Re: git 1.9.0 segfault

2014-03-08 Thread brian m. carlson
On Sat, Mar 08, 2014 at 04:23:43PM +, Guillaume Gelin wrote:
> Hi,
> 
> http://pastebin.com/Np7L54ar

I can confirm this.  I get the following backtrace:

  Core was generated by `/home/bmc/checkouts/git/git mv packages/ lisp'.
  Program terminated with signal 11, Segmentation fault.
  #0  0x7fe31a4371b2 in _IO_vfprintf_internal (s=s@entry=0x7fffa330d2e0,
format=<optimized out>, format@entry=0x7fffa330e5b0 "renaming '%s' failed: Bad
address", ap=ap@entry=0x7fffa330e498)
  at vfprintf.c:1649
  1649	vfprintf.c: No such file or directory.
  (gdb) bt
  #0  0x7fe31a4371b2 in _IO_vfprintf_internal (s=s@entry=0x7fffa330d2e0,
format=<optimized out>, format@entry=0x7fffa330e5b0 "renaming '%s' failed: Bad
address", ap=ap@entry=0x7fffa330e498)
  at vfprintf.c:1649
  #1  0x7fe31a4e2315 in ___vsnprintf_chk (s=s@entry=0x7fffa330d450
"renaming '0\243\377\177", maxlen=<optimized out>, maxlen@entry=4096,
flags=flags@entry=1, slen=slen@entry=4096,
  format=0x7fffa330e5b0 "renaming '%s' failed: Bad address",
format@entry=0x544fe5 "fatal: ", args=0x7fffa330e498) at vsnprintf_chk.c:63
  #2  0x005041cb in vsnprintf (__ap=<optimized out>, __fmt=0x544fe5
"fatal: ", __n=4096, __s=0x7fffa330d450 "renaming '0\243\377\177") at
/usr/include/x86_64-linux-gnu/bits/stdio2.h:77
  #3  vreportf (prefix=prefix@entry=0x544fe5 "fatal: ", err=<optimized out>,
params=<optimized out>) at usage.c:12
  #4  0x00504224 in die_builtin (err=<optimized out>, params=<optimized
out>) at usage.c:36
  #5  0x00504650 in die_errno (fmt=0x52be9a "renaming '%s' failed") at
usage.c:137
  #6  0x0044cb4d in cmd_mv (argc=<optimized out>, argv=<optimized out>,
prefix=<optimized out>) at builtin/mv.c:246
  #7  0x0040602d in run_builtin (argv=0x7fffa330ef90, argc=3,
p=0x779d40 <commands+1536>) at git.c:314
  #8  handle_builtin (argc=3, argv=0x7fffa330ef90) at git.c:487
  #9  0x004052e1 in run_argv (argv=0x7fffa330ee48,
argcp=0x7fffa330ee2c) at git.c:533
  #10 main (argc=3, av=<optimized out>) at git.c:616

We're failing to rename because we got an EFAULT, and then we try to
print the failing filename, and we get a segfault right here:

	if (rename(src, dst) < 0 && !ignore_errors)
		die_errno (_("renaming '%s' failed"), src);

I don't know yet if dst is also bad, but clearly src is.  I'm looking
into it.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187


Re: git 1.9.0 segfault

2014-03-08 Thread John Keeping
On Sat, Mar 08, 2014 at 04:46:51PM +, brian m. carlson wrote:
> On Sat, Mar 08, 2014 at 04:23:43PM +, Guillaume Gelin wrote:
> > Hi,
> > 
> > http://pastebin.com/Np7L54ar
> 
> We're failing to rename because we got an EFAULT, and then we try to
> print the failing filename, and we get a segfault right here:
> 
> 	if (rename(src, dst) < 0 && !ignore_errors)
> 		die_errno (_("renaming '%s' failed"), src);
> 
> I don't know yet if dst is also bad, but clearly src is.  I'm looking
> into it.

The problem seems to be that we change argc when we append nested
directories to the list and then continue looping over 'source' which
has been realloc'd to be larger.  But we do not realloc
submodule_gitfile at the same time so we start writing beyond the end of
the submodule_gitfile array.

The particular behaviour of glibc's malloc happens to mean (at least on
my system) that this starts overwriting 'src'.

This fixes it for me:

-- >8 --
diff --git a/builtin/mv.c b/builtin/mv.c
index 7e26eb5..23f119a 100644
--- a/builtin/mv.c
+++ b/builtin/mv.c
@@ -180,6 +180,9 @@ int cmd_mv(int argc, const char **argv, const char *prefix)
modes = xrealloc(modes,
(argc + last - 
first)
* sizeof(enum 
update_mode));
+   submodule_gitfile = 
xrealloc(submodule_gitfile,
+   (argc + last - 
first)
+   * sizeof(char 
*));
}
 
dst = add_slash(dst);
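Review bot: xrealloc leaves the (last - first) new slots of submodule_gitfile uninitialized, and unlike modes nothing in this hunk fills them in, so wherever the appended entries get their source, destination and modes values they also need `submodule_gitfile[argc + j] = NULL`; otherwise a later read of submodule_gitfile[i] for an appended entry sees whatever the heap happened to hold there. Minor style point: `(argc + last - first)` is now spelled out once per array; assigning it to a local (e.g. `int n = argc + last - first;`) and passing `n` to each xrealloc keeps the sizes from drifting apart the way the arrays just did.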