, refname, "");
+ item->oid = data->oid;
+ item->rest = data->rest;
+ item->objectname = obj_name;
- if (show_ref_array_item(&item, &opt->format))
+ if (show_ref_array_item(item, &opt->format))
return;
if (!opt->buffer_output)
fflush(stdout);
if (opt->print_contents) {
- data->type = item.type;
+ data->type = item->type;
print_object_or_die(opt, data);
batch_write(opt, "\n", 1);
}
--
... and now this test passes on cygwin (and the SANITIZE build on Linux).
Of course, this is not a real fix, since this has probably only changed
the stack-overflow into an un-diagnosed heap-overflow bug! ;-)
However, the above should provide enough info for someone more familiar
with the code to implement a correct fix.
[BTW, the symbol that should be marked static is: cat_file_info, in file
ref-filter.c, line 103.]
ATB,
Ramsay Jones
