[10/22] send-pack: fix leaking push cert nonce

Message ID	138a5ded35a43d3aeaa5058ba316a45b7b50b9ef.1724656120.git.ps@pks.im (mailing list archive)
State	Superseded
Headers	show Received: from fhigh6-smtp.messagingengine.com (fhigh6-smtp.messagingengine.com [103.168.172.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8B6DD12DD90 for <git@vger.kernel.org>; Mon, 26 Aug 2024 07:22:07 +0000 (UTC) Feedback-ID: i197146af:Fastmail Date: Mon, 26 Aug 2024 09:22:04 +0200 From: Patrick Steinhardt <ps@pks.im> To: git@vger.kernel.org Subject: [PATCH 10/22] send-pack: fix leaking push cert nonce Message-ID: <138a5ded35a43d3aeaa5058ba316a45b7b50b9ef.1724656120.git.ps@pks.im> References: <cover.1724656120.git.ps@pks.im> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <cover.1724656120.git.ps@pks.im>
Series	Memory leak fixes (pt.6) \| expand [00/22] Memory leak fixes (pt.6) [01/22] t/test-lib: allow skipping leak checks for passing tests [02/22] fetch-pack: fix memory leaks on fetch negotiation [03/22] send-pack: fix leaking common object IDs [04/22] builtin/push: fix leaking refspec query result [05/22] upload-pack: fix leaking child process data on reachability checks [06/22] submodule: fix leaking fetch task data [07/22] builtin/submodule--helper: fix leaking refs on push-check [08/22] remote: fix leaking tracking refs [09/22] remote: fix leak in reachability check of a remote-tracking ref [10/22] send-pack: fix leaking push cert nonce [11/22] gpg-interface: fix misdesigned signing key interfaces [12/22] object: clear grafts when clearing parsed object pool [13/22] shallow: free grafts when unregistering them [14/22] shallow: fix leaking members of `struct shallow_info` [15/22] negotiator/skipping: fix leaking commit entries [16/22] builtin/repack: fix leaking line buffer when packing promisors [17/22] builtin/pack-objects: plug leaking list of keep-packs [18/22] builtin/grep: fix leaking object context [19/22] builtin/fmt-merge-msg: fix leaking buffers [20/22] match-trees: fix leaking prefixes in `shift_tree()` [21/22] merge-ort: fix two leaks when handling directory rename modifications [22/22] builtin/repack: fix leaking keep-pack list

Message ID

138a5ded35a43d3aeaa5058ba316a45b7b50b9ef.1724656120.git.ps@pks.im (mailing list archive)

State

Superseded

Headers

Feedback-ID: i197146af:Fastmail
Date: Mon, 26 Aug 2024 09:22:04 +0200
From: Patrick Steinhardt <ps@pks.im>
To: git@vger.kernel.org
Subject: [PATCH 10/22] send-pack: fix leaking push cert nonce
Message-ID: 
 <138a5ded35a43d3aeaa5058ba316a45b7b50b9ef.1724656120.git.ps@pks.im>
References: <cover.1724656120.git.ps@pks.im>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <cover.1724656120.git.ps@pks.im>

Series

Memory leak fixes (pt.6) | expand

Commit Message

Patrick Steinhardt Aug. 26, 2024, 7:22 a.m. UTC

When retrieving the push cert nonce from the server, we first store the
constant returned by `server_feature_value()` and then, if the nonce is
valid, we duplicate the nonce memory to extend its lifetime. We never
free the latter and thus cause a memory leak.

Fix this by storing the limited-lifetime nonce into a scope-local
variable such that the long-lived, allocated nonce can be easily freed
without having to cast away its constness.

This leak was exposed by t5534, but fixing it is not sufficient to make
the whole test suite leak free.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
---
 send-pack.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

Comments

Junio C Hamano Sept. 4, 2024, 10:08 p.m. UTC | #1

Patrick Steinhardt <ps@pks.im> writes:

> When retrieving the push cert nonce from the server, we first store the
> constant returned by `server_feature_value()` and then, if the nonce is
> valid, we duplicate the nonce memory to extend its lifetime. We never
> free the latter and thus cause a memory leak.

"to extend its lifetime" -> "to a NUL-terminated string, so that we
can pass it to generate_push_cert()".

What is going on in this code path is this.

The other side may send a nonce in the server capability.  We die if
that nonce is bogus.  Otherwise we make a xmemdupz() copy because we
need to pass the nonce to generate_push_cert() that expects nonce to
be a NUL terminated string (the original server capability is a long
concatenation of capabilities and we learn the <ptr, len> for the
nonce).  The function cryptographically signs the ref update request
we have, together with the nonce we got from the server, so that the
other side can validate that it is signed by us, and the nonce serves
as a protection against replay attacks.

> diff --git a/send-pack.c b/send-pack.c
> index b224ef9fc5e..c37f6ab3c07 100644
> --- a/send-pack.c
> +++ b/send-pack.c
> @@ -501,7 +501,7 @@ int send_pack(struct send_pack_args *args,
>  	unsigned cmds_sent = 0;
>  	int ret;
>  	struct async demux;
> -	const char *push_cert_nonce = NULL;
> +	char *push_cert_nonce = NULL;
>  	struct packet_reader reader;
>  	int use_bitmaps;

This is a change necessary to avoid having to cast the parameter to
free().

> @@ -550,10 +550,11 @@ int send_pack(struct send_pack_args *args,
>  
>  	if (args->push_cert != SEND_PACK_PUSH_CERT_NEVER) {
>  		size_t len;
> -		push_cert_nonce = server_feature_value("push-cert", &len);
> -		if (push_cert_nonce) {
> -			reject_invalid_nonce(push_cert_nonce, len);
> -			push_cert_nonce = xmemdupz(push_cert_nonce, len);
> +		const char *nonce = server_feature_value("push-cert", &len);
> +
> +		if (nonce) {
> +			reject_invalid_nonce(nonce, len);
> +			push_cert_nonce = xmemdupz(nonce, len);

And this hunk become needed because push_cert_nonce cannot receive
the return value from server_feature_value() without stripping
constness.

>  		} else if (args->push_cert == SEND_PACK_PUSH_CERT_ALWAYS) {
>  			die(_("the receiving end does not support --signed push"));
>  		} else if (args->push_cert == SEND_PACK_PUSH_CERT_IF_ASKED) {
> @@ -771,5 +772,6 @@ int send_pack(struct send_pack_args *args,
>  	oid_array_clear(&commons);
>  	strbuf_release(&req_buf);
>  	strbuf_release(&cap_buf);
> +	free(push_cert_nonce);

And this is my fault to forget freeing.  Thanks for spotting and fixing.

>  	return ret;
>  }

diff --git a/send-pack.c b/send-pack.c
index b224ef9fc5e..c37f6ab3c07 100644
--- a/send-pack.c
+++ b/send-pack.c
@@ -501,7 +501,7 @@  int send_pack(struct send_pack_args *args,
 	unsigned cmds_sent = 0;
 	int ret;
 	struct async demux;
-	const char *push_cert_nonce = NULL;
+	char *push_cert_nonce = NULL;
 	struct packet_reader reader;
 	int use_bitmaps;
 
@@ -550,10 +550,11 @@  int send_pack(struct send_pack_args *args,
 
 	if (args->push_cert != SEND_PACK_PUSH_CERT_NEVER) {
 		size_t len;
-		push_cert_nonce = server_feature_value("push-cert", &len);
-		if (push_cert_nonce) {
-			reject_invalid_nonce(push_cert_nonce, len);
-			push_cert_nonce = xmemdupz(push_cert_nonce, len);
+		const char *nonce = server_feature_value("push-cert", &len);
+
+		if (nonce) {
+			reject_invalid_nonce(nonce, len);
+			push_cert_nonce = xmemdupz(nonce, len);
 		} else if (args->push_cert == SEND_PACK_PUSH_CERT_ALWAYS) {
 			die(_("the receiving end does not support --signed push"));
 		} else if (args->push_cert == SEND_PACK_PUSH_CERT_IF_ASKED) {
@@ -771,5 +772,6 @@  int send_pack(struct send_pack_args *args,
 	oid_array_clear(&commons);
 	strbuf_release(&req_buf);
 	strbuf_release(&cap_buf);
+	free(push_cert_nonce);
 	return ret;
 }

[10/22] send-pack: fix leaking push cert nonce

Commit Message

Comments

Patch