2022-03-01 19:48:30 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
test_description='commit graph with 64-bit timestamps'
|
2023-10-03 20:31:11 +00:00
|
|
|
|
|
|
|
TEST_PASSES_SANITIZE_LEAK=true
|
2022-03-01 19:48:30 +00:00
|
|
|
. ./test-lib.sh
|
|
|
|
|
|
|
|
if ! test_have_prereq TIME_IS_64BIT || ! test_have_prereq TIME_T_IS_64BIT
|
|
|
|
then
|
|
|
|
skip_all='skipping 64-bit timestamp tests'
|
|
|
|
test_done
|
|
|
|
fi
|
|
|
|
|
|
|
|
. "$TEST_DIRECTORY"/lib-commit-graph.sh
|
commit-graph: bounds-check generation overflow chunk
If the generation entry in a commit-graph doesn't fit, we instead insert
an offset into a generation overflow chunk. But since we don't record
the size of the chunk, we may read outside the chunk if the offset we
find on disk is malicious or corrupted.
We can't check the size of the chunk up-front; it will vary based on how
many entries need overflow. So instead, we'll do a bounds-check before
accessing the chunk memory. Unfortunately there is no error-return from
this function, so we'll just have to die(), which is what it does for
other forms of corruption.
As with other cases, we can drop the st_mult() call, since we know our
bounds-checked value will fit within a size_t.
Before this patch, the test here actually "works" because we read
garbage data from the next chunk. And since that garbage data happens
not to provide a generation number which changes the output, it appears
to work. We could construct a case that actually segfaults or produces
wrong output, but it would be a bit tricky. For our purposes its
sufficient to check that we've detected the bounds error.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-10-09 21:05:47 +00:00
|
|
|
. "$TEST_DIRECTORY/lib-chunk.sh"
|
2022-03-01 19:48:30 +00:00
|
|
|
|
|
|
|
UNIX_EPOCH_ZERO="@0 +0000"
|
|
|
|
FUTURE_DATE="@4147483646 +0000"
|
|
|
|
|
|
|
|
GIT_TEST_COMMIT_GRAPH_CHANGED_PATHS=0
|
|
|
|
|
|
|
|
test_expect_success 'lower layers have overflow chunk' '
|
|
|
|
rm -f .git/objects/info/commit-graph &&
|
|
|
|
test_commit --date "$FUTURE_DATE" future-1 &&
|
|
|
|
test_commit --date "$UNIX_EPOCH_ZERO" old-1 &&
|
|
|
|
git commit-graph write --reachable &&
|
|
|
|
test_commit --date "$FUTURE_DATE" future-2 &&
|
|
|
|
test_commit --date "$UNIX_EPOCH_ZERO" old-2 &&
|
|
|
|
git commit-graph write --reachable --split=no-merge &&
|
|
|
|
test_commit extra &&
|
|
|
|
git commit-graph write --reachable --split=no-merge &&
|
|
|
|
git commit-graph write --reachable &&
|
|
|
|
graph_read_expect 5 "generation_data generation_data_overflow" &&
|
|
|
|
mv .git/objects/info/commit-graph commit-graph-upgraded &&
|
|
|
|
git commit-graph write --reachable &&
|
|
|
|
graph_read_expect 5 "generation_data generation_data_overflow" &&
|
|
|
|
test_cmp .git/objects/info/commit-graph commit-graph-upgraded
|
|
|
|
'
|
|
|
|
|
|
|
|
graph_git_behavior 'overflow' '' HEAD~2 HEAD
|
|
|
|
|
2022-03-01 19:48:32 +00:00
|
|
|
test_expect_success 'set up and verify repo with generation data overflow chunk' '
|
2023-07-24 16:39:31 +00:00
|
|
|
git init repo &&
|
|
|
|
(
|
|
|
|
cd repo &&
|
|
|
|
test_commit --date "$UNIX_EPOCH_ZERO" 1 &&
|
|
|
|
test_commit 2 &&
|
|
|
|
test_commit --date "$UNIX_EPOCH_ZERO" 3 &&
|
|
|
|
git commit-graph write --reachable &&
|
|
|
|
graph_read_expect 3 generation_data &&
|
|
|
|
test_commit --date "$FUTURE_DATE" 4 &&
|
|
|
|
test_commit 5 &&
|
|
|
|
test_commit --date "$UNIX_EPOCH_ZERO" 6 &&
|
|
|
|
git branch left &&
|
|
|
|
git reset --hard 3 &&
|
|
|
|
test_commit 7 &&
|
|
|
|
test_commit --date "$FUTURE_DATE" 8 &&
|
|
|
|
test_commit 9 &&
|
|
|
|
git branch right &&
|
|
|
|
git reset --hard 3 &&
|
|
|
|
test_merge M left right &&
|
|
|
|
git commit-graph write --reachable &&
|
|
|
|
graph_read_expect 10 "generation_data generation_data_overflow" &&
|
|
|
|
git commit-graph verify
|
|
|
|
)
|
2022-03-01 19:48:32 +00:00
|
|
|
'
|
|
|
|
|
|
|
|
graph_git_behavior 'overflow 2' repo left right
|
|
|
|
|
2023-03-27 08:08:25 +00:00
|
|
|
test_expect_success 'single commit with generation data exceeding UINT32_MAX' '
|
|
|
|
git init repo-uint32-max &&
|
2023-07-24 16:39:31 +00:00
|
|
|
test_commit -C repo-uint32-max --date "@4294967297 +0000" 1 &&
|
|
|
|
git -C repo-uint32-max commit-graph write --reachable &&
|
|
|
|
graph_read_expect -C repo-uint32-max 1 "generation_data" &&
|
|
|
|
git -C repo-uint32-max commit-graph verify
|
2023-03-27 08:08:25 +00:00
|
|
|
'
|
|
|
|
|
commit-graph: bounds-check generation overflow chunk
If the generation entry in a commit-graph doesn't fit, we instead insert
an offset into a generation overflow chunk. But since we don't record
the size of the chunk, we may read outside the chunk if the offset we
find on disk is malicious or corrupted.
We can't check the size of the chunk up-front; it will vary based on how
many entries need overflow. So instead, we'll do a bounds-check before
accessing the chunk memory. Unfortunately there is no error-return from
this function, so we'll just have to die(), which is what it does for
other forms of corruption.
As with other cases, we can drop the st_mult() call, since we know our
bounds-checked value will fit within a size_t.
Before this patch, the test here actually "works" because we read
garbage data from the next chunk. And since that garbage data happens
not to provide a generation number which changes the output, it appears
to work. We could construct a case that actually segfaults or produces
wrong output, but it would be a bit tricky. For our purposes its
sufficient to check that we've detected the bounds error.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-10-09 21:05:47 +00:00
|
|
|
test_expect_success 'reader notices out-of-bounds generation overflow' '
|
|
|
|
graph=.git/objects/info/commit-graph &&
|
|
|
|
test_when_finished "rm -rf $graph" &&
|
|
|
|
git commit-graph write --reachable &&
|
|
|
|
corrupt_chunk_file $graph GDO2 clear &&
|
|
|
|
test_must_fail git log 2>err &&
|
|
|
|
grep "commit-graph overflow generation data is too small" err
|
|
|
|
'
|
|
|
|
|
2022-03-01 19:48:30 +00:00
|
|
|
test_done
|