Crash when using git blame on untracked file

Crash when using git blame on untracked file

[Simon Ruderich]

[-- Attachment #1: Type: text/plain, Size: 1274 bytes --]

Hello,

I'm seeing the following crash with Git 2.9.3 on Debian sid
(amd64):

    $ git init foo
    $ cd foo
    $ touch x
    $ git add x
    $ git commit -m test
    $ touch x.conf
    $ git blame x.conf
    segmentation fault

I've tested it on Debian stable's 2.1.4 which works fine:

    $ git blame x.conf
    fatal: no such path 'x.conf' in HEAD

It requires the blamed file to be present, but in some cases it
works only if the file e.g. "x" is already tracked in Git and the
other file is called "x.conf" (".conf"-suffix). But in an empty
repo it seems to happen always.

Sadly Debian's git has no dbg-package, so the stacktrace is not
very useful:

    #0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
    #1  0x000000000041ad7a in ?? ()
    #2  0x0000000000406171 in ?? ()
    #3  0x0000000000405321 in ?? ()
    #4  0x00007ffff6f9f700 in __libc_start_main (main=0x4051c0, argc=0x3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
        at ../csu/libc-start.c:291
    #5  0x00000000004057d9 in ?? ()

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: Crash when using git blame on untracked file

[Thomas Gummerer]

Hi,

On 08/27, Simon Ruderich wrote:
> Hello,
> 
> I'm seeing the following crash with Git 2.9.3 on Debian sid
> (amd64):
> 
>     $ git init foo
>     $ cd foo
>     $ touch x
>     $ git add x
>     $ git commit -m test
>     $ touch x.conf
>     $ git blame x.conf
>     segmentation fault
> 
> I've tested it on Debian stable's 2.1.4 which works fine:
> 
>     $ git blame x.conf
>     fatal: no such path 'x.conf' in HEAD
> 
> It requires the blamed file to be present, but in some cases it
> works only if the file e.g. "x" is already tracked in Git and the
> other file is called "x.conf" (".conf"-suffix). But in an empty
> repo it seems to happen always.
> 
> Sadly Debian's git has no dbg-package, so the stacktrace is not
> very useful:
> 
>     #0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
>     #1  0x000000000041ad7a in ?? ()
>     #2  0x0000000000406171 in ?? ()
>     #3  0x0000000000405321 in ?? ()
>     #4  0x00007ffff6f9f700 in __libc_start_main (main=0x4051c0, argc=0x3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
>         at ../csu/libc-start.c:291
>     #5  0x00000000004057d9 in ?? ()
> 

Thank you very much for the bug report.  A proposed fix for it below:

--- >8 ---
Subject: [PATCH] blame: fix segfault on untracked files

Since 3b75ee9 ("blame: allow to blame paths freshly added to the index",
2016-07-16) git blame also looks at the index to determine if there is a
file that was freshly added to the index.

cache_name_pos returns -pos - 1 in case there is no match is found, or
if the name matches, but the entry has a stage other than 0.  As git
blame should work for unmerged files, it uses strcmp to determine
whether the name of the returned position matches, in which case the
file exists, but is merely unmerged, or if the file actually doesn't
exist in the index.

If the repository is empty, or if the file would lexicographically be
sorted as the last file in the repository, -cache_name_pos - 1 is
outside of the length of the active_cache array, causing git blame to
segfault.  Guard against that, and die() normally to restore the old
behaviour.

Reported-by: Simon Ruderich <simon@ruderich.org>
Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com>
---
 builtin/blame.c  | 3 ++-
 t/t8002-blame.sh | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/builtin/blame.c b/builtin/blame.c
index 7ec7823..a5bbf91 100644
--- a/builtin/blame.c
+++ b/builtin/blame.c
@@ -2244,7 +2244,8 @@ static void verify_working_tree_path(struct commit *work_tree, const char *path)
 	pos = cache_name_pos(path, strlen(path));
 	if (pos >= 0)
 		; /* path is in the index */
-	else if (!strcmp(active_cache[-1 - pos]->name, path))
+	else if (-1 - pos < active_nr &&
+		 !strcmp(active_cache[-1 - pos]->name, path))
 		; /* path is in the index, unmerged */
 	else
 		die("no such path '%s' in HEAD", path);
diff --git a/t/t8002-blame.sh b/t/t8002-blame.sh
index ff09ace..7983bb7 100755
--- a/t/t8002-blame.sh
+++ b/t/t8002-blame.sh
@@ -6,6 +6,13 @@ test_description='git blame'
 PROG='git blame -c'
 . "$TEST_DIRECTORY"/annotate-tests.sh
 
+test_expect_success 'blame untracked file in empty repo' '
+	touch untracked &&
+	test_must_fail git blame untracked 2>actual.err &&
+	echo "fatal: no such path '\''untracked'\'' in HEAD" >expected.err &&
+	test_cmp expected.err actual.err
+'
+
 PROG='git blame -c -e'
 test_expect_success 'blame --show-email' '
 	check_count \
-- 
2.8.4.1.g3b75ee9

Re: Crash when using git blame on untracked file

[Junio C Hamano]

Thomas Gummerer <t.gummerer@gmail.com> writes:

> Subject: [PATCH] blame: fix segfault on untracked files
>
> Since 3b75ee9 ("blame: allow to blame paths freshly added to the index",
> 2016-07-16) git blame also looks at the index to determine if there is a
> file that was freshly added to the index.
>
> cache_name_pos returns -pos - 1 in case there is no match is found, or
> if the name matches, but the entry has a stage other than 0.  As git
> blame should work for unmerged files, it uses strcmp to determine
> whether the name of the returned position matches, in which case the
> file exists, but is merely unmerged, or if the file actually doesn't
> exist in the index.
>
> If the repository is empty, or if the file would lexicographically be
> sorted as the last file in the repository, -cache_name_pos - 1 is
> outside of the length of the active_cache array, causing git blame to
> segfault.  Guard against that, and die() normally to restore the old
> behaviour.
>
> Reported-by: Simon Ruderich <simon@ruderich.org>
> Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com>
> ---

This is a recent regression and unfortunately is also in 2.9.3; the
patch looks obviously correct.

>  builtin/blame.c  | 3 ++-
>  t/t8002-blame.sh | 7 +++++++
>  2 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/builtin/blame.c b/builtin/blame.c
> index 7ec7823..a5bbf91 100644
> --- a/builtin/blame.c
> +++ b/builtin/blame.c
> @@ -2244,7 +2244,8 @@ static void verify_working_tree_path(struct commit *work_tree, const char *path)
>  	pos = cache_name_pos(path, strlen(path));
>  	if (pos >= 0)
>  		; /* path is in the index */
> -	else if (!strcmp(active_cache[-1 - pos]->name, path))
> +	else if (-1 - pos < active_nr &&
> +		 !strcmp(active_cache[-1 - pos]->name, path))
>  		; /* path is in the index, unmerged */
>  	else
>  		die("no such path '%s' in HEAD", path);
> diff --git a/t/t8002-blame.sh b/t/t8002-blame.sh
> index ff09ace..7983bb7 100755
> --- a/t/t8002-blame.sh
> +++ b/t/t8002-blame.sh
> @@ -6,6 +6,13 @@ test_description='git blame'
>  PROG='git blame -c'
>  . "$TEST_DIRECTORY"/annotate-tests.sh
>  
> +test_expect_success 'blame untracked file in empty repo' '
> +	touch untracked &&
> +	test_must_fail git blame untracked 2>actual.err &&
> +	echo "fatal: no such path '\''untracked'\'' in HEAD" >expected.err &&
> +	test_cmp expected.err actual.err
> +'

The point of this fix is not that we show the exact error message,
but we fail in a controlled manner.  I think

        test_expect_success 'blame untracked file in empty repo' '
                >untracked &&
                test_must_fail git blame untracked
        '

is sufficient.

Thanks.

>  PROG='git blame -c -e'
>  test_expect_success 'blame --show-email' '
>  	check_count \

[PATCH v2] blame: fix segfault on untracked files

[Thomas Gummerer]

Since 3b75ee9 ("blame: allow to blame paths freshly added to the index",
2016-07-16) git blame also looks at the index to determine if there is a
file that was freshly added to the index.

cache_name_pos returns -pos - 1 in case there is no match is found, or
if the name matches, but the entry has a stage other than 0.  As git
blame should work for unmerged files, it uses strcmp to determine
whether the name of the returned position matches, in which case the
file exists, but is merely unmerged, or if the file actually doesn't
exist in the index.

If the repository is empty, or if the file would lexicographically be
sorted as the last file in the repository, -cache_name_pos - 1 is
outside of the length of the active_cache array, causing git blame to
segfault.  Guard against that, and die() normally to restore the old
behaviour.

Reported-by: Simon Ruderich <simon@ruderich.org>
Helped-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com>
---
> The point of this fix is not that we show the exact error message,
> but we fail in a controlled manner.  I think
>
> test_expect_success 'blame untracked file in empty repo' '
>                >untracked &&
>                test_must_fail git blame untracked
>        '
>
> is sufficient.

Yeah, I agree with that.

Thanks for the review!

 builtin/blame.c  | 3 ++-
 t/t8002-blame.sh | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/builtin/blame.c b/builtin/blame.c
index 7ec7823..a5bbf91 100644
--- a/builtin/blame.c
+++ b/builtin/blame.c
@@ -2244,7 +2244,8 @@ static void verify_working_tree_path(struct commit *work_tree, const char *path)
 	pos = cache_name_pos(path, strlen(path));
 	if (pos >= 0)
 		; /* path is in the index */
-	else if (!strcmp(active_cache[-1 - pos]->name, path))
+	else if (-1 - pos < active_nr &&
+		 !strcmp(active_cache[-1 - pos]->name, path))
 		; /* path is in the index, unmerged */
 	else
 		die("no such path '%s' in HEAD", path);
diff --git a/t/t8002-blame.sh b/t/t8002-blame.sh
index ff09ace..ab79de9 100755
--- a/t/t8002-blame.sh
+++ b/t/t8002-blame.sh
@@ -6,6 +6,11 @@ test_description='git blame'
 PROG='git blame -c'
 . "$TEST_DIRECTORY"/annotate-tests.sh
 
+test_expect_success 'blame untracked file in empty repo' '
+	>untracked &&
+	test_must_fail git blame untracked
+'
+
 PROG='git blame -c -e'
 test_expect_success 'blame --show-email' '
 	check_count \
-- 
2.10.0.rc2.246.g4fd2c60

Re: [PATCH v2] blame: fix segfault on untracked files

[Junio C Hamano]

Thomas Gummerer <t.gummerer@gmail.com> writes:

>> The point of this fix is not that we show the exact error message,
>> but we fail in a controlled manner.  I think
>>
>> test_expect_success 'blame untracked file in empty repo' '
>>                >untracked &&
>>                test_must_fail git blame untracked
>>        '
>>
>> is sufficient.
>
> Yeah, I agree with that.
>
> Thanks for the review!

Thanks for a quick follow-up fix during -rc period.

>>  builtin/blame.c  | 3 ++-
>  t/t8002-blame.sh | 5 +++++
>  2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/builtin/blame.c b/builtin/blame.c
> index 7ec7823..a5bbf91 100644
> --- a/builtin/blame.c
> +++ b/builtin/blame.c
> @@ -2244,7 +2244,8 @@ static void verify_working_tree_path(struct commit *work_tree, const char *path)
>  	pos = cache_name_pos(path, strlen(path));
>  	if (pos >= 0)
>  		; /* path is in the index */
> -	else if (!strcmp(active_cache[-1 - pos]->name, path))
> +	else if (-1 - pos < active_nr &&
> +		 !strcmp(active_cache[-1 - pos]->name, path))
>  		; /* path is in the index, unmerged */
>  	else
>  		die("no such path '%s' in HEAD", path);
> diff --git a/t/t8002-blame.sh b/t/t8002-blame.sh
> index ff09ace..ab79de9 100755
> --- a/t/t8002-blame.sh
> +++ b/t/t8002-blame.sh
> @@ -6,6 +6,11 @@ test_description='git blame'
>  PROG='git blame -c'
>  . "$TEST_DIRECTORY"/annotate-tests.sh
>  
> +test_expect_success 'blame untracked file in empty repo' '
> +	>untracked &&
> +	test_must_fail git blame untracked
> +'
> +
>  PROG='git blame -c -e'
>  test_expect_success 'blame --show-email' '
>  	check_count \