Jim Meyering 61d4147ea2 do not write outside heap buffer
* parsing.c (substr): Handle tail < head.

This started when I noticed some cgit segfaults on savannah.gnu.org.
Finding the offending URL/commit and then constructing a stand-alone
reproducer were far more time-consuming than writing the actual patch.

The problem arises with a commit like this, in which the user name
part of the "Author" field is empty:

    $ git log -1
    commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421
    Author: <T at h.or>
    Date:   Mon Apr 23 22:29:16 2012 +0200

Here's what happens:

(this is due to buf=malloc(0); strncpy (buf, head, -1);
 where "head" may point to plenty of attacker-specified non-NUL bytes,
 so we can overwrite a zero-length heap buffer with arbitrary data)

 Invalid write of size 1
    at 0x4A09361: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
    at 0x4A0884D: malloc (vg_replace_malloc.c:263)
    by 0x455C85: xmalloc (wrapper.c:35)
    by 0x40894C: substr (parsing.c:60)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)

 Invalid write of size 1
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd

 Invalid write of size 1
    at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd

 Process terminating with default action of signal 11 (SIGSEGV)
  Access not within mapped region at address 0x502F000
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)

This happens when tail - head == -1 here:
(parsing.c)

  char *substr(const char *head, const char *tail)
  {
          char *buf;

          buf = xmalloc(tail - head + 1);
          strncpy(buf, head, tail - head);
          buf[tail - head] = '\0';
          return buf;
  }

  char *parse_user(char *t, char **name, char **email, unsigned long *date)
  {
          char *p = t;
          int mode = 1;

          while (p && *p) {
                  if (mode == 1 && *p == '<') {
                          *name = substr(t, p - 1);
                          t = p;
                          mode++;
                  } else if (mode == 1 && *p == '\n') {

The fix is to handle the case of (tail < head) before calling xmalloc,
thus avoiding passing an invalid value to xmalloc.

And here's the reproducer:
It was tricky to reproduce, because git prohibits use of an empty "name"
in a commit ID.  To construct the offending commit, I had to resort to
using "git hash-object".

git init -q foo &&
( cd foo &&
  echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
  h=$(git cat-file commit HEAD|sed 's/au //' \
    |git hash-object -t commit -w --stdin) &&
  git co -q -b test $h &&
  git br -q -D master &&
  git br -q -m test master)
git clone -q --bare foo foo.git

cat <<EOF > in
repo.url=foo.git
repo.path=foo.git
EOF
CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit

The valgrind output is what you see above.

AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
copy whatever is in "head" (up to first NUL), but it also writes
SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
latter is guaranteed to evoke a segfault.  Since cgit is single-threaded,
AFAICS, there is no way that the buffer clobbering can be turned into
an exploit.
12 years ago
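As an added illustration of the fix the commit message describes (not cgit's own code, and not the author's patch), the following shows a bounds-checked substr() beside a minimal model of the parse_user() call site. The names substr_safe, range_would_wrap and author_name are invented for this example, and the sample "author" lines are constructed; the example assumes the fix takes the form "treat tail < head as an empty range", which is one way to satisfy the commit message's "handle the case of (tail < head) before calling xmalloc".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hardened substr(): a [head, tail) range with tail < head is treated as
 * empty instead of becoming xmalloc(0) + strncpy(buf, head, (size_t)-1).
 * Hypothetical name; this is not cgit's function. */
static char *substr_safe(const char *head, const char *tail)
{
    size_t len;
    char *buf;

    if (tail < head)          /* the case the commit message describes */
        tail = head;
    len = (size_t)(tail - head);
    buf = malloc(len + 1);
    if (!buf)
        abort();
    memcpy(buf, head, len);   /* bounded by the caller's range, never SIZE_MAX */
    buf[len] = '\0';
    return buf;
}

/* Returns 1 when tail - head is negative, i.e. when passing it to strncpy
 * as a size_t would wrap to SIZE_MAX (the -1 -> SIZE_MAX case above). */
static int range_would_wrap(const char *head, const char *tail)
{
    return (size_t)(tail - head) > (size_t)PTRDIFF_MAX;
}

/* Mirrors the name-extraction step of parse_user(): the name is the text
 * before the first '<', minus the space that precedes it. When '<' is the
 * very first character, p - 1 precedes the name, which is the tail < head
 * range that substr_safe() now absorbs. Constructed simplification, not
 * cgit's parser. */
static char *author_name(const char *line)
{
    const char *p = strchr(line, '<');
    if (!p)
        return substr_safe(line, line + strlen(line));
    return substr_safe(line, p - 1);
}

int main(void)
{
    /* Constructed samples. In a commit object the name follows "author ",
     * so for the empty-name case p - 1 points at that trailing space. */
    const char *normal = "au <T at h.or>";
    const char *hdr = "author <T at h.or>";
    const char *empty = hdr + 7;
    char *n1 = author_name(normal);
    char *n2 = author_name(empty);

    printf("normal: \"%s\"  empty: \"%s\"  wraps=%d\n", n1, n2,
           range_would_wrap(empty, empty - 1));
    free(n1);
    free(n2);
    return 0;
}
```

The same check could instead live in the caller (not calling substr() at all when p == t); keeping it in substr() means every caller that computes a tail from p - 1 is covered, which is the property a reviewer would want after reading the valgrind trace above.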

README

                       cgit - cgi for git


This is an attempt to create a fast web interface for the git SCM, using a
built-in cache to decrease server I/O pressure.


Installation

Building cgit involves building a proper version of git. How to do this
depends on how you obtained the cgit sources:

a) If you're working in a cloned cgit repository, you first need to
initialize and update the git submodule:

  $ git submodule init     # register the git submodule in .git/config
  $ $EDITOR .git/config    # if you want to specify a different url for git
  $ git submodule update   # clone/fetch and checkout correct git version

b) If you're building from a cgit tarball, you can download a proper git
version like this:

  $ make get-git


When either a) or b) has been performed, you can build and install cgit like
this:

  $ make
  $ sudo make install

This will install cgit.cgi and cgit.css into "/var/www/htdocs/cgit". You can
configure this location (and a few other things) by providing a "cgit.conf"
file (see the Makefile for details).


Dependencies:
  - git 1.7.4
  - zip lib
  - crypto lib
  - openssl lib


Apache configuration

A new Directory-section must probably be added for cgit, possibly something
like this:

  <Directory "/var/www/htdocs/cgit/">
      AllowOverride None
      Options +ExecCGI
      Order allow,deny
      Allow from all
  </Directory>


Runtime configuration

The file /etc/cgitrc is read by cgit before handling a request. In addition
to runtime parameters, this file may also contain a list of repositories
displayed by cgit (see cgitrc.5.txt for further details).


The cache

When cgit is invoked it looks for a cachefile matching the request and
returns it to the client. If no such cachefile exists (or if it has expired),
the content for the request is written into the proper cachefile before the
file is returned.

If the cachefile has expired but cgit is unable to obtain a lock for it, the
stale cachefile is returned to the client. This is done to favour page
throughput over page freshness.

The generated content contains the complete response to the client, including
the http-headers "Modified" and "Expires".


Online presence

* The cgit homepage is hosted by cgit at http://hjemli.net/git/cgit/about

* Patches, bug reports, discussions and support should go to the cgit
  mailing list: cgit@hjemli.net