From 684dd4c2b414bcf648505e74498a608f28de4592 Mon Sep 17 00:00:00 2001 From: Matheus Tavares Date: Thu, 10 Dec 2020 10:27:55 -0300 Subject: checkout: fix bug that makes checkout follow symlinks in leading path Before checking out a file, we have to confirm that all of its leading components are real existing directories. And to reduce the number of lstat() calls in this process, we cache the last leading path known to contain only directories. However, when a path collision occurs (e.g. when checking out case-sensitive files in case-insensitive file systems), a cached path might have its file type changed on disk, leaving the cache on an invalid state. Normally, this doesn't bring any bad consequences as we usually check out files in index order, and therefore, by the time the cached path becomes outdated, we no longer need it anyway (because all files in that directory would have already been written). But, there are some users of the checkout machinery that do not always follow the index order. In particular: checkout-index writes the paths in the same order that they appear on the CLI (or stdin); and the delayed checkout feature -- used when a long-running filter process replies with "status=delayed" -- postpones the checkout of some entries, thus modifying the checkout order. When we have to check out an out-of-order entry and the lstat() cache is invalid (due to a previous path collision), checkout_entry() may end up using the invalid data and thrusting that the leading components are real directories when, in reality, they are not. In the best case scenario, where the directory was replaced by a regular file, the user will get an error: "fatal: unable to create file 'foo/bar': Not a directory". But if the directory was replaced by a symlink, checkout could actually end up following the symlink and writing the file at a wrong place, even outside the repository. Since delayed checkout is affected by this bug, it could be used by an attacker to write arbitrary files during the clone of a maliciously crafted repository. Some candidate solutions considered were to disable the lstat() cache during unordered checkouts or sort the entries before passing them to the checkout machinery. But both ideas include some performance penalty and they don't future-proof the code against new unordered use cases. Instead, we now manually reset the lstat cache whenever we successfully remove a directory. Note: We are not even checking whether the directory was the same as the lstat cache points to because we might face a scenario where the paths refer to the same location but differ due to case folding, precomposed UTF-8 issues, or the presence of `..` components in the path. Two regression tests, with case-collisions and utf8-collisions, are also added for both checkout-index and delayed checkout. Note: to make the previously mentioned clone attack unfeasible, it would be sufficient to reset the lstat cache only after the remove_subtree() call inside checkout_entry(). This is the place where we would remove a directory whose path collides with the path of another entry that we are currently trying to check out (possibly a symlink). However, in the interest of a thorough fix that does not leave Git open to similar-but-not-identical attack vectors, we decided to intercept all `rmdir()` calls in one fell swoop. This addresses CVE-2021-21300. Co-authored-by: Johannes Schindelin Signed-off-by: Matheus Tavares --- t/t0021-conversion.sh | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) (limited to 't/t0021-conversion.sh') diff --git a/t/t0021-conversion.sh b/t/t0021-conversion.sh index 46f8e583c3..8ff917fca6 100755 --- a/t/t0021-conversion.sh +++ b/t/t0021-conversion.sh @@ -817,4 +817,49 @@ test_expect_success PERL 'invalid file in delayed checkout' ' grep "error: external filter .* signaled that .unfiltered. is now available although it has not been delayed earlier" git-stderr.log ' +for mode in 'case' 'utf-8' +do + case "$mode" in + case) dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;; + utf-8) + dir=$(printf "\141\314\210") symlink=$(printf "\303\244") + mode_prereq='UTF8_NFD_TO_NFC' ;; + esac + + test_expect_success PERL,SYMLINKS,$mode_prereq \ + "delayed checkout with $mode-collision don't write to the wrong place" ' + test_config_global filter.delay.process \ + "\"$TEST_ROOT/rot13-filter.pl\" --always-delay delayed.log clean smudge delay" && + test_config_global filter.delay.required true && + + git init $mode-collision && + ( + cd $mode-collision && + mkdir target-dir && + + empty_oid=$(printf "" | git hash-object -w --stdin) && + symlink_oid=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) && + attr_oid=$(echo "$dir/z filter=delay" | git hash-object -w --stdin) && + + cat >objs <<-EOF && + 100644 blob $empty_oid $dir/x + 100644 blob $empty_oid $dir/y + 100644 blob $empty_oid $dir/z + 120000 blob $symlink_oid $symlink + 100644 blob $attr_oid .gitattributes + EOF + + git update-index --index-info Date: Tue, 2 Feb 2021 22:09:52 +0100 Subject: run-command: invalidate lstat cache after a command finished In the previous commit, we intercepted calls to `rmdir()` to invalidate the lstat cache in the successful case, so that the lstat cache could not have the idea that a directory exists where there is none. The same situation can arise, of course, when a separate process is spawned (most notably, this is the case in `submodule_move_head()`). Obviously, we cannot know whether a directory was removed in that process, therefore we must invalidate the lstat cache afterwards. Note: in contrast to `lstat_cache_aware_rmdir()`, we invalidate the lstat cache even in case of an error: the process might have removed a directory and still have failed afterwards. Co-authored-by: Matheus Tavares Signed-off-by: Johannes Schindelin --- run-command.c | 9 ++++++++- t/t0021-conversion.sh | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) (limited to 't/t0021-conversion.sh') diff --git a/run-command.c b/run-command.c index a483d5904a..c5c4d36671 100644 --- a/run-command.c +++ b/run-command.c @@ -953,6 +953,7 @@ int finish_command(struct child_process *cmd) { int ret = wait_or_whine(cmd->pid, cmd->argv[0], 0); child_process_clear(cmd); + invalidate_lstat_cache(); return ret; } @@ -1239,13 +1240,19 @@ error: int finish_async(struct async *async) { #ifdef NO_PTHREADS - return wait_or_whine(async->pid, "child process", 0); + int ret = wait_or_whine(async->pid, "child process", 0); + + invalidate_lstat_cache(); + + return ret; #else void *ret = (void *)(intptr_t)(-1); if (pthread_join(async->tid, &ret)) error("pthread_join failed"); + invalidate_lstat_cache(); return (int)(intptr_t)ret; + #endif } diff --git a/t/t0021-conversion.sh b/t/t0021-conversion.sh index 8ff917fca6..a714d376a3 100755 --- a/t/t0021-conversion.sh +++ b/t/t0021-conversion.sh @@ -862,4 +862,40 @@ do ' done +test_expect_success PERL,SYMLINKS,CASE_INSENSITIVE_FS \ +"delayed checkout with submodule collision don't write to the wrong place" ' + git init collision-with-submodule && + ( + cd collision-with-submodule && + git config filter.delay.process "\"$TEST_ROOT/rot13-filter.pl\" --always-delay delayed.log clean smudge delay" && + git config filter.delay.required true && + + # We need Git to treat the submodule "a" and the + # leading dir "A" as different paths in the index. + git config --local core.ignoreCase false && + + empty_oid=$(printf "" | git hash-object -w --stdin) && + attr_oid=$(echo "A/B/y filter=delay" | git hash-object -w --stdin) && + cat >objs <<-EOF && + 100644 blob $empty_oid A/B/x + 100644 blob $empty_oid A/B/y + 100644 blob $attr_oid .gitattributes + EOF + git update-index --index-info objs && + git -C a update-index --index-info