subject:"Re\: \[PATCH v5 4\/5\] merge\/pull Check for untrusted good GPG signatures"

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

2013-03-31 Thread Thomas Rast

Sebastian Götte ja...@physik.tu-berlin.de writes:

 When --verify-signatures is specified, abort the merge in case a good
 GPG signature from an untrusted key is encountered.
[...]
 +test_expect_success GPG 'merge  commit with untrusted signature with 
 verification' '
  ^
  `.
Nit: you have a pointless(?) double space here-´

 + test_must_fail git merge --ff-only --verify-signatures side-untrusted 
 2mergeerror 
 + test_i18ngrep from an untrusted key mergeerror
 +'

This test gives me the following:

==26527== Conditional jump or move depends on uninitialised value(s)
==26527==at 0x4C2D8BC: strchrnul (mc_replace_strmem.c:1084)
==26527==by 0x4989CC: parse_signature_lines (commit.c:1074)
==26527==by 0x498B33: check_commit_signature (commit.c:1100)
==26527==by 0x453719: cmd_merge (merge.c:1246)
==26527==by 0x4057B6: run_builtin (git.c:282)
==26527==by 0x405949: handle_internal_command (git.c:444)
==26527==by 0x405A63: run_argv (git.c:490)
==26527==by 0x405BF2: main (git.c:565)

though I currently cannot see what's wrong, probably because I don't
know the format that parse_signature_lines gives.  Can you look into it?

-- 
Thomas Rast
trast@{inf,student}.ethz.ch
--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

2013-03-31 Thread Sebastian Götte

On 03/31/2013 10:32 AM, Thomas Rast wrote:
 Sebastian Götte ja...@physik.tu-berlin.de writes:
 
 When --verify-signatures is specified, abort the merge in case a good
 GPG signature from an untrusted key is encountered.
 [...]
 +test_expect_success GPG 'merge  commit with untrusted signature with 
 verification' '
   ^
   `.
 Nit: you have a pointless(?) double space here-´
Will fix that in the next revision ;)

 +test_must_fail git merge --ff-only --verify-signatures side-untrusted 
 2mergeerror 
 +test_i18ngrep from an untrusted key mergeerror
 +'
 
 This test gives me the following:
 
 ==26527== Conditional jump or move depends on uninitialised value(s)
 ==26527==at 0x4C2D8BC: strchrnul (mc_replace_strmem.c:1084)
 ==26527==by 0x4989CC: parse_signature_lines (commit.c:1074)
 ==26527==by 0x498B33: check_commit_signature (commit.c:1100)
 ==26527==by 0x453719: cmd_merge (merge.c:1246)
 ==26527==by 0x4057B6: run_builtin (git.c:282)
 ==26527==by 0x405949: handle_internal_command (git.c:444)
 ==26527==by 0x405A63: run_argv (git.c:490)
 ==26527==by 0x405BF2: main (git.c:565)
 
 though I currently cannot see what's wrong, probably because I don't
 know the format that parse_signature_lines gives.  Can you look into it?
Against what version/combination of the patches are you running the test?
parse_signature_lines is called parse_gpg_output in v5.  Perhaps just try again
with v6 of the patch, the difference between v5 and v6 is parse_gpg_output
(Junio did not like the v5 variant).

Thanks
Sebastian 
--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

2013-03-31 Thread Thomas Rast

Sebastian Götte ja...@physik.tu-berlin.de wrote:

On 03/31/2013 10:32 AM, Thomas Rast wrote:
 +   test_must_fail git merge --ff-only --verify-signatures
side-untrusted 2mergeerror 
 +   test_i18ngrep from an untrusted key mergeerror
 +'
 
 This test gives me the following:
 
 ==26527== Conditional jump or move depends on uninitialised value(s)
 ==26527==at 0x4C2D8BC: strchrnul (mc_replace_strmem.c:1084)
 ==26527==by 0x4989CC: parse_signature_lines (commit.c:1074)
 ==26527==by 0x498B33: check_commit_signature (commit.c:1100)
 ==26527==by 0x453719: cmd_merge (merge.c:1246)
 ==26527==by 0x4057B6: run_builtin (git.c:282)
 ==26527==by 0x405949: handle_internal_command (git.c:444)
 ==26527==by 0x405A63: run_argv (git.c:490)
 ==26527==by 0x405BF2: main (git.c:565)
 
 though I currently cannot see what's wrong, probably because I don't
 know the format that parse_signature_lines gives.  Can you look into
it?
Against what version/combination of the patches are you running the
test?
parse_signature_lines is called parse_gpg_output in v5.  Perhaps just
try again
with v6 of the patch, the difference between v5 and v6 is
parse_gpg_output
(Junio did not like the v5 variant).

Oh, my bad then. I used the version in pu. I just ran all tests under valgrind 
and this cropped up.

If you have valgrind installed locally, you can also test yourself ;-) just 
pass --valgrind to the test script.

-- 
http://code.google.com/p/k9mail
--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

2013-03-31 Thread Sebastian Götte

On 03/31/2013 01:38 PM, Thomas Rast wrote:
 Sebastian Götte ja...@physik.tu-berlin.de wrote:
 
 On 03/31/2013 10:32 AM, Thomas Rast wrote:
 +  test_must_fail git merge --ff-only --verify-signatures
 side-untrusted 2mergeerror 
 +  test_i18ngrep from an untrusted key mergeerror
 +'

 This test gives me the following:

 ==26527== Conditional jump or move depends on uninitialised value(s)
 ==26527==at 0x4C2D8BC: strchrnul (mc_replace_strmem.c:1084)
 ==26527==by 0x4989CC: parse_signature_lines (commit.c:1074)
 ==26527==by 0x498B33: check_commit_signature (commit.c:1100)
 ==26527==by 0x453719: cmd_merge (merge.c:1246)
 ==26527==by 0x4057B6: run_builtin (git.c:282)
 ==26527==by 0x405949: handle_internal_command (git.c:444)
 ==26527==by 0x405A63: run_argv (git.c:490)
 ==26527==by 0x405BF2: main (git.c:565)
 [...]
 
 If you have valgrind installed locally, you can also test yourself ;-) just 
 pass --valgrind to the test script.
Ok, I can reproduce this with v6 of the patch:

expecting success: 
test_must_fail git merge --ff-only --verify-signatures side-untrusted 
2mergeerror 
test_i18ngrep has a good, untrusted GPG signature mergeerror

==1430== Conditional jump or move depends on uninitialised value(s)
==1430==at 0x4C26B5C: strchrnul (mc_replace_strmem.c:711)
==1430==by 0x47B90B: check_commit_signature (commit.c:1057)
==1430==by 0x444212: cmd_merge (merge.c:1245)
==1430==by 0x4050E6: handle_internal_command (git.c:281)
==1430==by 0x40530C: main (git.c:489)

Though I also can't see the problem. strchrnul gets passed a char* that is just 
fine.

--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

2013-03-31 Thread Thomas Rast

Sebastian Götte ja...@physik.tu-berlin.de wrote:

expecting success: 
test_must_fail git merge --ff-only --verify-signatures side-untrusted
2mergeerror 
test_i18ngrep has a good, untrusted GPG signature mergeerror

==1430== Conditional jump or move depends on uninitialised value(s)
==1430==at 0x4C26B5C: strchrnul (mc_replace_strmem.c:711)
==1430==by 0x47B90B: check_commit_signature (commit.c:1057)
==1430==by 0x444212: cmd_merge (merge.c:1245)
==1430==by 0x4050E6: handle_internal_command (git.c:281)
==1430==by 0x40530C: main (git.c:489)

Though I also can't see the problem. strchrnul gets passed a char* that
is just fine.

Usually that means that the string *contents* are uninitialized, usually 
because you scanned past the end of the string...
-- 
http://code.google.com/p/k9mail
--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

2013-03-31 Thread Sebastian Götte

On 03/31/2013 02:16 PM, Thomas Rast wrote:
 Sebastian Götte ja...@physik.tu-berlin.de wrote:
 
 expecting success: 
 test_must_fail git merge --ff-only --verify-signatures side-untrusted
 2mergeerror 
test_i18ngrep has a good, untrusted GPG signature mergeerror

 ==1430== Conditional jump or move depends on uninitialised value(s)
 ==1430==at 0x4C26B5C: strchrnul (mc_replace_strmem.c:711)
 ==1430==by 0x47B90B: check_commit_signature (commit.c:1057)
 ==1430==by 0x444212: cmd_merge (merge.c:1245)
 ==1430==by 0x4050E6: handle_internal_command (git.c:281)
 ==1430==by 0x40530C: main (git.c:489)

 Though I also can't see the problem. strchrnul gets passed a char* that
 is just fine.
 
 Usually that means that the string *contents* are uninitialized, usually 
 because you scanned past the end of the string...
I checked for that, everything looks fine to me. The pointer should point to a 
valid, 0-terminated string.
--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

2013-03-31 Thread John Keeping

On Sun, Mar 31, 2013 at 02:27:20PM +0200, Sebastian Götte wrote:
 On 03/31/2013 02:16 PM, Thomas Rast wrote:
  Sebastian Götte ja...@physik.tu-berlin.de wrote:
  
  expecting success: 
  test_must_fail git merge --ff-only --verify-signatures side-untrusted
  2mergeerror 
 test_i18ngrep has a good, untrusted GPG signature mergeerror
 
  ==1430== Conditional jump or move depends on uninitialised value(s)
  ==1430==at 0x4C26B5C: strchrnul (mc_replace_strmem.c:711)
  ==1430==by 0x47B90B: check_commit_signature (commit.c:1057)
  ==1430==by 0x444212: cmd_merge (merge.c:1245)
  ==1430==by 0x4050E6: handle_internal_command (git.c:281)
  ==1430==by 0x40530C: main (git.c:489)
 
  Though I also can't see the problem. strchrnul gets passed a char* that
  is just fine.
  
  Usually that means that the string *contents* are uninitialized,
  usually because you scanned past the end of the string...

 I checked for that, everything looks fine to me. The pointer should point to 
 a valid, 0-terminated string.

It looks like the found pointer has wandered off the end of the
string.  In the test case here, the gpg_status is:

-- 8 --
[GNUPG:] SIG_ID rzX3GbdzQyxB4Jdm1uD0CzL4B4Y 2013-03-31 1364735152
[GNUPG:] GOODSIG 61092E85B7227189 Eris Discordia disc...@example.net
[GNUPG:] VALIDSIG D4BE22311AD3131E5EDA29A461092E85B7227189 2013-03-31
1364735152 0 4 0 1 2 00 D4BE22311AD3131E5EDA29A461092E85B7227189
[GNUPG:] TRUST_UNDEFINED
-- 8 --

But the parse_signature_lines code assumes that after reading a
signature it can fill in the key from the next 16 bytes and then look
for a newline after that.  In this case it clearly needs to only read
the signature if it's a GOODSIG or BADSIG line.

Wrapping a signature_check[i].result != 'U' condition around the lines
that extract the key and advance the found pointer after doing so
fixes this for me.


John
--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

Re: [PATCH v5 4/5] merge/pull Check for untrusted good GPG signatures

7 matches

Site Navigation

Mail list logo

Footer information