<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/attr.c, branch v2.32.7</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.32.7</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.32.7'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2023-01-19T21:45:37Z</updated>
<entry>
<title>Sync with maint-2.31</title>
<updated>2023-01-19T21:45:37Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-01-19T21:45:37Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=012e0d76dc5b1a994ca68290f9994c5f135902a1'/>
<id>urn:sha1:012e0d76dc5b1a994ca68290f9994c5f135902a1</id>
<content type='text'>
* maint-2.31:
  attr: adjust a mismatched data type
</content>
</entry>
<entry>
<title>Sync with maint-2.30</title>
<updated>2023-01-19T21:45:23Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-01-19T21:45:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f8bf6b8f3db21d08d0ef0133b185d2b26f21d041'/>
<id>urn:sha1:f8bf6b8f3db21d08d0ef0133b185d2b26f21d041</id>
<content type='text'>
* maint-2.30:
  attr: adjust a mismatched data type
</content>
</entry>
<entry>
<title>attr: adjust a mismatched data type</title>
<updated>2023-01-19T21:38:06Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>Johannes.Schindelin@gmx.de</email>
</author>
<published>2023-01-12T00:05:02Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0227130244c007870c106fc613903d078730e45c'/>
<id>urn:sha1:0227130244c007870c106fc613903d078730e45c</id>
<content type='text'>
On platforms where `size_t` does not have the same width as `unsigned
long`, passing a pointer to the former when a pointer to the latter is
expected can lead to problems.

Windows and 32-bit Linux are among the affected platforms.

In this instance, we want to store the size of the blob that was read in
that variable. However, `read_blob_data_from_index()` passes that
pointer to `read_object_file()` which expects an `unsigned long *`.
Which means that on affected platforms, the variable is not fully
populated and part of its value is left uninitialized. (On Big-Endian
platforms, this problem would be even worse.)

The consequence is that depending on the uninitialized memory's
contents, we may erroneously reject perfectly fine attributes.

Let's address this by passing a pointer to a variable of the expected
data type.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Sync with Git 2.31.6</title>
<updated>2022-12-13T12:09:40Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2022-12-13T12:09:40Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8a755eddf5bf256613bc584f32cd44401a25897c'/>
<id>urn:sha1:8a755eddf5bf256613bc584f32cd44401a25897c</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Sync with Git 2.30.7</title>
<updated>2022-12-13T12:02:20Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2022-12-13T12:02:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=16128765d70f1375bcde3f27f51f85492b176a59'/>
<id>urn:sha1:16128765d70f1375bcde3f27f51f85492b176a59</id>
<content type='text'>
</content>
</entry>
<entry>
<title>attr: ignore overly large gitattributes files</title>
<updated>2022-12-05T06:50:03Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2022-12-01T14:45:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3c50032ff5289cc45659f21949c8d09e52164579'/>
<id>urn:sha1:3c50032ff5289cc45659f21949c8d09e52164579</id>
<content type='text'>
Similar as with the preceding commit, start ignoring gitattributes files
that are overly large to protect us against out-of-bounds reads and
writes caused by integer overflows. Unfortunately, we cannot just define
"overly large" in terms of any preexisting limits in the codebase.

Instead, we choose a very conservative limit of 100MB. This is plenty of
room for specifying gitattributes, and incidentally it is also the limit
for blob sizes for GitHub. While we don't want GitHub to dictate limits
here, it is still sensible to use this fact for an informed decision
given that it is hosting a huge set of repositories. Furthermore, over
at GitLab we scanned a subset of repositories for their root-level
attribute files. We found that 80% of them have a gitattributes file
smaller than 100kB, 99.99% have one smaller than 1MB, and only a single
repository had one that was almost 3MB in size. So enforcing a limit of
100MB seems to give us ample of headroom.

With this limit in place we can be reasonably sure that there is no easy
way to exploit the gitattributes file via integer overflows anymore.
Furthermore, it protects us against resource exhaustion caused by
allocating the in-memory data structures required to represent the
parsed attributes.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>attr: ignore attribute lines exceeding 2048 bytes</title>
<updated>2022-12-05T06:33:07Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2022-12-01T14:45:48Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=dfa6b32b5e599d97448337ed4fc18dd50c90758f'/>
<id>urn:sha1:dfa6b32b5e599d97448337ed4fc18dd50c90758f</id>
<content type='text'>
There are two different code paths to read gitattributes: once via a
file, and once via the index. These two paths used to behave differently
because when reading attributes from a file, we used fgets(3P) with a
buffer size of 2kB. Consequentially, we silently truncate line lengths
when lines are longer than that and will then parse the remainder of the
line as a new pattern. It goes without saying that this is entirely
unexpected, but it's even worse that the behaviour depends on how the
gitattributes are parsed.

While this is simply wrong, the silent truncation saves us with the
recently discovered vulnerabilities that can cause out-of-bound writes
or reads with unreasonably long lines due to integer overflows. As the
common path is to read gitattributes via the worktree file instead of
via the index, we can assume that any gitattributes file that had lines
longer than that is already broken anyway. So instead of lifting the
limit here, we can double down on it to fix the vulnerabilities.

Introduce an explicit line length limit of 2kB that is shared across all
paths that read attributes and ignore any line that hits this limit
while printing a warning.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>attr: fix silently splitting up lines longer than 2048 bytes</title>
<updated>2022-12-05T06:29:30Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2022-12-01T14:45:44Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d74b1fd54fdbc45966d12ea907dece11e072fb2b'/>
<id>urn:sha1:d74b1fd54fdbc45966d12ea907dece11e072fb2b</id>
<content type='text'>
When reading attributes from a file we use fgets(3P) with a buffer size
of 2048 bytes. This means that as soon as a line exceeds the buffer size
we split it up into multiple parts and parse each of them as a separate
pattern line. This is of course not what the user intended, and even
worse the behaviour is inconsistent with how we read attributes from the
index.

Fix this bug by converting the code to use `strbuf_getline()` instead.
This will indeed read in the whole line, which may theoretically lead to
an out-of-memory situation when the gitattributes file is huge. We're
about to reject any gitattributes files larger than 100MB in the next
commit though, which makes this less of a concern.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>attr: harden allocation against integer overflows</title>
<updated>2022-12-05T06:14:16Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2022-12-01T14:45:40Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a60a66e409c265b2944f18bf43581c146812586d'/>
<id>urn:sha1:a60a66e409c265b2944f18bf43581c146812586d</id>
<content type='text'>
When parsing an attributes line, we need to allocate an array that holds
all attributes specified for the given file pattern. The calculation to
determine the number of bytes that need to be allocated was prone to an
overflow though when there was an unreasonable amount of attributes.

Harden the allocation by instead using the `st_` helper functions that
cause us to die when we hit an integer overflow.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>attr: fix integer overflow with more than INT_MAX macros</title>
<updated>2022-12-05T06:14:16Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2022-12-01T14:45:36Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e1e12e97ac73ded85f7d000da1063a774b3cc14f'/>
<id>urn:sha1:e1e12e97ac73ded85f7d000da1063a774b3cc14f</id>
<content type='text'>
Attributes have a field that tracks the position in the `all_attrs`
array they're stored inside. This field gets set via `hashmap_get_size`
when adding the attribute to the global map of attributes. But while the
field is of type `int`, the value returned by `hashmap_get_size` is an
`unsigned int`. It can thus happen that the value overflows, where we
would now dereference teh `all_attrs` array at an out-of-bounds value.

We do have a sanity check for this overflow via an assert that verifies
the index matches the new hashmap's size. But asserts are not a proper
mechanism to detect against any such overflows as they may not in fact
be compiled into production code.

Fix this by using an `unsigned int` to track the index and convert the
assert to a call `die()`.

Reported-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
