Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 3 May 2008 15:58:36 GMT
From:      Coleman Kane <cokane@FreeBSD.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/123369: devel/git crashes with use-after-free in git-fetch
Message-ID:  <200805031558.m43Fwaqo008844@freefall.freebsd.org>
Resent-Message-ID: <200805031600.m43G07Wa008989@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         123369
>Category:       ports
>Synopsis:       devel/git crashes with use-after-free in git-fetch
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 03 16:00:07 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Coleman Kane
>Release:        FreeBSD 8.0-CURRENT amd64
>Organization:
FreeBSD
>Environment:
FreeBSD erwin 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Mon Apr 28 20:01:08 EDT
2008     root@erwin:/usr/obj/usr/src/sys/ERWIN  amd64
>Description:
	When using git-fetch (or via git-pull), the program git-fetch crashes
with a Bus Error. I tracked it down to the following GDB trace:

(gdb) bt
#0  0x0000000800e65103 in malloc_usable_size () from /lib/libc.so.7
#1  0x0000000800e65727 in free () from /lib/libc.so.7
#2  0x00000000004adff3 in transport_unlock_pack (transport=0x70f080)
    at transport.c:811
#3  0x00000000004241ac in unlock_pack () at builtin-fetch.c:56
#4  0x0000000800eb65a9 in __cxa_finalize () from /lib/libc.so.7
#5  0x0000000800e69567 in exit () from /lib/libc.so.7
#6  0x0000000000404bf4 in handle_internal_command (argc=2,
argv=0x7fffffffe5b8)
    at git.c:379
#7  0x0000000000404cb9 in main (argc=2, argv=0x7fffffffe5b8) at git.c:414

It seems that transport_unlock_pack is trying to re-free the argument being
passed to free().

>How-To-Repeat:
   1) Install the latest devel/git.
   2) Try using git-fetch or git-pull to update a git.
>Fix:
   The fix has already hit the git tree (but was not in 1.5.5.1):
http://repo.or.cz/w/git.git?a=commit;h=7b7f39eae6ab0bbcc68d3c42a5b23595880e528f

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200805031558.m43Fwaqo008844>