1. 27 Aug, 2019 4 commits
    • iterator: remove duplicate memset · 699de9c5
      When allocating new tree iterator frames, we zero out the allocated
      memory twice. Remove one of the `memset` calls.
      Patrick Steinhardt committed
    • iterator: avoid leaving partially initialized frame on stack · 9ca7a60e
      When allocating tree iterator entries, we use GIT_ERROR_ALLOC_CHECK` to
      check whether the allocation has failed. The macro will cause the
      function to immediately return, though, leaving behind a partially
      initialized iterator frame.
      
      Fix the issue by manually checking for memory allocation errors and
      using `goto done` in case of an error, popping the iterator frame.
      Patrick Steinhardt committed
    • diff_generate: detect memory allocation errors when preparing opts · fe241071
      When preparing options for the two iterators that are about to be
      diffed, we allocate a common prefix for both iterators depending on
      the options passed by the user. We do not check whether the allocation
      was successful, though. In fact, this isn't much of a problem, as using
      a `NULL` prefix is perfectly fine. But in the end, we probably want to
      detect that the system doesn't have any memory left, as we're unlikely
      to be able to continue afterwards anyway.
      
      While the issue is being fixed in the newly created function
      `diff_prepare_iterator_opts`, it has been previously existing in the
      previous macro `DIFF_FROM_ITERATORS` already.
      Patrick Steinhardt committed
    • diff_generate: refactor `DIFF_FROM_ITERATORS` macro of doom · 8a23597b
      While the `DIFF_FROM_ITERATORS` does make it shorter to implement the
      various `git_diff_foo_to_bar` functions, it is a complex and unreadable
      beast that implicitly assumes certain local variable names. This is not
      something desirable to have at all and obstructs understanding and more
      importantly debugging the code by quite a bit.
      
      The `DIFF_FROM_ITERATORS` macro basically removed the burden of having
      to derive the options for both iterators from a pair of iterator flags
      and the diff options. This patch introduces a new function that does the
      that exact and refactors all callers to manage the iterators by
      themselves.
      
      As we potentially need to allocate a shared prefix for the
      iterator, we need to tell the caller to allocate that prefix as soon as
      the options aren't required anymore. Thus, the function has a `char
      **prefix` out pointer that will get set to the allocated string and
      subsequently be free'd by the caller.
      
      While this patch increases the line count, I personally deem this to an
      acceptable tradeoff for increased readbiblity.
      Patrick Steinhardt committed
  2. 14 Aug, 2019 1 commit
  3. 13 Aug, 2019 5 commits
    • Merge pull request #5202 from libgit2/users/ethomson/security_updates · 08cfa43d
      Security updates from 0.28.3
      Edward Thomson committed
    • commit_list: fix possible buffer overflow in `commit_quick_parse` · 57a9ccd5
      The function `commit_quick_parse` provides a way to quickly parse
      parts of a commit without storing or verifying most of its
      metadata. The first thing it does is calculating the number of
      parents by skipping "parent " lines until it finds the first
      non-parent line. Afterwards, this parent count is passed to
      `alloc_parents`, which will allocate an array to store all the
      parent.
      
      To calculate the amount of storage required for the parents
      array, `alloc_parents` simply multiplicates the number of parents
      with the respective elements's size. This already screams "buffer
      overflow", and in fact this problem is getting worse by the
      result being cast to an `uint32_t`.
      
      In fact, triggering this is possible: git-hash-object(1) will
      happily write a commit with multiple millions of parents for you.
      I've stopped at 67,108,864 parents as git-hash-object(1)
      unfortunately soaks up the complete object without streaming
      anything to disk and thus will cause an OOM situation at a later
      point. The point here is: this commit was about 4.1GB of size but
      compressed down to 24MB and thus easy to distribute.
      
      The above doesn't yet trigger the buffer overflow, thus. As the
      array's elements are all pointers which are 8 bytes on 64 bit, we
      need a total of 536,870,912 parents to trigger the overflow to
      `0`. The effect is that we're now underallocating the array
      and do an out-of-bound writes. As the buffer is kindly provided
      by the adversary, this may easily result in code execution.
      
      Extrapolating from the test file with 67m commits to the one with
      536m commits results in a factor of 8. Thus the uncompressed
      contents would be about 32GB in size and the compressed ones
      192MB. While still easily distributable via the network, only
      servers will have that amount of RAM and not cause an
      out-of-memory condition previous to triggering the overflow. This
      at least makes this attack not an easy vector for client-side use
      of libgit2.
      Patrick Steinhardt committed
    • config: validate ownership of C:\ProgramData\Git\config before using it · cb1439c9
      When the VirtualStore feature is in effect, it is safe to let random
      users write into C:\ProgramData because other users won't see those
      files. This seemed to be the case when we introduced support for
      C:\ProgramData\Git\config.
      
      However, when that feature is not in effect (which seems to be the case
      in newer Windows 10 versions), we'd rather not use those files unless
      they come from a trusted source, such as an administrator.
      
      This change imitates the strategy chosen by PowerShell's native OpenSSH
      port to Windows regarding host key files: if a system file is owned
      neither by an administrator, a system account, or the current user, it
      is ignored.
      Johannes Schindelin committed
    • clone: Remove whitespace ssh test · 62b80138
      Will add later when infrastructure is configured
      Ian Hattendorf committed
  4. 12 Aug, 2019 1 commit
  5. 11 Aug, 2019 2 commits
  6. 09 Aug, 2019 1 commit
  7. 07 Aug, 2019 1 commit
  8. 02 Aug, 2019 4 commits
  9. 01 Aug, 2019 11 commits
  10. 29 Jul, 2019 2 commits
  11. 26 Jul, 2019 7 commits
    • config_backend: rename internal structures · 37ebe9ad
      The internal backend structures are kind-of legacy and do not really
      speak for themselves. Rename them accordingly to make them easier to
      understand.
      Patrick Steinhardt committed
    • config_file: separate out read-only backend · 2bff84ba
      To further distinguish the file writeable and readonly backends,
      separate the readonly backend into its own "config_snapshot.c"
      implementation. The snapshot backend can be generically used to snapshot
      any type of backend.
      Patrick Steinhardt committed
    • config_file: fix cast of readonly backend · f0b10066
      In `backend_readonly_free`, the passed in config backend is being cast
      to a `diskfile_backend` instead of to a `diskfile_readonly_backend`.
      While this works out just fine because we only access its header values,
      which were shared between both backends, it is undefined behaviour.
      
      Use the correct type to fix this.
      Patrick Steinhardt committed
    • config_file: remove shared `diskfile_header` struct · a3159df8
      The `diskfile_header` structure is shared between both
      `diskfile_backend` and `diskfile_readonly_backend`. The separation and
      resulting casting is confusing at times and a source for programming
      errors.
      
      Remove the shared structure and inline them directly.
      Patrick Steinhardt committed
    • config_file: duplicate accessors for readonly backend · 271e5fba
      While most functions of the readonly configuration backend are
      implemented separately from the writeable configuration backend, the two
      functions `config_iterator_new` and `config_get` are shared between
      both. This sharing makes it necessary to have some shared data
      structures, which is the `diskfile_header` structure. Unfortunately, this
      makes the backends harder to grasp than necessary due to all the casting
      between structs and also quite error prone.
      
      Reimplement those functions for the readonly backends. As readonly
      backends cannot be refreshed anyway, we can remove the calls to
      `config_refresh` in there.
      Patrick Steinhardt committed
    • config_file: reimplement `config_readonly_open` generically · 4e7ce1fb
      The `config_readonly_open` function currently receives as input a
      diskfile backend and will copy its entries to a new snapshot. This is
      rather intimate, as we need to assume that the source config backend is
      in fact a diskfile entry. We can do better than this though by using
      generic methods to copy contents of the provided backend, e.g. by using
      a config iterator. This also allows us to decouple the read-only backend
      from the read-write backend.
      Patrick Steinhardt committed
    • config_entries: fix possible segfault when duplicating entries · 76182e84
      When duplicating a configuration entry, we allocate a new entry but do
      not verify that we get a valid pointer back. As we're dereferencing the
      pointer afterwards, we might thus run into a segfault in out-of-memory
      situations.
      
      Extract a new function `git_config_entries_dup_entry` that handles the
      complete entry duplication. Fix the error by using
      `GIT_ERROR_CHECK_ALLOC`.
      Patrick Steinhardt committed
  12. 25 Jul, 2019 1 commit