Skip to content

Correct git_revparse_single and add revparse fuzzing #6730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Feb 6, 2024
Merged

Correct git_revparse_single and add revparse fuzzing #6730

merged 5 commits into from
Feb 6, 2024

Conversation

ethomson
Copy link
Member

@ethomson ethomson commented Feb 6, 2024

  1. Introduce address sanitization during builds. Surprisingly, although we enabled various sanitizers (thread, memory, undefinedbehavior) we did not have address sanitizer running. Add that.

  2. Address sanitizer correctly detected a failure to correctly parse capabilities in a first pkt. In our test corpus we have a message with no capabilities (the length of the message is the ref advertisement plus a trailing NUL). We walk off the end of that string trying to read capabilities. Now we honor the len before checking for caps.

  3. Update revparse to correctly stop parsing spec when we find a trailing @. Thanks to the Amazon AWS Security team for finding and responsibly disclosing this.

@ethomson
fuzzers: provide util functions like repo init
8bd6957 
Many fuzzers will need to operate with a repository; extract the
repository initialization from downloads_refs_fuzzer.c into its own
utility area.
@ethomson
fuzzer: add a revparse fuzzer
f015996
@ethomson
fuzzer: run address sanitization during fuzzing
cef060a
@ethomson
transport: safely handle messages with no caps
d41d321 
If there are no caps, don't try to advance past the first NULL to look
for object-format. This prevents a possible out-of-bounds read.
@ethomson
revparse: fix parsing bug for trailing @
d353cf4 
When parsing a revspec that ends with a trailing `@`, explicitly stop
parsing. Introduce a sentinel variable to explicitly stop parsing.

Prior to this, we would set `spec` to `HEAD`, but were looping on the
value of `spec[pos]`, so we would continue walking the (new) `spec`
at offset `pos`, looking for a NUL. This is obviously an out-of-bounds
read.

Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
@ethomson
Copy link
Member Author

ethomson commented Feb 6, 2024

Note: this was included in v1.6.5 and v1.7.2.

@ethomson ethomson merged commit 5f9e67a into main Feb 6, 2024
@ethomson ethomson deleted the ethomson/revparse branch February 6, 2024 21:40
@branchvincent branchvincent mentioned this pull request Mar 21, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ethomson