Date: Sat, 3 May 2008 15:58:36 GMT
From: Coleman Kane <cokane@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/123369: devel/git crashes with use-after-free in git-fetch
Message-ID: <200805031558.m43Fwaqo008844@freefall.freebsd.org>
Resent-Message-ID: <200805031600.m43G07Wa008989@freefall.freebsd.org>

>Number: 123369
>Category: ports
>Synopsis: devel/git crashes with use-after-free in git-fetch
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat May 03 16:00:07 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Coleman Kane
>Release: FreeBSD 8.0-CURRENT amd64
>Organization:
FreeBSD
>Environment:
FreeBSD erwin 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Mon Apr 28 20:01:08 EDT 2008 root@erwin:/usr/obj/usr/src/sys/ERWIN amd64
>Description:
When using git-fetch (or via git-pull), the program git-fetch crashes with a Bus Error. I tracked it down to the following GDB trace:

(gdb) bt
#0  0x0000000800e65103 in malloc_usable_size () from /lib/libc.so.7
#1  0x0000000800e65727 in free () from /lib/libc.so.7
#2  0x00000000004adff3 in transport_unlock_pack (transport=0x70f080) at transport.c:811
#3  0x00000000004241ac in unlock_pack () at builtin-fetch.c:56
#4  0x0000000800eb65a9 in __cxa_finalize () from /lib/libc.so.7
#5  0x0000000800e69567 in exit () from /lib/libc.so.7
#6  0x0000000000404bf4 in handle_internal_command (argc=2, argv=0x7fffffffe5b8) at git.c:379
#7  0x0000000000404cb9 in main (argc=2, argv=0x7fffffffe5b8) at git.c:414

It seems that transport_unlock_pack is trying to re-free the argument being passed to free().
>How-To-Repeat:
1) Install the latest devel/git.
2) Try using git-fetch or git-pull to update a git.
>Fix:
The fix has already hit the git tree (but was not in 1.5.5.1):
http://repo.or.cz/w/git.git?a=commit;h=7b7f39eae6ab0bbcc68d3c42a5b23595880e528f
>Release-Note:
>Audit-Trail:
>Unformatted:
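
The backtrace above reaches free() from an exit-time handler (exit, __cxa_finalize, unlock_pack, transport_unlock_pack). The C sketch below is an added example, not git's source and not the upstream fix: it shows one defensive pattern for that shape of bug, where normal teardown clears the pointer the handler uses and the release routine is idempotent. All names (xfer, xfer_unlock, xfer_disconnect, unlock_at_exit, run_lifecycle) and the lockfile string are hypothetical.

```c
/* Added illustration; every name here is hypothetical, not git's source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct xfer { char *pack_lockfile; };  /* stand-in for a transport object */
static struct xfer *active;  /* object the exit handler will look at */
static int releases;         /* number of real free() calls on the lockfile */

/* Idempotent: free the lockfile once, then clear the pointer. */
static void xfer_unlock(struct xfer *x)
{
    if (!x || !x->pack_lockfile)
        return;
    free(x->pack_lockfile);
    x->pack_lockfile = NULL;  /* a repeated call becomes a no-op */
    releases++;
}

/* Meant for atexit(); exit() would reach it through __cxa_finalize. */
static void unlock_at_exit(void) { xfer_unlock(active); }

/* Teardown clears `active` first so the exit handler sees no stale pointer. */
static void xfer_disconnect(struct xfer *x)
{
    if (active == x)
        active = NULL;
    xfer_unlock(x);
    free(x);
}

/* Fetch-like lifecycle; returns how often the lockfile was really freed. */
int run_lifecycle(void)
{
    releases = 0;
    active = calloc(1, sizeof(*active));
    if (!active || !(active->pack_lockfile = malloc(32)))
        return -1;
    strcpy(active->pack_lockfile, "constructed-pack.keep");
    xfer_disconnect(active);  /* regular cleanup path */
    unlock_at_exit();         /* what exit() triggers afterwards */
    return releases;
}

int main(void)
{
    atexit(unlock_at_exit);
    printf("lockfile freed %d time(s)\n", run_lifecycle());
    return 0;
}
```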