cgit with patches for sandboxing using qssb
61d4147ea2
* parsing.c (substr): Handle tail < head. This started when I noticed some cgit segfaults on savannah.gnu.org. Finding the offending URL/commit and then constructing a stand-alone reproducer were far more time-consuming than writing the actual patch. The problem arises with a commit like this, in which the user name part of the "Author" field is empty: $ git log -1 commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421 Author: <T at h.or> Date: Mon Apr 23 22:29:16 2012 +0200 Here's what happens: (this is due to buf=malloc(0); strncpy (buf, head, -1); where "head" may point to plenty of attacker-specified non-NUL bytes, so we can overwrite a zero-length heap buffer with arbitrary data) Invalid write of size 1 at 0x4A09361: strncpy (mc_replace_strmem.c:463) by 0x408977: substr (parsing.c:61) by 0x4089EF: parse_user (parsing.c:73) by 0x408D10: cgit_parse_commit (parsing.c:153) by 0x40A540: cgit_mk_refinfo (shared.c:171) by 0x40A581: cgit_refs_cb (shared.c:181) by 0x43DEB3: do_for_each_ref (refs.c:690) by 0x41075E: cgit_print_branches (ui-refs.c:191) by 0x416EF2: cgit_print_summary (ui-summary.c:56) by 0x40780A: summary_fn (cmd.c:120) by 0x40667A: process_request (cgit.c:544) by 0x404078: cache_process (cache.c:322) Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd at 0x4A0884D: malloc (vg_replace_malloc.c:263) by 0x455C85: xmalloc (wrapper.c:35) by 0x40894C: substr (parsing.c:60) by 0x4089EF: parse_user (parsing.c:73) by 0x408D10: cgit_parse_commit (parsing.c:153) by 0x40A540: cgit_mk_refinfo (shared.c:171) by 0x40A581: cgit_refs_cb (shared.c:181) by 0x43DEB3: do_for_each_ref (refs.c:690) by 0x41075E: cgit_print_branches (ui-refs.c:191) by 0x416EF2: cgit_print_summary (ui-summary.c:56) by 0x40780A: summary_fn (cmd.c:120) by 0x40667A: process_request (cgit.c:544) Invalid write of size 1 at 0x4A09400: strncpy (mc_replace_strmem.c:463) by 0x408977: substr (parsing.c:61) by 0x4089EF: parse_user (parsing.c:73) by 0x408D10: cgit_parse_commit (parsing.c:153) by 0x40A540: cgit_mk_refinfo (shared.c:171) by 0x40A581: cgit_refs_cb (shared.c:181) by 0x43DEB3: do_for_each_ref (refs.c:690) by 0x41075E: cgit_print_branches (ui-refs.c:191) by 0x416EF2: cgit_print_summary (ui-summary.c:56) by 0x40780A: summary_fn (cmd.c:120) by 0x40667A: process_request (cgit.c:544) by 0x404078: cache_process (cache.c:322) Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd Invalid write of size 1 at 0x4A0940E: strncpy (mc_replace_strmem.c:463) by 0x408977: substr (parsing.c:61) by 0x4089EF: parse_user (parsing.c:73) by 0x408D10: cgit_parse_commit (parsing.c:153) by 0x40A540: cgit_mk_refinfo (shared.c:171) by 0x40A581: cgit_refs_cb (shared.c:181) by 0x43DEB3: do_for_each_ref (refs.c:690) by 0x41075E: cgit_print_branches (ui-refs.c:191) by 0x416EF2: cgit_print_summary (ui-summary.c:56) by 0x40780A: summary_fn (cmd.c:120) by 0x40667A: process_request (cgit.c:544) by 0x404078: cache_process (cache.c:322) Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd Process terminating with default action of signal 11 (SIGSEGV) Access not within mapped region at address 0x502F000 at 0x4A09400: strncpy (mc_replace_strmem.c:463) by 0x408977: substr (parsing.c:61) by 0x4089EF: parse_user (parsing.c:73) by 0x408D10: cgit_parse_commit (parsing.c:153) by 0x40A540: cgit_mk_refinfo (shared.c:171) by 0x40A581: cgit_refs_cb (shared.c:181) by 0x43DEB3: do_for_each_ref (refs.c:690) by 0x41075E: cgit_print_branches (ui-refs.c:191) by 0x416EF2: cgit_print_summary (ui-summary.c:56) by 0x40780A: summary_fn (cmd.c:120) by 0x40667A: process_request (cgit.c:544) by 0x404078: cache_process (cache.c:322) This happens when tail - head == -1 here: (parsing.c) char *substr(const char *head, const char *tail) { char *buf; buf = xmalloc(tail - head + 1); strncpy(buf, head, tail - head); buf[tail - head] = '\0'; return buf; } char *parse_user(char *t, char **name, char **email, unsigned long *date) { char *p = t; int mode = 1; while (p && *p) { if (mode == 1 && *p == '<') { *name = substr(t, p - 1); t = p; mode++; } else if (mode == 1 && *p == '\n') { The fix is to handle the case of (tail < head) before calling xmalloc, thus avoiding passing an invalid value to xmalloc. And here's the reproducer: It was tricky to reproduce, because git prohibits use of an empty "name" in a commit ID. To construct the offending commit, I had to resort to using "git hash-object". git init -q foo && ( cd foo && echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . && h=$(git cat-file commit HEAD|sed 's/au //' \ |git hash-object -t commit -w --stdin) && git co -q -b test $h && git br -q -D master && git br -q -m test master) git clone -q --bare foo foo.git cat <<EOF > in repo.url=foo.git repo.path=foo.git EOF CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit The valgrind output is what you see above. AFAICS, this is not exploitable thanks (ironically) to the use of strncpy. Since that -1 translates to SIZE_MAX and this is strncpy, not only does it copy whatever is in "head" (up to first NUL), but it also writes SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that latter is guaranteed to evoke a segfault. Since cgit is single-threaded, AFAICS, there is no way that the buffer clobbering can be turned into an exploit. |
||
---|---|---|
filters | ||
git@7ed863a85a | ||
tests | ||
.gitignore | ||
.gitmodules | ||
cache.c | ||
cache.h | ||
cgit-doc.css | ||
cgit.c | ||
cgit.css | ||
cgit.h | ||
cgit.png | ||
cgitrc.5.txt | ||
cmd.c | ||
cmd.h | ||
configfile.c | ||
configfile.h | ||
COPYING | ||
gen-version.sh | ||
html.c | ||
html.h | ||
Makefile | ||
parsing.c | ||
README | ||
scan-tree.c | ||
scan-tree.h | ||
shared.c | ||
ui-atom.c | ||
ui-atom.h | ||
ui-blob.c | ||
ui-blob.h | ||
ui-clone.c | ||
ui-clone.h | ||
ui-commit.c | ||
ui-commit.h | ||
ui-diff.c | ||
ui-diff.h | ||
ui-log.c | ||
ui-log.h | ||
ui-patch.c | ||
ui-patch.h | ||
ui-plain.c | ||
ui-plain.h | ||
ui-refs.c | ||
ui-refs.h | ||
ui-repolist.c | ||
ui-repolist.h | ||
ui-shared.c | ||
ui-shared.h | ||
ui-snapshot.c | ||
ui-snapshot.h | ||
ui-ssdiff.c | ||
ui-ssdiff.h | ||
ui-stats.c | ||
ui-stats.h | ||
ui-summary.c | ||
ui-summary.h | ||
ui-tag.c | ||
ui-tag.h | ||
ui-tree.c | ||
ui-tree.h | ||
vector.c | ||
vector.h |
cgit - cgi for git This is an attempt to create a fast web interface for the git scm, using a builtin cache to decrease server io-pressure. Installation Building cgit involves building a proper version of git. How to do this depends on how you obtained the cgit sources: a) If you're working in a cloned cgit repository, you first need to initialize and update the git submodule: $ git submodule init # register the git submodule in .git/config $ $EDITOR .git/config # if you want to specify a different url for git $ git submodule update # clone/fetch and checkout correct git version b) If you're building from a cgit tarball, you can download a proper git version like this: $ make get-git When either a) or b) has been performed, you can build and install cgit like this: $ make $ sudo make install This will install cgit.cgi and cgit.css into "/var/www/htdocs/cgit". You can configure this location (and a few other things) by providing a "cgit.conf" file (see the Makefile for details). Dependencies: -git 1.7.4 -zip lib -crypto lib -openssl lib Apache configuration A new Directory-section must probably be added for cgit, possibly something like this: <Directory "/var/www/htdocs/cgit/"> AllowOverride None Options +ExecCGI Order allow,deny Allow from all </Directory> Runtime configuration The file /etc/cgitrc is read by cgit before handling a request. In addition to runtime parameters, this file may also contain a list of repositories displayed by cgit (see cgitrc.5.txt for further details). The cache When cgit is invoked it looks for a cachefile matching the request and returns it to the client. If no such cachefile exist (or if it has expired), the content for the request is written into the proper cachefile before the file is returned. If the cachefile has expired but cgit is unable to obtain a lock for it, the stale cachefile is returned to the client. This is done to favour page throughput over page freshness. The generated content contains the complete response to the client, including the http-headers "Modified" and "Expires". Online presence * The cgit homepage is hosted by cgit at http://hjemli.net/git/cgit/about * Patches, bugreports, discussions and support should go to the cgit mailing list: cgit@hjemli.net