name-hash: don't reuse cache_entry in dir_entry
Stop reusing cache_entry in dir_entry; doing so causes a use-after-free bug. During merges, we free entries that we no longer need in the destination index. But those entries might have also been stored in the dir_entry cache, and when a later call to add_to_index found them, they would be used after being freed. To prevent this, change dir_entry to store a copy of the name instead of a pointer to a cache_entry. This entails some refactoring of code that expects the cache_entry. Keith McGuigan <kmcguigan@twitter.com> diagnosed this bug and wrote the initial patch, but this version does not use any of Keith's code. Helped-by: Keith McGuigan <kmcguigan@twitter.com> Helped-by: Junio C Hamano <gitster@pobox.com> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
parent
441c4a4017
commit
41284eb0f9
3
cache.h
3
cache.h
@ -501,7 +501,8 @@ extern int write_locked_index(struct index_state *, struct lock_file *lock, unsi
|
|||||||
extern int discard_index(struct index_state *);
|
extern int discard_index(struct index_state *);
|
||||||
extern int unmerged_index(const struct index_state *);
|
extern int unmerged_index(const struct index_state *);
|
||||||
extern int verify_path(const char *path);
|
extern int verify_path(const char *path);
|
||||||
extern struct cache_entry *index_dir_exists(struct index_state *istate, const char *name, int namelen);
|
extern int index_dir_exists(struct index_state *istate, const char *name, int namelen);
|
||||||
|
extern void adjust_dirname_case(struct index_state *istate, char *name);
|
||||||
extern struct cache_entry *index_file_exists(struct index_state *istate, const char *name, int namelen, int igncase);
|
extern struct cache_entry *index_file_exists(struct index_state *istate, const char *name, int namelen, int igncase);
|
||||||
extern int index_name_pos(const struct index_state *, const char *name, int namelen);
|
extern int index_name_pos(const struct index_state *, const char *name, int namelen);
|
||||||
#define ADD_CACHE_OK_TO_ADD 1 /* Ok to add */
|
#define ADD_CACHE_OK_TO_ADD 1 /* Ok to add */
|
||||||
|
22
dir.c
22
dir.c
@ -964,29 +964,15 @@ enum exist_status {
|
|||||||
*/
|
*/
|
||||||
static enum exist_status directory_exists_in_index_icase(const char *dirname, int len)
|
static enum exist_status directory_exists_in_index_icase(const char *dirname, int len)
|
||||||
{
|
{
|
||||||
const struct cache_entry *ce = cache_dir_exists(dirname, len);
|
struct cache_entry *ce;
|
||||||
unsigned char endchar;
|
|
||||||
|
|
||||||
if (!ce)
|
if (cache_dir_exists(dirname, len))
|
||||||
return index_nonexistent;
|
|
||||||
endchar = ce->name[len];
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The cache_entry structure returned will contain this dirname
|
|
||||||
* and possibly additional path components.
|
|
||||||
*/
|
|
||||||
if (endchar == '/')
|
|
||||||
return index_directory;
|
return index_directory;
|
||||||
|
|
||||||
/*
|
ce = cache_file_exists(dirname, len, ignore_case);
|
||||||
* If there are no additional path components, then this cache_entry
|
if (ce && S_ISGITLINK(ce->ce_mode))
|
||||||
* represents a submodule. Submodules, despite being directories,
|
|
||||||
* are stored in the cache without a closing slash.
|
|
||||||
*/
|
|
||||||
if (!endchar && S_ISGITLINK(ce->ce_mode))
|
|
||||||
return index_gitdir;
|
return index_gitdir;
|
||||||
|
|
||||||
/* This should never be hit, but it exists just in case. */
|
|
||||||
return index_nonexistent;
|
return index_nonexistent;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
54
name-hash.c
54
name-hash.c
@ -11,16 +11,16 @@
|
|||||||
struct dir_entry {
|
struct dir_entry {
|
||||||
struct hashmap_entry ent;
|
struct hashmap_entry ent;
|
||||||
struct dir_entry *parent;
|
struct dir_entry *parent;
|
||||||
struct cache_entry *ce;
|
|
||||||
int nr;
|
int nr;
|
||||||
unsigned int namelen;
|
unsigned int namelen;
|
||||||
|
char name[FLEX_ARRAY];
|
||||||
};
|
};
|
||||||
|
|
||||||
static int dir_entry_cmp(const struct dir_entry *e1,
|
static int dir_entry_cmp(const struct dir_entry *e1,
|
||||||
const struct dir_entry *e2, const char *name)
|
const struct dir_entry *e2, const char *name)
|
||||||
{
|
{
|
||||||
return e1->namelen != e2->namelen || strncasecmp(e1->ce->name,
|
return e1->namelen != e2->namelen || strncasecmp(e1->name,
|
||||||
name ? name : e2->ce->name, e1->namelen);
|
name ? name : e2->name, e1->namelen);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct dir_entry *find_dir_entry(struct index_state *istate,
|
static struct dir_entry *find_dir_entry(struct index_state *istate,
|
||||||
@ -41,14 +41,6 @@ static struct dir_entry *hash_dir_entry(struct index_state *istate,
|
|||||||
* closing slash. Despite submodules being a directory, they never
|
* closing slash. Despite submodules being a directory, they never
|
||||||
* reach this point, because they are stored
|
* reach this point, because they are stored
|
||||||
* in index_state.name_hash (as ordinary cache_entries).
|
* in index_state.name_hash (as ordinary cache_entries).
|
||||||
*
|
|
||||||
* Note that the cache_entry stored with the dir_entry merely
|
|
||||||
* supplies the name of the directory (up to dir_entry.namelen). We
|
|
||||||
* track the number of 'active' files in a directory in dir_entry.nr,
|
|
||||||
* so we can tell if the directory is still relevant, e.g. for git
|
|
||||||
* status. However, if cache_entries are removed, we cannot pinpoint
|
|
||||||
* an exact cache_entry that's still active. It is very possible that
|
|
||||||
* multiple dir_entries point to the same cache_entry.
|
|
||||||
*/
|
*/
|
||||||
struct dir_entry *dir;
|
struct dir_entry *dir;
|
||||||
|
|
||||||
@ -63,10 +55,10 @@ static struct dir_entry *hash_dir_entry(struct index_state *istate,
|
|||||||
dir = find_dir_entry(istate, ce->name, namelen);
|
dir = find_dir_entry(istate, ce->name, namelen);
|
||||||
if (!dir) {
|
if (!dir) {
|
||||||
/* not found, create it and add to hash table */
|
/* not found, create it and add to hash table */
|
||||||
dir = xcalloc(1, sizeof(struct dir_entry));
|
dir = xcalloc(1, sizeof(struct dir_entry) + namelen + 1);
|
||||||
hashmap_entry_init(dir, memihash(ce->name, namelen));
|
hashmap_entry_init(dir, memihash(ce->name, namelen));
|
||||||
dir->namelen = namelen;
|
dir->namelen = namelen;
|
||||||
dir->ce = ce;
|
strncpy(dir->name, ce->name, namelen);
|
||||||
hashmap_add(&istate->dir_hash, dir);
|
hashmap_add(&istate->dir_hash, dir);
|
||||||
|
|
||||||
/* recursively add missing parent directories */
|
/* recursively add missing parent directories */
|
||||||
@ -188,26 +180,36 @@ static int same_name(const struct cache_entry *ce, const char *name, int namelen
|
|||||||
return slow_same_name(name, namelen, ce->name, len);
|
return slow_same_name(name, namelen, ce->name, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
struct cache_entry *index_dir_exists(struct index_state *istate, const char *name, int namelen)
|
int index_dir_exists(struct index_state *istate, const char *name, int namelen)
|
||||||
{
|
{
|
||||||
struct cache_entry *ce;
|
|
||||||
struct dir_entry *dir;
|
struct dir_entry *dir;
|
||||||
|
|
||||||
lazy_init_name_hash(istate);
|
lazy_init_name_hash(istate);
|
||||||
dir = find_dir_entry(istate, name, namelen);
|
dir = find_dir_entry(istate, name, namelen);
|
||||||
if (dir && dir->nr)
|
return dir && dir->nr;
|
||||||
return dir->ce;
|
}
|
||||||
|
|
||||||
/*
|
void adjust_dirname_case(struct index_state *istate, char *name)
|
||||||
* It might be a submodule. Unlike plain directories, which are stored
|
{
|
||||||
* in the dir-hash, submodules are stored in the name-hash, so check
|
const char *startPtr = name;
|
||||||
* there, as well.
|
const char *ptr = startPtr;
|
||||||
*/
|
|
||||||
ce = index_file_exists(istate, name, namelen, 1);
|
|
||||||
if (ce && S_ISGITLINK(ce->ce_mode))
|
|
||||||
return ce;
|
|
||||||
|
|
||||||
return NULL;
|
lazy_init_name_hash(istate);
|
||||||
|
while (*ptr) {
|
||||||
|
while (*ptr && *ptr != '/')
|
||||||
|
ptr++;
|
||||||
|
|
||||||
|
if (*ptr == '/') {
|
||||||
|
struct dir_entry *dir;
|
||||||
|
|
||||||
|
ptr++;
|
||||||
|
dir = find_dir_entry(istate, name, ptr - name + 1);
|
||||||
|
if (dir) {
|
||||||
|
memcpy((void *)startPtr, dir->name + (startPtr - name), ptr - startPtr);
|
||||||
|
startPtr = ptr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
struct cache_entry *index_file_exists(struct index_state *istate, const char *name, int namelen, int icase)
|
struct cache_entry *index_file_exists(struct index_state *istate, const char *name, int namelen, int icase)
|
||||||
|
16
read-cache.c
16
read-cache.c
@ -661,21 +661,7 @@ int add_to_index(struct index_state *istate, const char *path, struct stat *st,
|
|||||||
* entry's directory case.
|
* entry's directory case.
|
||||||
*/
|
*/
|
||||||
if (ignore_case) {
|
if (ignore_case) {
|
||||||
const char *startPtr = ce->name;
|
adjust_dirname_case(istate, ce->name);
|
||||||
const char *ptr = startPtr;
|
|
||||||
while (*ptr) {
|
|
||||||
while (*ptr && *ptr != '/')
|
|
||||||
++ptr;
|
|
||||||
if (*ptr == '/') {
|
|
||||||
struct cache_entry *foundce;
|
|
||||||
++ptr;
|
|
||||||
foundce = index_dir_exists(istate, ce->name, ptr - ce->name - 1);
|
|
||||||
if (foundce) {
|
|
||||||
memcpy((void *)startPtr, foundce->name + (startPtr - ce->name), ptr - startPtr);
|
|
||||||
startPtr = ptr;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
alias = index_file_exists(istate, ce->name, ce_namelen(ce), ignore_case);
|
alias = index_file_exists(istate, ce->name, ce_namelen(ce), ignore_case);
|
||||||
|
Loading…
Reference in New Issue
Block a user