chunk-format: note that pair_chunk() is unsafe

The pair_chunk() function is provided as an easy helper for parsing
chunks that just want a pointer to a set of bytes. But every caller has
a hidden bug: because we return only the pointer without the matching
chunk size, the callers have no clue how many bytes they are allowed to
look at. And as a result, they may read off the end of the mmap'd data
when the on-disk file does not match their expectations.

Since chunk files are typically used for local-repository data like
commit-graph files and midx's, the security implications here are pretty
mild. The worst that can happen is that you hand somebody a corrupted
repository tarball, and running Git on it does an out-of-bounds read and
crashes. So it's worth being more defensive, but we don't need to drop
everything and fix every caller immediately.

I noticed the problem because the pair_chunk_fn() callback does not look
at its chunk_size argument, and wanted to annotate it to silence
-Wunused-parameter. We could do that now, but we'd lose the hint that
this code should be audited and fixed.

So instead, let's set ourselves up for going down that path:

  1. Provide a pair_chunk() function that does return the size, which
     prepares us for fixing these cases.

  2. Rename the existing function to pair_chunk_unsafe(). That gives us
     an easy way to grep for cases which still need to be fixed, and the
     name should cause anybody adding new calls to think twice before
     using it.

There are no callers of the "safe" version yet, but we'll add some in
subsequent patches.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/chunk-format.c b/chunk-format.c
index 140dfa0dcc4629fec59f723d025ec36019ff29eb..8d910e23f60ca1a78d213ec671b5733c29f86891 100644 (file)
--- a/chunk-format.c
+++ b/chunk-format.c
@@ -154,20 +154,36 @@ int read_table_of_contents(struct chunkfile *cf,
        return 0;
 }
 
+struct pair_chunk_data {
+       const unsigned char **p;
+       size_t *size;
+};
+
 static int pair_chunk_fn(const unsigned char *chunk_start,
                         size_t chunk_size,
                         void *data)
 {
-       const unsigned char **p = data;
-       *p = chunk_start;
+       struct pair_chunk_data *pcd = data;
+       *pcd->p = chunk_start;
+       *pcd->size = chunk_size;
        return 0;
 }
 
 int pair_chunk(struct chunkfile *cf,
               uint32_t chunk_id,
-              const unsigned char **p)
+              const unsigned char **p,
+              size_t *size)
+{
+       struct pair_chunk_data pcd = { .p = p, .size = size };
+       return read_chunk(cf, chunk_id, pair_chunk_fn, &pcd);
+}
+
+int pair_chunk_unsafe(struct chunkfile *cf,
+                     uint32_t chunk_id,
+                     const unsigned char **p)
 {
-       return read_chunk(cf, chunk_id, pair_chunk_fn, p);
+       size_t dummy;
+       return pair_chunk(cf, chunk_id, p, &dummy);
 }
 
 int read_chunk(struct chunkfile *cf,

diff --git a/chunk-format.h b/chunk-format.h
index c7794e84adda364bc0ad14a3d1d61467d73eaadd..8dce7967f4a93f4396d5c52415a35cb1cc286966 100644 (file)
--- a/chunk-format.h
+++ b/chunk-format.h
@@ -43,13 +43,28 @@ int read_table_of_contents(struct chunkfile *cf,
 /*
  * Find 'chunk_id' in the given chunkfile and assign the
  * given pointer to the position in the mmap'd file where
- * that chunk begins.
+ * that chunk begins. Likewise the "size" parameter is filled
+ * with the size of the chunk.
  *
  * Returns CHUNK_NOT_FOUND if the chunk does not exist.
  */
 int pair_chunk(struct chunkfile *cf,
               uint32_t chunk_id,
-              const unsigned char **p);
+              const unsigned char **p,
+              size_t *size);
+
+/*
+ * Unsafe version of pair_chunk; it does not return the size,
+ * meaning that the caller cannot possibly be careful about
+ * reading out of bounds from the mapped memory.
+ *
+ * No new callers should use this function, and old callers should
+ * be audited and migrated over to using the regular pair_chunk()
+ * function.
+ */
+int pair_chunk_unsafe(struct chunkfile *cf,
+                     uint32_t chunk_id,
+                     const unsigned char **p);
 
 typedef int (*chunk_read_fn)(const unsigned char *chunk_start,
                             size_t chunk_size, void *data);

diff --git a/commit-graph.c b/commit-graph.c
index 1a56efcf69033dad73d56e448874c41a74ffda1e..a689a55b79a8d13054816a55f0c89ca50af957d4 100644 (file)
--- a/commit-graph.c
+++ b/commit-graph.c
@@ -394,17 +394,17 @@ struct commit_graph *parse_commit_graph(struct repo_settings *s,
                                   GRAPH_HEADER_SIZE, graph->num_chunks))
                goto free_and_return;
 
-       pair_chunk(cf, GRAPH_CHUNKID_OIDFANOUT,
+       pair_chunk_unsafe(cf, GRAPH_CHUNKID_OIDFANOUT,
                   (const unsigned char **)&graph->chunk_oid_fanout);
        read_chunk(cf, GRAPH_CHUNKID_OIDLOOKUP, graph_read_oid_lookup, graph);
-       pair_chunk(cf, GRAPH_CHUNKID_DATA, &graph->chunk_commit_data);
-       pair_chunk(cf, GRAPH_CHUNKID_EXTRAEDGES, &graph->chunk_extra_edges);
-       pair_chunk(cf, GRAPH_CHUNKID_BASE, &graph->chunk_base_graphs);
+       pair_chunk_unsafe(cf, GRAPH_CHUNKID_DATA, &graph->chunk_commit_data);
+       pair_chunk_unsafe(cf, GRAPH_CHUNKID_EXTRAEDGES, &graph->chunk_extra_edges);
+       pair_chunk_unsafe(cf, GRAPH_CHUNKID_BASE, &graph->chunk_base_graphs);
 
        if (s->commit_graph_generation_version >= 2) {
-               pair_chunk(cf, GRAPH_CHUNKID_GENERATION_DATA,
+               pair_chunk_unsafe(cf, GRAPH_CHUNKID_GENERATION_DATA,
                        &graph->chunk_generation_data);
-               pair_chunk(cf, GRAPH_CHUNKID_GENERATION_DATA_OVERFLOW,
+               pair_chunk_unsafe(cf, GRAPH_CHUNKID_GENERATION_DATA_OVERFLOW,
                        &graph->chunk_generation_data_overflow);
 
                if (graph->chunk_generation_data)
@@ -412,7 +412,7 @@ struct commit_graph *parse_commit_graph(struct repo_settings *s,
        }
 
        if (s->commit_graph_read_changed_paths) {
-               pair_chunk(cf, GRAPH_CHUNKID_BLOOMINDEXES,
+               pair_chunk_unsafe(cf, GRAPH_CHUNKID_BLOOMINDEXES,
                           &graph->chunk_bloom_indexes);
                read_chunk(cf, GRAPH_CHUNKID_BLOOMDATA,
                           graph_read_bloom_data, graph);

diff --git a/midx.c b/midx.c
index 931f55735037fcc4de53005ef0970e9ed3781885..3165218ab5d767364368272b0426a6c036147d7b 100644 (file)
--- a/midx.c
+++ b/midx.c
@@ -143,19 +143,19 @@ struct multi_pack_index *load_multi_pack_index(const char *object_dir, int local
                                   MIDX_HEADER_SIZE, m->num_chunks))
                goto cleanup_fail;
 
-       if (pair_chunk(cf, MIDX_CHUNKID_PACKNAMES, &m->chunk_pack_names) == CHUNK_NOT_FOUND)
+       if (pair_chunk_unsafe(cf, MIDX_CHUNKID_PACKNAMES, &m->chunk_pack_names) == CHUNK_NOT_FOUND)
                die(_("multi-pack-index missing required pack-name chunk"));
        if (read_chunk(cf, MIDX_CHUNKID_OIDFANOUT, midx_read_oid_fanout, m) == CHUNK_NOT_FOUND)
                die(_("multi-pack-index missing required OID fanout chunk"));
-       if (pair_chunk(cf, MIDX_CHUNKID_OIDLOOKUP, &m->chunk_oid_lookup) == CHUNK_NOT_FOUND)
+       if (pair_chunk_unsafe(cf, MIDX_CHUNKID_OIDLOOKUP, &m->chunk_oid_lookup) == CHUNK_NOT_FOUND)
                die(_("multi-pack-index missing required OID lookup chunk"));
-       if (pair_chunk(cf, MIDX_CHUNKID_OBJECTOFFSETS, &m->chunk_object_offsets) == CHUNK_NOT_FOUND)
+       if (pair_chunk_unsafe(cf, MIDX_CHUNKID_OBJECTOFFSETS, &m->chunk_object_offsets) == CHUNK_NOT_FOUND)
                die(_("multi-pack-index missing required object offsets chunk"));
 
-       pair_chunk(cf, MIDX_CHUNKID_LARGEOFFSETS, &m->chunk_large_offsets);
+       pair_chunk_unsafe(cf, MIDX_CHUNKID_LARGEOFFSETS, &m->chunk_large_offsets);
 
        if (git_env_bool("GIT_TEST_MIDX_READ_RIDX", 1))
-               pair_chunk(cf, MIDX_CHUNKID_REVINDEX, &m->chunk_revindex);
+               pair_chunk_unsafe(cf, MIDX_CHUNKID_REVINDEX, &m->chunk_revindex);
 
        m->num_objects = ntohl(m->chunk_oid_fanout[255]);