From patchwork Wed Dec 5 22:32:50 2018
X-Patchwork-Submitter: Josh Steadmon
X-Patchwork-Id: 10714987
Date: Wed, 5 Dec 2018 14:32:50 -0800
Message-Id: <53e62baaa8769bf8e90991e32e0d123cc6629559.1544048946.git.steadmon@google.com>
X-Mailer: git-send-email 2.20.0.rc2.403.gdbc3b29805-goog
Subject: [PATCH 1/2] commit-graph, fuzz: Add fuzzer for commit-graph
From: Josh Steadmon To: git@vger.kernel.org, stolee@gmail.com Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Breaks load_commit_graph_one() into a new function, parse_commit_graph(). The latter function operates on arbitrary buffers, which makes it suitable as a fuzzing target. Adds fuzz-commit-graph.c, which provides a fuzzing entry point compatible with libFuzzer (and possibly other fuzzing engines). Signed-off-by: Josh Steadmon --- .gitignore | 1 + Makefile | 1 + commit-graph.c | 63 +++++++++++++++++++++++++++++++++------------ fuzz-commit-graph.c | 18 +++++++++++++ 4 files changed, 66 insertions(+), 17 deletions(-) create mode 100644 fuzz-commit-graph.c diff --git a/.gitignore b/.gitignore index 0d77ea5894..8bcf153ed9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +/fuzz-commit-graph /fuzz_corpora /fuzz-pack-headers /fuzz-pack-idx diff --git a/Makefile b/Makefile index 1a44c811aa..6b72f37c29 100644 --- a/Makefile +++ b/Makefile @@ -684,6 +684,7 @@ SCRIPTS = $(SCRIPT_SH_INS) \ ETAGS_TARGET = TAGS +FUZZ_OBJS += fuzz-commit-graph.o FUZZ_OBJS += fuzz-pack-headers.o FUZZ_OBJS += fuzz-pack-idx.o diff --git a/commit-graph.c b/commit-graph.c index 40c855f185..0755359b1a 100644 --- a/commit-graph.c +++ b/commit-graph.c @@ -46,6 +46,10 @@ #define GRAPH_MIN_SIZE (GRAPH_HEADER_SIZE + 4 * GRAPH_CHUNKLOOKUP_WIDTH \ + GRAPH_FANOUT_SIZE + GRAPH_OID_LEN) +struct commit_graph *parse_commit_graph(void *graph_map, int fd, + size_t graph_size); + + char *get_commit_graph_filename(const char *obj_dir) { return xstrfmt("%s/info/commit-graph", obj_dir); 
@@ -84,16 +88,10 @@ static int commit_graph_compatible(struct repository *r) struct commit_graph *load_commit_graph_one(const char *graph_file) { void *graph_map; - const unsigned char *data, *chunk_lookup; size_t graph_size; struct stat st; - uint32_t i; - struct commit_graph *graph; + struct commit_graph *ret; int fd = git_open(graph_file); - uint64_t last_chunk_offset; - uint32_t last_chunk_id; - uint32_t graph_signature; - unsigned char graph_version, hash_version; if (fd < 0) return NULL; 
@@ -108,27 +106,61 @@ struct commit_graph *load_commit_graph_one(const char *graph_file) die(_("graph file %s is too small"), graph_file); } graph_map = xmmap(NULL, graph_size, PROT_READ, MAP_PRIVATE, fd, 0); + ret = parse_commit_graph(graph_map, fd, graph_size); + + if (ret == NULL) { + munmap(graph_map, graph_size); + close(fd); + exit(1); + } + + return ret; +} + +/* + * This function is intended to be used only from load_commit_graph_one() or in + * fuzz tests. + */ +struct commit_graph *parse_commit_graph(void *graph_map, int fd, + size_t graph_size) +{ + const unsigned char *data, *chunk_lookup; + uint32_t i; + struct commit_graph *graph; + uint64_t last_chunk_offset; + uint32_t last_chunk_id; + uint32_t graph_signature; + unsigned char graph_version, hash_version; + + /* + * This should already be checked in load_commit_graph_one, but we still + * need a check here for when we're calling parse_commit_graph directly + * from fuzz tests. We can omit the error message in that case. + */ + if (graph_size < GRAPH_MIN_SIZE) + return NULL; + data = (const unsigned char *)graph_map; graph_signature = get_be32(data); if (graph_signature != GRAPH_SIGNATURE) { error(_("graph signature %X does not match signature %X"), graph_signature, GRAPH_SIGNATURE); - goto cleanup_fail; + return NULL; } graph_version = *(unsigned char*)(data + 4); if (graph_version != GRAPH_VERSION) { error(_("graph version %X does not match version %X"), graph_version, GRAPH_VERSION); - goto cleanup_fail; + return NULL; } hash_version = *(unsigned char*)(data + 5); if (hash_version != GRAPH_OID_VERSION) { error(_("hash version %X does not match version %X"), hash_version, GRAPH_OID_VERSION); - goto cleanup_fail; + return NULL; } graph = alloc_commit_graph(); 
@@ -152,7 +184,8 @@ struct commit_graph *load_commit_graph_one(const char *graph_file) if (chunk_offset > graph_size - GIT_MAX_RAWSZ) { error(_("improper chunk offset %08x%08x"), (uint32_t)(chunk_offset >> 32), (uint32_t)chunk_offset); - goto cleanup_fail; + free(graph); + return NULL; } switch (chunk_id) { @@ -187,7 +220,8 @@ struct commit_graph *load_commit_graph_one(const char *graph_file) if (chunk_repeated) { error(_("chunk id %08x appears multiple times"), chunk_id); - goto cleanup_fail; + free(graph); + return NULL; } if (last_chunk_id == GRAPH_CHUNKID_OIDLOOKUP) @@ -201,11 +235,6 @@ struct commit_graph *load_commit_graph_one(const char *graph_file) } return graph; - -cleanup_fail: - munmap(graph_map, graph_size); - close(fd); - exit(1); } static void prepare_commit_graph_one(struct repository *r, const char *obj_dir) diff --git a/fuzz-commit-graph.c b/fuzz-commit-graph.c new file mode 100644 index 0000000000..420851d0d2 --- /dev/null +++ b/fuzz-commit-graph.c 
@@ -0,0 +1,18 @@ +#include "object-store.h" +#include "commit-graph.h" + +struct commit_graph *parse_commit_graph(void *graph_map, int fd, + size_t graph_size); + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + struct commit_graph *g; + + g = parse_commit_graph((void *) data, -1, size); + if (g) + free(g); + + return 0; +} From patchwork Wed Dec 5 22:32:51 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josh Steadmon X-Patchwork-Id: 10714989 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2C61D15A6 for ; Wed, 5 Dec 2018 22:33:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1E9812E64F for ; Wed, 5 Dec 2018 22:33:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1268E2E652; Wed, 5 Dec 2018 22:33:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B55E72E64F for ; Wed, 5 Dec 2018 22:33:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728670AbeLEWdA (ORCPT ); Wed, 5 Dec 2018 17:33:00 -0500 Received: from mail-qt1-f201.google.com ([209.85.160.201]:39363 "EHLO mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727592AbeLEWdA (ORCPT ); Wed, 5 Dec 2018 17:33:00 -0500 Received: by mail-qt1-f201.google.com with SMTP id u20so22188632qtk.6 
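Review bot: in the `@@ -46,6 +46,10 @@` hunk of commit-graph.c the forward declaration of parse_commit_graph() is added to a .c file and then repeated verbatim in fuzz-commit-graph.c; declare it once in commit-graph.h instead, so both the definition and the fuzzer call site are checked against a single prototype and a later signature change cannot leave the fuzzer silently out of sync. The two blank lines after the declaration are also one more than the surrounding code uses.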
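Review bot: in the `@@ -108,27 +106,61 @@` hunk the `munmap(); close(); exit(1);` sequence is carried over from the old `cleanup_fail` label into load_commit_graph_one(), so a corrupt graph file still terminates the whole process even though parse_commit_graph() now reports the problem via error() and returns NULL. Returning NULL here (so a corrupt commit-graph is skipped rather than fatal) or using die() would be more in keeping with the rest of the code, but that is a behaviour change and deserves its own patch; for this refactor it is worth a sentence in the commit message that the exit is intentionally preserved.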
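Review bot: in the `@@ -152,7 +184,8 @@` hunk (and again in `@@ -187,7 +220,8 @@`) replacing `goto cleanup_fail` with a hand-written `free(graph); return NULL;` means every validation added to this loop in future has to remember to free `graph` itself, which is exactly the kind of leak the single label used to prevent. Keeping a `cleanup_fail:` label inside parse_commit_graph() that does `free(graph); return NULL;` preserves the one-exit structure while still leaving the munmap/close to the caller.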
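Review bot: in the fuzz-commit-graph.c hunk the call `parse_commit_graph((void *) data, -1, size)` casts away the const of the fuzzer's input buffer; since parse_commit_graph() only ever reads the mapping through `const unsigned char *data`, giving it a `const void *graph_map` first parameter removes the cast and documents that the parser never writes to the buffer. The `if (g)` guard around free(g) is redundant, free(NULL) is a no-op.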
Date: Wed, 5 Dec 2018 14:32:51 -0800
X-Mailer: git-send-email 2.20.0.rc2.403.gdbc3b29805-goog
Subject: [PATCH 2/2] commit-graph: fix buffer read-overflow
From: Josh Steadmon To: git@vger.kernel.org, stolee@gmail.com Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP fuzz-commit-graph identified a case where Git will read past the end of a buffer containing a commit graph if the graph's header has an incorrect chunk count. A simple bounds check in parse_commit_graph() prevents this. Signed-off-by: Josh Steadmon Helped-by: Derrick Stolee --- commit-graph.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/commit-graph.c b/commit-graph.c index 0755359b1a..fee171a5f3 100644 --- a/commit-graph.c +++ b/commit-graph.c @@ -175,10 +175,19 @@ struct commit_graph *parse_commit_graph(void *graph_map, int fd, last_chunk_offset = 8; chunk_lookup = data + 8; for (i = 0; i < graph->num_chunks; i++) { - uint32_t chunk_id = get_be32(chunk_lookup + 0); - uint64_t chunk_offset = get_be64(chunk_lookup + 4); + uint32_t chunk_id; + uint64_t chunk_offset; int chunk_repeated = 0; + if (chunk_lookup + GRAPH_CHUNKLOOKUP_WIDTH > data + graph_size) { + error(_("chunk lookup table entry missing; graph file may be incomplete")); + free(graph); + return NULL; + } + + chunk_id = get_be32(chunk_lookup + 0); + chunk_offset = get_be64(chunk_lookup + 4); + chunk_lookup += GRAPH_CHUNKLOOKUP_WIDTH; if (chunk_offset > graph_size - GIT_MAX_RAWSZ) {
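Review bot: in the `@@ -175,10 +175,19 @@` hunk the new check `chunk_lookup + GRAPH_CHUNKLOOKUP_WIDTH > data + graph_size` computes a pointer that can lie beyond one-past-the-end of the mapped buffer before comparing it, which is undefined behaviour in C even though it works on every platform git targets; comparing lengths instead, e.g. `if (graph_size - (chunk_lookup - data) < GRAPH_CHUNKLOOKUP_WIDTH)`, gives the same bounds check without forming an out-of-range pointer (chunk_lookup starts at data + 8 and GRAPH_MIN_SIZE is larger than 8, so the subtraction cannot underflow). Since num_chunks is known before the loop, the whole table can also be validated once up front, `if (graph->num_chunks > (graph_size - 8) / GRAPH_CHUNKLOOKUP_WIDTH)`, rather than re-checking every iteration; note that GRAPH_MIN_SIZE only guarantees room for four lookup entries, so a check of this kind is needed regardless of the earlier size test.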