2021-02-18 15:07:24 +01:00
|
|
|
#ifndef CHUNK_FORMAT_H
|
|
|
|
|
#define CHUNK_FORMAT_H
|
|
|
|
|
|
2023-04-22 22:17:20 +02:00
|
|
|
#include "hash-ll.h"
|
2021-02-18 15:07:24 +01:00
|
|
|
|
|
|
|
|
struct hashfile;
|
|
|
|
|
struct chunkfile;
|
|
|
|
|
|
|
|
|
|
#define CHUNK_TOC_ENTRY_SIZE (sizeof(uint32_t) + sizeof(uint64_t))
|
|
|
|
|
|
2021-02-18 15:07:34 +01:00
|
|
|
/*
|
|
|
|
|
* Initialize a 'struct chunkfile' for writing _or_ reading a file
|
|
|
|
|
* with the chunk format.
|
|
|
|
|
*
|
|
|
|
|
* If writing a file, supply a non-NULL 'struct hashfile *' that will
|
|
|
|
|
* be used to write.
|
|
|
|
|
*
|
|
|
|
|
* If reading a file, use a NULL 'struct hashfile *' and then call
|
|
|
|
|
* read_table_of_contents(). Supply the memory-mapped data to the
|
|
|
|
|
* pair_chunk() or read_chunk() methods, as appropriate.
|
|
|
|
|
*
|
|
|
|
|
* DO NOT MIX THESE MODES. Use different 'struct chunkfile' instances
|
|
|
|
|
* for reading and writing.
|
|
|
|
|
*/
|
2021-02-18 15:07:24 +01:00
|
|
|
struct chunkfile *init_chunkfile(struct hashfile *f);
|
|
|
|
|
void free_chunkfile(struct chunkfile *cf);
|
|
|
|
|
int get_num_chunks(struct chunkfile *cf);
|
|
|
|
|
typedef int (*chunk_write_fn)(struct hashfile *f, void *data);
|
|
|
|
|
void add_chunk(struct chunkfile *cf,
|
|
|
|
|
uint32_t id,
|
|
|
|
|
size_t size,
|
|
|
|
|
chunk_write_fn fn);
|
|
|
|
|
int write_chunkfile(struct chunkfile *cf, void *data);
|
|
|
|
|
|
2021-02-18 15:07:34 +01:00
|
|
|
int read_table_of_contents(struct chunkfile *cf,
|
|
|
|
|
const unsigned char *mfile,
|
|
|
|
|
size_t mfile_size,
|
|
|
|
|
uint64_t toc_offset,
|
midx: enforce chunk alignment on reading
The midx reader assumes chunks are aligned to a 4-byte boundary: we
treat the fanout chunk as an array of uint32_t, indexing it to feed the
results to ntohl(). Without aligning the chunks, we may violate the
CPU's alignment constraints. Though many platforms allow this, some do
not. And certanily UBSan will complain, since it is undefined behavior.
Even though most chunks are naturally 4-byte-aligned (because they are
storing uint32_t or larger types), PNAM is not. It stores NUL-terminated
pack names, so you can have a valid chunk with any length. The writing
side handles this by 4-byte-aligning the chunk, introducing a few extra
NULs as necessary. But since we don't check this on the reading side, we
may end up with a misaligned fanout and trigger the undefined behavior.
We have two options here:
1. Swap out ntohl(fanout[i]) for get_be32(fanout+i) everywhere. The
latter handles alignment itself. It's possible that it's slightly
slower (though in practice I'm not sure how true that is,
especially for these code paths which then go on to do a binary
search).
2. Enforce the alignment when reading the chunks. This is easy to do,
since the table-of-contents reader can check it in one spot.
I went with the second option here, just because it places less burden
on maintenance going forward (it is OK to continue using ntohl), and we
know it can't have any performance impact on the actual reads.
The commit-graph code uses the same chunk API. It's usually also 4-byte
aligned, but some chunks are not (like Bloom filter BDAT chunks). So
we'll pass "1" here to allow any alignment. It doesn't suffer from the
same problem as midx with its fanout because the fanout chunk is always
the first (and the rest of the format dictates that the first chunk will
start aligned).
The new test shows the effect on a midx with a misaligned PNAM chunk.
Note that the midx-reading code treats chunk-toc errors as soft, falling
back to the non-midx path rather than calling die(), as we do for other
parsing errors. Arguably we should make all of these behave the same,
but that's out of scope for this patch. For now the test just expects
the fallback behavior.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-10-09 23:05:23 +02:00
|
|
|
int toc_length,
|
|
|
|
|
unsigned expected_alignment);
|
2021-02-18 15:07:34 +01:00
|
|
|
|
|
|
|
|
#define CHUNK_NOT_FOUND (-2)
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Find 'chunk_id' in the given chunkfile and assign the
|
|
|
|
|
* given pointer to the position in the mmap'd file where
|
chunk-format: note that pair_chunk() is unsafe
The pair_chunk() function is provided as an easy helper for parsing
chunks that just want a pointer to a set of bytes. But every caller has
a hidden bug: because we return only the pointer without the matching
chunk size, the callers have no clue how many bytes they are allowed to
look at. And as a result, they may read off the end of the mmap'd data
when the on-disk file does not match their expectations.
Since chunk files are typically used for local-repository data like
commit-graph files and midx's, the security implications here are pretty
mild. The worst that can happen is that you hand somebody a corrupted
repository tarball, and running Git on it does an out-of-bounds read and
crashes. So it's worth being more defensive, but we don't need to drop
everything and fix every caller immediately.
I noticed the problem because the pair_chunk_fn() callback does not look
at its chunk_size argument, and wanted to annotate it to silence
-Wunused-parameter. We could do that now, but we'd lose the hint that
this code should be audited and fixed.
So instead, let's set ourselves up for going down that path:
1. Provide a pair_chunk() function that does return the size, which
prepares us for fixing these cases.
2. Rename the existing function to pair_chunk_unsafe(). That gives us
an easy way to grep for cases which still need to be fixed, and the
name should cause anybody adding new calls to think twice before
using it.
There are no callers of the "safe" version yet, but we'll add some in
subsequent patches.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-10-09 22:58:23 +02:00
|
|
|
* that chunk begins. Likewise the "size" parameter is filled
|
|
|
|
|
* with the size of the chunk.
|
2021-02-18 15:07:34 +01:00
|
|
|
*
|
|
|
|
|
* Returns CHUNK_NOT_FOUND if the chunk does not exist.
|
|
|
|
|
*/
|
|
|
|
|
int pair_chunk(struct chunkfile *cf,
|
|
|
|
|
uint32_t chunk_id,
|
chunk-format: note that pair_chunk() is unsafe
The pair_chunk() function is provided as an easy helper for parsing
chunks that just want a pointer to a set of bytes. But every caller has
a hidden bug: because we return only the pointer without the matching
chunk size, the callers have no clue how many bytes they are allowed to
look at. And as a result, they may read off the end of the mmap'd data
when the on-disk file does not match their expectations.
Since chunk files are typically used for local-repository data like
commit-graph files and midx's, the security implications here are pretty
mild. The worst that can happen is that you hand somebody a corrupted
repository tarball, and running Git on it does an out-of-bounds read and
crashes. So it's worth being more defensive, but we don't need to drop
everything and fix every caller immediately.
I noticed the problem because the pair_chunk_fn() callback does not look
at its chunk_size argument, and wanted to annotate it to silence
-Wunused-parameter. We could do that now, but we'd lose the hint that
this code should be audited and fixed.
So instead, let's set ourselves up for going down that path:
1. Provide a pair_chunk() function that does return the size, which
prepares us for fixing these cases.
2. Rename the existing function to pair_chunk_unsafe(). That gives us
an easy way to grep for cases which still need to be fixed, and the
name should cause anybody adding new calls to think twice before
using it.
There are no callers of the "safe" version yet, but we'll add some in
subsequent patches.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-10-09 22:58:23 +02:00
|
|
|
const unsigned char **p,
|
|
|
|
|
size_t *size);
|
|
|
|
|
|
2021-02-18 15:07:34 +01:00
|
|
|
typedef int (*chunk_read_fn)(const unsigned char *chunk_start,
|
|
|
|
|
size_t chunk_size, void *data);
|
|
|
|
|
/*
|
|
|
|
|
* Find 'chunk_id' in the given chunkfile and call the
|
|
|
|
|
* given chunk_read_fn method with the information for
|
|
|
|
|
* that chunk.
|
|
|
|
|
*
|
|
|
|
|
* Returns CHUNK_NOT_FOUND if the chunk does not exist.
|
|
|
|
|
*/
|
|
|
|
|
int read_chunk(struct chunkfile *cf,
|
|
|
|
|
uint32_t chunk_id,
|
|
|
|
|
chunk_read_fn fn,
|
|
|
|
|
void *data);
|
|
|
|
|
|
2022-05-21 01:17:41 +02:00
|
|
|
uint8_t oid_version(const struct git_hash_algo *algop);
|
|
|
|
|
|
2021-02-18 15:07:24 +01:00
|
|
|
#endif
|
