packfile: Correct zlib buffer handling on aarch64 (#1582555)

A recent zlib build with optimization for ARM exposed an issue in git's packfile handling. Thanks to Pavel Cahyna for the initial report and debugging and Jeremy Linton for further diagnosis and the subsequent patch. The patch is currently being discussed upstream¹. Until it is accepted, apply it only on aarch64 to avoid any unexpected issues with other arches. ¹ https://public-inbox.org/git/20180525231713.23047-1-lintonrjeremy@gmail.com/T/#u
2018-05-25 19:43:12 -04:00 · 2018-05-25 19:43:12 -04:00 · 20fad240e8
commit 20fad240e8
parent 9a5cabc9ef
2 changed files with 70 additions and 2 deletions
--- a/0001-packfile-Correct-zlib-buffer-handling.patch
+++ b/0001-packfile-Correct-zlib-buffer-handling.patch
@ -0,0 +1,50 @@
+From 0255347aed203301302e3f8e39fa87349e178019 Mon Sep 17 00:00:00 2001
+From: Jeremy Linton <lintonrjeremy@gmail.com>
+Date: Fri, 25 May 2018 17:56:01 -0500
+Subject: [PATCH] packfile: Correct zlib buffer handling
+
+The buffer being passed to zlib includes a null terminator that
+git needs to keep in place. unpack_compressed_entry() attempts to
+detect the case that the source buffer hasn't been fully consumed
+by checking to see if the destination buffer has been over consumed.
+
+This yields two problems, first a single byte overrun won't be detected
+properly because the Z_STREAM_END will then be set, but the null
+terminator will have been overwritten. The other problem is that
+more recent zlib patches have been poisoning the unconsumed portions
+of the buffers which also overwrites the null, while correctly
+returning length and status.
+
+Lets rely on the fact that the source buffer will only be fully
+consumed when the when the destination buffer is inflated to the
+correct size. We can do this by passing zlib the correct buffer size
+and properly checking the return status. The latter check actually
+already exists if the buffer size is correct.
+
+Signed-off-by: Jeremy Linton <lintonrjeremy@gmail.com>
+---
+ packfile.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/packfile.c b/packfile.c
+index 7c1a2519fc..245eb32041 100644
+--- a/packfile.c
+++ b/packfile.c
+@@ -1416,7 +1416,7 @@ static void *unpack_compressed_entry(struct packed_git *p,
+ 		return NULL;
+ 	memset(&stream, 0, sizeof(stream));
+ 	stream.next_out = buffer;
+-	stream.avail_out = size + 1;
+	stream.avail_out = size;
+ 
+ 	git_inflate_init(&stream);
+ 	do {
+@@ -1424,7 +1424,7 @@ static void *unpack_compressed_entry(struct packed_git *p,
+ 		stream.next_in = in;
+ 		st = git_inflate(&stream, Z_FINISH);
+ 		if (!stream.avail_out)
+-			break; /* the payload is larger than it should be */
+			break; /* done, st indicates if source fully consumed */
+ 		curpos += stream.next_in - in;
+ 	} while (st == Z_OK || st == Z_BUF_ERROR);
+ 	git_inflate_end(&stream);
--- a/git.spec
+++ b/git.spec
@ -83,7 +83,7 @@

 Name:           git
 Version:        2.17.1
-Release:        1%{?rcrev}%{?dist}
+Release:        2%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@ -123,6 +123,9 @@ Patch3:         0001-daemon.c-fix-condition-for-redirecting-stderr.patch
 # https://bugzilla.redhat.com/1581678
 # https://public-inbox.org/git/20180524062733.5412-1-newren@gmail.com/
 Patch4:         0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch
+# https://bugzilla.redhat.com/1582555
+# https://public-inbox.org/git/20180525231713.23047-1-lintonrjeremy@gmail.com/
+Patch5:         0001-packfile-Correct-zlib-buffer-handling.patch

 %if %{with docs}
 BuildRequires:  asciidoc >= 8.4.1
@ -421,7 +424,19 @@ rm -rf "$tar" "$gpghome" # Cleanup tar files and tmp gpg home dir

 # Ensure a blank line follows autosetup, el6 chokes otherwise
 # https://bugzilla.redhat.com/1310704
-%autosetup -p1 -n %{name}-%{version}%{?rcrev}
+#autosetup -p1 -n %{name}-%{version}%{?rcrev}
+
+# Setup/apply patches manually to limit the zlib patch to aarch64
+# until it is accepted upstream
+%setup -q -n %{name}-%{version}%{?rcrev}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%ifarch aarch64
+%patch5 -p1
+%endif

 # Install print-failed-test-output script
 install -p -m 755 %{SOURCE99} print-failed-test-output
@ -887,6 +902,9 @@ make test || ./print-failed-test-output
 %{?with_docs:%{_pkgdocdir}/git-svn.html}

 %changelog
+* Tue May 29 2018 Todd Zullinger <tmz@pobox.com> - 2.17.1-2
+- packfile: Correct zlib buffer handling (#1582555)
+
 * Tue May 29 2018 Todd Zullinger <tmz@pobox.com> - 2.17.1-1
 - Update to 2.17.1 (CVE-2018-11233, CVE-2018-11235)