Re: [PATCH 1/2] sequencer: fix "rebase -i --root" corrupting author header

From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Eric Sunshine <sunshine@sunshineco.com>
Cc: git@vger.kernel.org, Phillip Wood <phillip.wood@talktalk.net>,
	Akinori MUSHA <knu@iDaemons.org>,
	Junio C Hamano <gitster@pobox.com>
Subject: Re: [PATCH 1/2] sequencer: fix "rebase -i --root" corrupting author header
Date: Mon, 30 Jul 2018 17:44:23 +0200 (DST)	[thread overview]
Message-ID: <nycvar.QRO.7.76.6.1807301744090.10478@tvgsbejvaqbjf.bet> (raw)
In-Reply-To: <20180730092929.71114-2-sunshine@sunshineco.com>

Hi Eric,

On Mon, 30 Jul 2018, Eric Sunshine wrote:

> When "git rebase -i --root" creates a new root commit (say, by swapping
> in a different commit for the root), it corrupts the commit's "author"
> header with trailing garbage:
> 
>     author A U Thor <author@example.com> @1112912773 -07000or@example.com
> 
> This is a result of read_author_ident() neglecting to NUL-terminate the
> buffer into which it composes the "author" header.
> 
> (Note that the extra "0" in the timezone is a separate bug which will be
> fixed subsequently.)
> 
> Security considerations: Construction of the "author" header by
> read_author_ident() happens in-place and in parallel with parsing the
> content of "rebase-merge/author-script" which occupies the same buffer.
> This is possible because the constructed "author" header is always
> smaller than the content of "rebase-merge/author-script". Despite
> neglecting to NUL-terminate the constructed "author" header, memory is
> never accessed (either by read_author_ident() or its caller) beyond the
> allocated buffer since a NUL-terminator is present at the end of the
> loaded "rebase-merge/author-script" content, and additional NUL's are
> inserted as part of the parsing process.
> 
> Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>

ACK!

Thanks,
Dscho

> ---
>  sequencer.c                   |  2 +-
>  t/t3404-rebase-interactive.sh | 10 +++++++++-
>  2 files changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/sequencer.c b/sequencer.c
> index 16c1411054..78864d9072 100644
> --- a/sequencer.c
> +++ b/sequencer.c
> @@ -744,7 +744,7 @@ static const char *read_author_ident(struct strbuf *buf)
>  		return NULL;
>  	}
>  
> -	buf->len = out - buf->buf;
> +	strbuf_setlen(buf, out - buf->buf);
>  	return buf->buf;
>  }
>  
> diff --git a/t/t3404-rebase-interactive.sh b/t/t3404-rebase-interactive.sh
> index 01616901bd..8509c89a26 100755
> --- a/t/t3404-rebase-interactive.sh
> +++ b/t/t3404-rebase-interactive.sh
> @@ -1238,7 +1238,7 @@ rebase_setup_and_clean () {
>  		test_might_fail git branch -D $1 &&
>  		test_might_fail git rebase --abort
>  	" &&
> -	git checkout -b $1 master
> +	git checkout -b $1 ${2:-master}
>  }
>  
>  test_expect_success 'drop' '
> @@ -1415,4 +1415,12 @@ test_expect_success 'rebase -i --gpg-sign=<key-id> overrides commit.gpgSign' '
>  	test_i18ngrep "$SQ-S\"S I Gner\"$SQ" err
>  '
>  
> +test_expect_success 'valid author header after --root swap' '
> +	rebase_setup_and_clean author-header no-conflict-branch &&
> +	set_fake_editor &&
> +	FAKE_LINES="2 1" git rebase -i --root &&
> +	git cat-file commit HEAD^ >out &&
> +	grep "^author ..* @[0-9][0-9]* [-+][0-9][0-9]*$" out
> +'
> +
>  test_done
> -- 
> 2.18.0.597.ga71716f1ad
> 
> 