git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jeff King <peff@peff.net>
To: Luat Nguyen <root@l4w.io>
Cc: git@vger.kernel.org
Subject: [PATCH 4/3] ewah: adjust callers of ewah_read_mmap()
Date: Thu, 14 Jun 2018 23:44:43 -0400	[thread overview]
Message-ID: <20180615034442.GA14422@sigill.intra.peff.net> (raw)
In-Reply-To: <20180615032850.GA23241@sigill.intra.peff.net>

On Thu, Jun 14, 2018 at 11:28:50PM -0400, Jeff King wrote:

> Yep. We also fail to check if we even have enough bytes to read the
> buffer_size in the first place.
> 
> Here are some patches. The first one fixes the problem you found. The
> second one drops some dead code that has a related problem. And the
> third just drops some dead code that I noticed in the same file. :)
> 
>   [1/3]: ewah_read_mmap: bounds-check mmap reads
>   [2/3]: ewah: drop ewah_deserialize function
>   [3/3]: ewah: drop ewah_serialize_native function

Actually, we'd want this one on top. Arguably it could be squashed into
patch 1.

-- >8 --
Subject: ewah: adjust callers of ewah_read_mmap()

The return value of ewah_read_mmap() is now an ssize_t,
since we could (in theory) process up to 32GB of data. This
would never happen in practice, but a corrupt or malicious
.bitmap or index file could convince us to do so.

Let's make sure that we don't stuff the value into an int,
which would cause us to incorrectly move our pointer
forward.  We'd always move too little, since negative values
are used for reporting errors. So the worst case is just
that we end up reporting a corrupt file, not an
out-of-bounds read.

Signed-off-by: Jeff King <peff@peff.net>
---
 dir.c         | 3 ++-
 pack-bitmap.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/dir.c b/dir.c
index 61b513a078..d5185660f1 100644
--- a/dir.c
+++ b/dir.c
@@ -2725,7 +2725,8 @@ struct untracked_cache *read_untracked_extension(const void *data, unsigned long
 	struct read_data rd;
 	const unsigned char *next = data, *end = (const unsigned char *)data + sz;
 	const char *ident;
-	int ident_len, len;
+	int ident_len;
+	ssize_t len;
 	const char *exclude_per_dir;
 
 	if (sz <= 1 || end[-1] != '\0')
diff --git a/pack-bitmap.c b/pack-bitmap.c
index 369bf69d75..2f27b10e35 100644
--- a/pack-bitmap.c
+++ b/pack-bitmap.c
@@ -125,7 +125,7 @@ static struct ewah_bitmap *read_bitmap_1(struct bitmap_index *index)
 {
 	struct ewah_bitmap *b = ewah_pool_new();
 
-	int bitmap_size = ewah_read_mmap(b,
+	ssize_t bitmap_size = ewah_read_mmap(b,
 		index->map + index->map_pos,
 		index->map_size - index->map_pos);
 
-- 
2.18.0.rc2.534.g53d976aeb8


  parent reply	other threads:[~2018-06-15  3:44 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-14 22:59 security: potential out-of-bound read at ewah_io.c |ewah_read_mmap| Luat Nguyen
2018-06-15  3:28 ` Jeff King
2018-06-15  3:31   ` [PATCH 1/3] ewah_read_mmap: bounds-check mmap reads Jeff King
2018-06-15  9:14     ` SZEDER Gábor
2018-06-15 16:20       ` Junio C Hamano
2018-06-15 17:10         ` SZEDER Gábor
2018-06-15 17:21           ` Jeff King
2018-06-15 19:42             ` Junio C Hamano
2018-06-15 17:05     ` Junio C Hamano
2018-06-15 17:26       ` Jeff King
2018-06-15 19:44         ` Junio C Hamano
2018-06-16 14:35     ` SZEDER Gábor
2018-06-16 19:14       ` Jeff King
2018-06-15  3:31   ` [PATCH 2/3] ewah: drop ewah_deserialize function Jeff King
2018-06-15  3:32   ` [PATCH 3/3] ewah: drop ewah_serialize_native function Jeff King
2018-06-15 13:56     ` Ramsay Jones
2018-06-15 14:07       ` Ramsay Jones
2018-06-15 14:30         ` [PATCH 0/8] Delete unused methods in EWAH bitmap Derrick Stolee
2018-06-15 14:30           ` [PATCH 1/8] ewah/bitmap.c: delete unused 'bitmap_clear()' Derrick Stolee
2018-06-15 14:46             ` Ramsay Jones
2018-06-15 15:11               ` Derrick Stolee
2018-06-15 14:30           ` [PATCH 2/8] ewah/bitmap.c: delete unused 'bitmap_each_bit()' Derrick Stolee
2018-06-15 15:03             ` Ramsay Jones
2018-06-15 14:30           ` [PATCH 3/8] ewah_bitmap: delete unused 'ewah_and()' Derrick Stolee
2018-06-15 14:30           ` [PATCH 4/8] ewah_bitmap: delete unused 'ewah_and_not()' Derrick Stolee
2018-06-15 14:30           ` [PATCH 5/8] ewah_bitmap: delete unused 'ewah_not()' Derrick Stolee
2018-06-15 14:30           ` [PATCH 6/8] ewah_bitmap: delete unused 'ewah_or()' Derrick Stolee
2018-06-15 14:30           ` [PATCH 7/8] ewah_io: delete unused 'ewah_serialize()' Derrick Stolee
2018-06-15 14:30           ` [PATCH 8/8] ewah_io: delete unused 'ewah_serialize_native()' Derrick Stolee
2018-06-15 15:01             ` Ramsay Jones
2018-06-15 15:10               ` Derrick Stolee
2018-06-15 14:35           ` [PATCH 0/8] Delete unused methods in EWAH bitmap Derrick Stolee
2018-06-15 18:27           ` [PATCH v2 0/7] " Derrick Stolee
2018-06-15 18:27             ` [PATCH v2 1/7] ewah/bitmap.c: delete unused 'bitmap_clear()' Derrick Stolee
2018-06-15 18:27             ` [PATCH v2 2/7] ewah/bitmap.c: delete unused 'bitmap_each_bit()' Derrick Stolee
2018-06-15 18:27             ` [PATCH v2 3/7] ewah_bitmap: delete unused 'ewah_and()' Derrick Stolee
2018-06-15 18:27             ` [PATCH v2 4/7] ewah_bitmap: delete unused 'ewah_and_not()' Derrick Stolee
2018-06-15 18:27             ` [PATCH v2 5/7] ewah_bitmap: delete unused 'ewah_not()' Derrick Stolee
2018-06-15 18:27             ` [PATCH v2 6/7] ewah_bitmap: delete unused 'ewah_or()' Derrick Stolee
2018-06-15 18:27             ` [PATCH v2 7/7] ewah_io: delete unused 'ewah_serialize()' Derrick Stolee
2018-06-15 18:51             ` [PATCH v2 0/7] Delete unused methods in EWAH bitmap Junio C Hamano
2018-06-15 18:56               ` Derrick Stolee
2018-06-15 19:48                 ` Junio C Hamano
2018-06-15 20:35                   ` Jeff King
2018-06-15 14:15       ` [PATCH 3/3] ewah: drop ewah_serialize_native function Derrick Stolee
2018-06-15 17:51         ` Jeff King
2018-06-15 18:33           ` Junio C Hamano
2018-06-15 18:46             ` Jeff King
2018-06-15  3:44   ` Jeff King [this message]
2018-06-15 11:23     ` [PATCH 4/3] ewah: adjust callers of ewah_read_mmap() Derrick Stolee
2018-06-15 16:41       ` Junio C Hamano
2018-06-15 17:31         ` Jeff King
2018-06-15 18:23           ` Derrick Stolee
2018-06-15 20:38             ` Jeff King
2018-06-15 17:12     ` Junio C Hamano
2018-06-15 16:11   ` security: potential out-of-bound read at ewah_io.c |ewah_read_mmap| Junio C Hamano
2018-06-19 19:00 ` Dyer, Edwin
2018-06-19 19:56   ` Jeff King

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180615034442.GA14422@sigill.intra.peff.net \
    --to=peff@peff.net \
    --cc=git@vger.kernel.org \
    --cc=root@l4w.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).