[0/3] double-free with git fetch --prefetch

Message ID	20241112083204.GA2636868@coredump.intra.peff.net (mailing list archive)
Headers	show Received: from cloud.peff.net (cloud.peff.net [104.130.231.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 18ED4154456 for <git@vger.kernel.org>; Tue, 12 Nov 2024 08:32:05 +0000 (UTC) Date: Tue, 12 Nov 2024 03:32:04 -0500 From: Jeff King <peff@peff.net> To: Eric Mills <ermills@epic.com> Cc: "git@vger.kernel.org" <git@vger.kernel.org> Subject: [PATCH 0/3] double-free with git fetch --prefetch Message-ID: <20241112083204.GA2636868@coredump.intra.peff.net> References: <SA1PR17MB6501281EF202EA694CF9DC03CA582@SA1PR17MB6501.namprd17.prod.outlook.com> <20241112064951.GA619985@coredump.intra.peff.net> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20241112064951.GA619985@coredump.intra.peff.net>
Series	double-free with git fetch --prefetch \| expand [0/3] double-free with git fetch --prefetch [1/3] fetch: adjust refspec->raw_nr when filtering prefetch refspecs [2/3] refspec: drop separate raw_nr count [3/3] refspec: store raw refspecs inside refspec_item

Message ID

20241112083204.GA2636868@coredump.intra.peff.net (mailing list archive)

Headers

Date: Tue, 12 Nov 2024 03:32:04 -0500
From: Jeff King <peff@peff.net>
To: Eric Mills <ermills@epic.com>
Cc: "git@vger.kernel.org" <git@vger.kernel.org>
Subject: [PATCH 0/3] double-free with git fetch --prefetch
Message-ID: <20241112083204.GA2636868@coredump.intra.peff.net>
References: 
 <SA1PR17MB6501281EF202EA694CF9DC03CA582@SA1PR17MB6501.namprd17.prod.outlook.com>
 <20241112064951.GA619985@coredump.intra.peff.net>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20241112064951.GA619985@coredump.intra.peff.net>

Series

double-free with git fetch --prefetch | expand

Message

Jeff King Nov. 12, 2024, 8:32 a.m. UTC

On Tue, Nov 12, 2024 at 01:49:51AM -0500, Jeff King wrote:

> Bisecting on:
> 
>   make SANITIZE=address &&
>   bin-wrappers/git fetch --prefetch origin master
> 
> turns up my ea4780307c (fetch: free "raw" string when shrinking refspec,
> 2024-09-24). I'll see if I can figure out what's going on.

OK, it turns out to be a fairly simple bug. The hardest part was
figuring out why it was not triggering all the time already in the test
suite. ;)

Patch 1 is the minimal fix. It is sort-of a regression in v2.47, in that
it became easier to trigger the bug; but it existed before then. Either
way, it seems like material for the "maint" branch.

The other two patches are cleanups that I contemplated when doing
ea4780307c. Now that this code has caused _two_ bugs which would have
been impossible with the cleanups, I figured it was worth taking a stab
at it.

Thanks for a clear report.

  [1/3]: fetch: adjust refspec->raw_nr when filtering prefetch refspecs
  [2/3]: refspec: drop separate raw_nr count
  [3/3]: refspec: store raw refspecs inside refspec_item

 builtin/fetch.c                   |  8 ++------
 builtin/remote.c                  | 16 ++++++++--------
 refspec.c                         | 26 ++++++++++----------------
 refspec.h                         |  6 ++----
 submodule.c                       |  8 ++++----
 t/t5582-fetch-negative-refspec.sh |  4 ++++
 6 files changed, 30 insertions(+), 38 deletions(-)

-Peff