On Tue, Apr 29, 2025, at 23:51, Jeff King wrote:
> On Tue, Apr 29, 2025 at 09:40:13PM +0200, Kristoffer Haugsbakk wrote:
>
>> On Tue, Apr 29, 2025, at 11:22, Phillip Wood wrote:
>>
>> #0 run_git_commit (defmsg=0x555555babe70 "<repo path>/MERGE_MSG", opts=0x7fffffffc070, flags=0) at sequencer.c:1158
>> >
>> > Thanks for the backtrace. It would be useful to know what's stored in
>> > opts->ctx->reflog_message at this point if it's not too much trouble
>> > please can you run "print *opts" and "print *opts->ctx" here.
>>
>> Today I ran on f65182a99e5 (The ninth batch, 2025-04-24) at
>> sequencer.c:1148. I was never able to reproduce this
>> `opts->ctx->reflog_message` having a weird value with GDB today. The
>> reflog was also fine.
>>
>> Then I ran without GDB and I got the weird reflog that I expected.
>
> Have you tried building with "make SANITIZE=address,undefined"?

No I haven’t. Thank you.

The following is with that `make`. Still on f65182a99e5 (The ninth batch,
2025-04-24). I eventually[1] got this:

[1] I run through 19 merge conflicts which I `--continue` (using rerere)
until the rebase is done

```
[detached HEAD 5d96584c836] Merge branch '<branch>' into <something else>
 Author: [author]
=================================================================
==87324==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300001daa0 at pc 0x79371ca5df89 bp 0x7fff8e215a50 sp 0x7fff8e2151c8
READ of size 2 at 0x60300001daa0 thread T0
    #0 0x79371ca5df88 in printf_common ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:553
    #1 0x79371ca5fbd5 in __interceptor_vsnprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1668
    #2 0x5702aa6bd851 in strbuf_vaddf /home/kristoffer/programming/git/strbuf.c:415
    #3 0x5702aa6d2384 in strvec_pushf /home/kristoffer/programming/git/strvec.c:35
    #4 0x5702aa629087 in run_git_commit /home/kristoffer/programming/git/sequencer.c:1148
    #5 0x5702aa64c652 in do_merge /home/kristoffer/programming/git/sequencer.c:4363
    #6 0x5702aa655714 in pick_commits /home/kristoffer/programming/git/sequencer.c:5029
    #7 0x5702aa659a68 in sequencer_continue /home/kristoffer/programming/git/sequencer.c:5461
    #8 0x5702a9d0f5ce in run_sequencer_rebase builtin/rebase.c:370
    #9 0x5702a9d14cd9 in run_specific_rebase builtin/rebase.c:747
    #10 0x5702a9d23798 in cmd_rebase builtin/rebase.c:1887
    #11 0x5702a9a3c26c in run_builtin /home/kristoffer/programming/git/git.c:480
    #12 0x5702a9a3d3d5 in handle_builtin /home/kristoffer/programming/git/git.c:744
    #13 0x5702a9a3dc2c in run_argv /home/kristoffer/programming/git/git.c:811
    #14 0x5702a9a3f17c in cmd_main /home/kristoffer/programming/git/git.c:951
    #15 0x5702a9e77aa3 in main /home/kristoffer/programming/git/common-main.c:9
    #16 0x79371be29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #17 0x79371be29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #18 0x5702a9a35384 in _start (/home/kristoffer/programming/git/git+0x12a0384)

0x60300001daa0 is located 0 bytes inside of 24-byte region [0x60300001daa0,0x60300001dab8)
freed by thread T0 here:
    #0 0x79371cab4c38 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
    #1 0x5702aa7ecdca in xrealloc /home/kristoffer/programming/git/wrapper.c:140
    #2 0x5702aa6b83b7 in strbuf_grow /home/kristoffer/programming/git/strbuf.c:114
    #3 0x5702aa6bd8ca in strbuf_vaddf /home/kristoffer/programming/git/strbuf.c:420
    #4 0x5702aa6476dc in reflog_message /home/kristoffer/programming/git/sequencer.c:3948
    #5 0x5702aa648e42 in do_reset /home/kristoffer/programming/git/sequencer.c:4059
    #6 0x5702aa65545e in pick_commits /home/kristoffer/programming/git/sequencer.c:5026
    #7 0x5702aa659a68 in sequencer_continue /home/kristoffer/programming/git/sequencer.c:5461
    #8 0x5702a9d0f5ce in run_sequencer_rebase builtin/rebase.c:370
    #9 0x5702a9d14cd9 in run_specific_rebase builtin/rebase.c:747
    #10 0x5702a9d23798 in cmd_rebase builtin/rebase.c:1887
    #11 0x5702a9a3c26c in run_builtin /home/kristoffer/programming/git/git.c:480
    #12 0x5702a9a3d3d5 in handle_builtin /home/kristoffer/programming/git/git.c:744
    #13 0x5702a9a3dc2c in run_argv /home/kristoffer/programming/git/git.c:811
    #14 0x5702a9a3f17c in cmd_main /home/kristoffer/programming/git/git.c:951
    #15 0x5702a9e77aa3 in main /home/kristoffer/programming/git/common-main.c:9
    #16 0x79371be29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x79371cab4c38 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
    #1 0x5702aa7ecdca in xrealloc /home/kristoffer/programming/git/wrapper.c:140
    #2 0x5702aa6b83b7 in strbuf_grow /home/kristoffer/programming/git/strbuf.c:114
    #3 0x5702aa6bbeae in strbuf_add /home/kristoffer/programming/git/strbuf.c:313
    #4 0x5702aa61da33 in strbuf_addstr /home/kristoffer/programming/git/strbuf.h:310
    #5 0x5702aa64766a in reflog_message /home/kristoffer/programming/git/sequencer.c:3943
    #6 0x5702aa659637 in sequencer_continue /home/kristoffer/programming/git/sequencer.c:5426
    #7 0x5702a9d0f5ce in run_sequencer_rebase builtin/rebase.c:370
    #8 0x5702a9d14cd9 in run_specific_rebase builtin/rebase.c:747
    #9 0x5702a9d23798 in cmd_rebase builtin/rebase.c:1887
    #10 0x5702a9a3c26c in run_builtin /home/kristoffer/programming/git/git.c:480
    #11 0x5702a9a3d3d5 in handle_builtin /home/kristoffer/programming/git/git.c:744
    #12 0x5702a9a3dc2c in run_argv /home/kristoffer/programming/git/git.c:811
    #13 0x5702a9a3f17c in cmd_main /home/kristoffer/programming/git/git.c:951
    #14 0x5702a9e77aa3 in main /home/kristoffer/programming/git/common-main.c:9
    #15 0x79371be29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:553 in printf_common
Shadow bytes around the buggy address:
  0x0c067fffbb00: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
  0x0c067fffbb10: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fffbb20: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffbb30: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffbb40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
=>0x0c067fffbb50: fd fa fa fa[fd]fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fffbb60: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fffbb70: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffbb80: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fffbb90: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c067fffbba0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==87324==ABORTING
```

> This is a wild guess, but since ctx->reflog_message is pointing to a
> static strbuf, it could be a use after free if the strbuf is reallocated
> due to another call to reflog_message(), but we are still holding the
> old pointer via ctx->reflog_message.
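As an added illustration of the mechanism Jeff describes (not code from this thread or from git): a toy static growing buffer, a `reflog_msg()` stand-in for sequencer.c's `reflog_message()`, and the borrowed-pointer caller pattern beside the owned-copy fix; the struct and all names are assumptions. It also shows the milder symptom from earlier in the thread (a stale pointer that reads the wrong message without a realloc), which is why GDB runs could look fine while ASan flags the realloc case.

```c
/* Added example (not from the thread or git): toy static growing buffer that
 * mimics the reflog_message() hazard. Struct and all names are assumptions. */
#include <stdlib.h>
#include <string.h>

struct buf { char *ptr; size_t len, alloc; };

/* Append; realloc may move ptr, which is what turns a pointer kept into the
 * old storage into the heap-use-after-free ASan reported. */
static void buf_addstr(struct buf *b, const char *s)
{
	size_t n = strlen(s);
	if (b->len + n + 1 > b->alloc) {
		b->alloc = (b->len + n + 1) * 2;
		if (!(b->ptr = realloc(b->ptr, b->alloc))) abort();
	}
	memcpy(b->ptr + b->len, s, n + 1);
	b->len += n;
}

/* Returns a pointer INTO static storage, like reflog_message() does. */
const char *reflog_msg(const char *action, const char *subject)
{
	static struct buf msg;
	msg.len = 0;              /* storage is reused; old text is overwritten */
	buf_addstr(&msg, "rebase (");
	buf_addstr(&msg, action);
	buf_addstr(&msg, "): ");
	buf_addstr(&msg, subject);
	return msg.ptr;
}

/* Bug pattern: the caller keeps the borrowed pointer across a second call. A
 * same-size second message needs no realloc, so the stale pointer now reads
 * the LATER message (the "weird reflog"); a longer one would realloc: UAF. */
const char *demo_unsafe_overwritten(void)
{
	const char *ctx_reflog_message = reflog_msg("continue", "first message");
	reflog_msg("finish", "second message");
	return ctx_reflog_message;          /* "rebase (finish): second message" */
}

/* Fix pattern: the caller owns a copy, so later calls cannot disturb it. */
char *demo_safe_keeps_first(void)
{
	const char *tmp = reflog_msg("continue", "first message");
	char *ctx_reflog_message = malloc(strlen(tmp) + 1);
	if (!ctx_reflog_message) abort();
	strcpy(ctx_reflog_message, tmp);
	reflog_msg("finish", "second message");
	return ctx_reflog_message;  /* caller frees; "rebase (continue): first message" */
}
```

Building the same toy with `make SANITIZE=address`-style flags (`-fsanitize=address`) and passing a much longer second subject to `demo_unsafe_overwritten()` turns the silent wrong-message read into an ASan heap-use-after-free report shaped like the one above.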