From: Ori Bernstein <ori@eigenstate.org>
To: git@vger.kernel.org
Cc: Ori Bernstein <ori@eigenstate.org>
Subject: [PATCH] Avoid infinite loop in malformed packfiles
Date: Sat, 22 Aug 2020 20:11:52 -0700 [thread overview]
Message-ID: <20200823031151.10985-1-ori@eigenstate.org> (raw)
In-Reply-To: <20200823005236.10386-1-ori@eigenstate.org>
In packfile.c:1680, there's an infinite loop that tries to get
to the base of a packfile. With offset deltas, the offset needs
to be greater than 0, so it's always walking backwards, and the
search is guaranteed to terminate.
With reference deltas, there's no check for a cycle in the
references, so a cyclic reference will cause git to loop
infinitely, growing the delta_stack infinitely, which will
cause it to consume all available memory as as a full CPU
core.
This change puts an arbitrary limit of 10,000 on the number
of iterations we make when chasing down a base commit, to
prevent looping forever, using all available memory growing
the delta stack.
Signed-off-by: Ori Bernstein <ori@eigenstate.org>
---
packfile.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/packfile.c b/packfile.c
index 6ab5233613..321e002c50 100644
--- a/packfile.c
+++ b/packfile.c
@@ -1633,6 +1633,7 @@ static void write_pack_access_log(struct packed_git *p, off_t obj_offset)
int do_check_packed_object_crc;
+#define UNPACK_ENTRY_STACK_LIMIT 10000
#define UNPACK_ENTRY_STACK_PREALLOC 64
struct unpack_entry_stack_ent {
off_t obj_offset;
@@ -1715,6 +1716,12 @@ void *unpack_entry(struct repository *r, struct packed_git *p, off_t obj_offset,
break;
}
+ if (delta_stack_nr > UNPACK_ENTRY_STACK_LIMIT) {
+ error("overlong delta chain at offset %jd from %s",
+ (uintmax_t)curpos, p->pack_name);
+ goto out;
+ }
+
/* push object, proceed to base */
if (delta_stack_nr >= delta_stack_alloc
&& delta_stack == small_delta_stack) {
--
2.27.0
next prev parent reply other threads:[~2020-08-23 3:12 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-23 0:52 [PATCH] Avoid infinite loop in malformed packfiles Ori Bernstein
2020-08-23 2:52 ` ori
2020-08-23 3:08 ` Eric Sunshine
2020-08-23 3:11 ` Ori Bernstein [this message]
2020-08-23 6:26 ` René Scharfe
2020-08-23 20:41 ` Ori Bernstein
2020-08-24 16:06 ` René Scharfe
2020-08-24 20:12 ` Jeff King
2020-08-24 20:38 ` Junio C Hamano
2020-08-24 20:52 ` Jeff King
2020-08-24 21:22 ` Junio C Hamano
2020-08-30 3:33 ` ori
2020-08-30 10:56 ` René Scharfe
2020-08-30 16:15 ` Junio C Hamano
2020-08-31 9:29 ` Jeff King
2020-08-31 16:32 ` Junio C Hamano
2020-08-31 19:23 ` Jeff King
2020-08-31 16:50 ` ori
2020-08-24 17:33 ` Junio C Hamano
2020-08-24 20:30 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200823031151.10985-1-ori@eigenstate.org \
--to=ori@eigenstate.org \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.