cgit with patches for sandboxing using qssb
Go to file
Jim Meyering 61d4147ea2 do not write outside heap buffer
* parsing.c (substr): Handle tail < head.

This started when I noticed some cgit segfaults on savannah.gnu.org.
Finding the offending URL/commit and then constructing a stand-alone
reproducer were far more time-consuming than writing the actual patch.

The problem arises with a commit like this, in which the user name
part of the "Author" field is empty:

    $ git log -1
    commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421
    Author: <T at h.or>
    Date:   Mon Apr 23 22:29:16 2012 +0200

Here's what happens:

(this is due to buf=malloc(0); strncpy (buf, head, -1);
 where "head" may point to plenty of attacker-specified non-NUL bytes,
 so we can overwrite a zero-length heap buffer with arbitrary data)

 Invalid write of size 1
    at 0x4A09361: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
    at 0x4A0884D: malloc (vg_replace_malloc.c:263)
    by 0x455C85: xmalloc (wrapper.c:35)
    by 0x40894C: substr (parsing.c:60)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)

 Invalid write of size 1
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd

 Invalid write of size 1
    at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd

 Process terminating with default action of signal 11 (SIGSEGV)
  Access not within mapped region at address 0x502F000
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)

This happens when tail - head == -1 here:
(parsing.c)

  char *substr(const char *head, const char *tail)
  {
          char *buf;

          buf = xmalloc(tail - head + 1);
          strncpy(buf, head, tail - head);
          buf[tail - head] = '\0';
          return buf;
  }

  char *parse_user(char *t, char **name, char **email, unsigned long *date)
  {
          char *p = t;
          int mode = 1;

          while (p && *p) {
                  if (mode == 1 && *p == '<') {
                          *name = substr(t, p - 1);
                          t = p;
                          mode++;
                  } else if (mode == 1 && *p == '\n') {

The fix is to handle the case of (tail < head) before calling xmalloc,
thus avoiding passing an invalid value to xmalloc.

And here's the reproducer:
It was tricky to reproduce, because git prohibits use of an empty "name"
in a commit ID.  To construct the offending commit, I had to resort to
using "git hash-object".

git init -q foo &&
( cd foo &&
  echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
  h=$(git cat-file commit HEAD|sed 's/au //' \
    |git hash-object -t commit -w --stdin) &&
  git co -q -b test $h &&
  git br -q -D master &&
  git br -q -m test master)
git clone -q --bare foo foo.git

cat <<EOF > in
repo.url=foo.git
repo.path=foo.git
EOF
CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit

The valgrind output is what you see above.

AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
copy whatever is in "head" (up to first NUL), but it also writes
SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
latter is guaranteed to evoke a segfault.  Since cgit is single-threaded,
AFAICS, there is no way that the buffer clobbering can be turned into
an exploit.
2012-10-02 04:03:47 +02:00
filters Merge branch 'stable' 2012-03-18 20:23:30 +00:00
git@7ed863a85a Use GIT-1.7.4 2011-02-19 13:55:43 +01:00
tests Merge branch 'stable' 2012-03-18 20:23:30 +00:00
.gitignore Fix doc-related glitches in Makefile and .gitignore 2009-03-15 09:27:54 +01:00
.gitmodules Delete submodules.sh and prepare for using git-submodule 2007-09-03 22:54:51 +02:00
cache.c Fix some warnings to allow -Werror 2008-11-06 19:18:07 +01:00
cache.h use __attribute__ to catch printf format mistakes 2010-09-04 11:11:40 -04:00
cgit-doc.css Add cgit-doc.css 2009-02-12 10:24:25 +01:00
cgit.c Update copyright headers to have latest dates. 2012-07-12 20:01:46 +02:00
cgit.css css: only use div#cgit 2012-03-20 07:00:20 +00:00
cgit.h ui-repolist: Case insensitive sorting and age sort 2012-07-12 20:01:46 +02:00
cgit.png Use transparent background for the cgit logo 2011-02-19 14:41:39 +01:00
cgitrc.5.txt ui-repolist: Case insensitive sorting and age sort 2012-07-12 20:01:46 +02:00
cmd.c Merge branch 'lh/panel' 2011-05-23 23:29:24 +02:00
cmd.h Add is_clone flag to available commands 2011-02-19 14:57:48 +01:00
configfile.c Move function for configfile parsing into configfile.[ch] 2008-03-28 00:09:11 +01:00
configfile.h Move function for configfile parsing into configfile.[ch] 2008-03-28 00:09:11 +01:00
COPYING Add license file and copyright notices 2006-12-10 22:41:14 +01:00
gen-version.sh gen-version.sh: don't sed the output from git describe 2007-10-01 12:09:41 +02:00
html.c Merge branch 'stable' 2011-07-21 14:27:03 +00:00
html.h html.c: add html_intoption() 2011-03-06 23:57:26 +01:00
Makefile Merge branch 'stable' 2012-03-18 10:19:59 +00:00
parsing.c do not write outside heap buffer 2012-10-02 04:03:47 +02:00
README README: update some stale information/add some new 2011-06-13 13:27:32 +00:00
scan-tree.c Update copyright headers to have latest dates. 2012-07-12 20:01:46 +02:00
scan-tree.h Add support for 'project-list' option 2010-08-04 03:09:32 +02:00
shared.c Merge branch 'jp/defbranch' 2012-03-18 21:00:18 +00:00
ui-atom.c Append path and branch to atom feed title 2010-11-07 16:35:54 +01:00
ui-atom.h Add atom-support 2008-08-01 22:12:34 +02:00
ui-blob.c prefer html_raw() to write() 2010-09-04 14:30:10 -04:00
ui-blob.h Support refspecs in about-filter. 2010-08-20 18:57:30 +02:00
ui-clone.c Supply status description to html_status() 2008-08-06 22:57:44 +02:00
ui-clone.h Add support for cloning over http 2008-08-06 11:21:09 +02:00
ui-commit.c cgit.c: always setup cgit repo environment variables 2011-06-13 23:03:46 +00:00
ui-commit.h ui-commit: Limit diff based on path limit in qry.path 2010-06-19 10:40:23 +02:00
ui-diff.c ui-ssdiff.c: set correct diffmode in "control panel" 2012-01-03 16:09:59 +00:00
ui-diff.h ui-diff.c: create a control panel for diff options 2011-03-06 23:59:56 +01:00
ui-log.c Merge branch 'stable' 2012-01-03 16:06:58 +00:00
ui-log.h ui-log: Line-wrap long commit subjects when showmsg is enabled 2010-11-16 08:18:37 +01:00
ui-patch.c Add URL parameter 'ignorews' for optionally ignoring whitespace in diffs 2010-07-18 10:53:48 +02:00
ui-patch.h ui-patch: Apply path limit to generated patch 2010-06-19 10:40:23 +02:00
ui-plain.c Merge branch 'fh/mimetypes' 2012-03-18 21:01:28 +00:00
ui-plain.h Implement plain view 2008-08-06 11:21:30 +02:00
ui-refs.c Merge branch 'stable' 2010-08-03 22:52:11 +02:00
ui-refs.h Add separate header-files for each page/view 2008-03-24 16:38:47 +01:00
ui-repolist.c Update copyright headers to have latest dates. 2012-07-12 20:01:46 +02:00
ui-repolist.h Prepare for 'about site' page / add 'root-readme' option to cgitrc 2008-04-29 01:06:30 +02:00
ui-shared.c Merge branch 'lh/module-links' 2012-03-18 20:59:36 +00:00
ui-shared.h Merge branch 'lh/module-links' 2012-03-18 20:59:36 +00:00
ui-snapshot.c ui-snapshot: pass -n to gzip, to suppress timestamp 2012-09-27 03:35:25 +02:00
ui-snapshot.h Set prefix in snapshots when using dwimmery 2008-11-30 13:39:53 +01:00
ui-ssdiff.c use correct type for sizeof 2012-03-18 09:26:31 +00:00
ui-ssdiff.h ui-ssdiff: move LCS table away from the stack 2012-01-03 15:16:01 +00:00
ui-stats.c ui-stats.c: fix invalid html 2011-05-30 22:21:22 +00:00
ui-stats.h Add and use cgit_find_stats_periodname() in print_repo() 2009-08-24 11:02:48 +02:00
ui-summary.c cgit.c: add 'clone-url' setting with support for macro expansion 2011-06-13 23:04:30 +00:00
ui-summary.h ui-summary: enable arbitrary paths below repo.readme 2009-08-09 13:41:54 +02:00
ui-tag.c ui-tag: make output more similar to commit view 2009-10-06 20:33:04 +02:00
ui-tag.h Add separate header-files for each page/view 2008-03-24 16:38:47 +01:00
ui-tree.c ui-tree.c: add support for path-selected submodule links 2011-06-15 10:40:13 +02:00
ui-tree.h Add separate header-files for each page/view 2008-03-24 16:38:47 +01:00
vector.c Add vector utility functions 2010-11-10 00:22:41 +01:00
vector.h Add vector utility functions 2010-11-10 00:22:41 +01:00

                       cgit - cgi for git


This is an attempt to create a fast web interface for the git scm, using a
builtin cache to decrease server io-pressure.


Installation

Building cgit involves building a proper version of git. How to do this
depends on how you obtained the cgit sources:

a) If you're working in a cloned cgit repository, you first need to
initialize and update the git submodule:

  $ git submodule init     # register the git submodule in .git/config
  $ $EDITOR .git/config    # if you want to specify a different url for git
  $ git submodule update   # clone/fetch and checkout correct git version

b) If you're building from a cgit tarball, you can download a proper git
version like this:

  $ make get-git


When either a) or b) has been performed, you can build and install cgit like
this:

  $ make
  $ sudo make install

This will install cgit.cgi and cgit.css into "/var/www/htdocs/cgit". You can
configure this location (and a few other things) by providing a "cgit.conf"
file (see the Makefile for details).


Dependencies:
  -git 1.7.4
  -zip lib
  -crypto lib
  -openssl lib


Apache configuration

A new Directory-section must probably be added for cgit, possibly something
like this:

  <Directory "/var/www/htdocs/cgit/">
      AllowOverride None
      Options +ExecCGI
      Order allow,deny
      Allow from all
  </Directory>


Runtime configuration

The file /etc/cgitrc is read by cgit before handling a request. In addition
to runtime parameters, this file may also contain a list of repositories
displayed by cgit (see cgitrc.5.txt for further details).


The cache

When cgit is invoked it looks for a cachefile matching the request and
returns it to the client. If no such cachefile exist (or if it has expired),
the content for the request is written into the proper cachefile before the
file is returned.

If the cachefile has expired but cgit is unable to obtain a lock for it, the
stale cachefile is returned to the client. This is done to favour page
throughput over page freshness.

The generated content contains the complete response to the client, including
the http-headers "Modified" and "Expires".


Online presence

* The cgit homepage is hosted by cgit at http://hjemli.net/git/cgit/about

* Patches, bugreports, discussions and support should go to the cgit
  mailing list: cgit@hjemli.net