git-annex-shell, remotedaemon, git remote: Fix some memory DOS attacks.

The attacker could just send a very lot of data, with no \n and it would
all be buffered in memory until the kernel killed git-annex or perhaps OOM
killed some other more valuable process.

This is a low impact security hole, only affecting communication between
local git-annex and git-annex-shell on the remote system. (With either
able to be the attacker). Only those with the right ssh key can do it. And,
there are probably lots of ways to construct git repositories that make git
use a lot of memory in various ways, which would have similar impact as
this attack.

The fix in P2P/IO.hs would have been higher impact, if it had made it to a
released version, since it would have allowed DOSing the tor hidden
service without needing to authenticate.

(The LockContent and NotifyChanges instances may not be really
exploitable; since the line is read and ignored, it probably gets read
lazily and does not end up staying buffered in memory.)
This commit is contained in:
Joey Hess 2016-12-09 13:34:00 -04:00
parent 3d759a0322
commit 15be5c04a6
No known key found for this signature in database
GPG key ID: C910D9222512E3C7
8 changed files with 49 additions and 19 deletions

View file

@ -45,6 +45,7 @@ import Utility.CopyFile
#endif
import Utility.Env
import Utility.Batch
import Utility.SimpleProtocol
import Remote.Helper.Git
import Remote.Helper.Messages
import qualified Remote.Helper.Ssh as Ssh
@ -390,7 +391,7 @@ lockKey r key callback
, std_out = CreatePipe
, std_err = UseHandle nullh
}
v <- liftIO $ tryIO $ hGetLine hout
v <- liftIO $ tryIO $ getProtocolLine hout
let signaldone = void $ tryNonAsync $ liftIO $ mapM_ tryNonAsync
[ hPutStrLn hout ""
, hFlush hout
@ -408,7 +409,7 @@ lockKey r key callback
void $ waitForProcess p
failedlock
Right l
| l == Ssh.contentLockedMarker -> bracket_
| l == Just Ssh.contentLockedMarker -> bracket_
noop
signaldone
(withVerifiedCopy LockedCopy r checkexited callback)