fix(sha256): thread-safety bug in builtin SHA-256 by weihanglo · Pull Request #7266 · libgit2/libgit2

weihanglo · 2026-05-16T08:51:27Z

The implementation here seems to be sort of a copy from the reference impl in RFC 6234 2.
When multiple threads hash concurrently,
they race on this shared static variable.
It then corrupts the length-overflow detection,
and produces incorrect SHA-256 digests.

Here we replace it with a static function with a local variable.

The bug only affects the GIT_SHA256_BUILTIN backend. The SHA-1 code path uses sha1dc which does not have this issue.

Reproducer:

#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <pthread.h>
#include <git2.h>

#define NUM_THREADS 8
#define ITERATIONS 100000

static volatile int found_bug = 0;

void *hash_thread(void *arg) {
    int id = *(int *)arg;
    const char *data = "hello world\n";
    size_t len = strlen(data);

    git_object_id_options opts = GIT_OBJECT_ID_OPTIONS_INIT;
    opts.object_type = GIT_OBJECT_BLOB;
    opts.oid_type = GIT_OID_SHA256;

    git_oid reference, result;
    git_object_id_from_buffer(&reference, data, len, &opts);

    for (int i = 0; i < ITERATIONS && !found_bug; i++) {
        git_object_id_from_buffer(&result, data, len, &opts);
        if (!git_oid_equal(&reference, &result)) {
            found_bug = 1;
            printf("BUG: thread %d, iteration %d\n", id, i);
            break;
        }
    }
    return NULL;
}

int main(void) {
    git_libgit2_init();
    pthread_t threads[NUM_THREADS];
    int ids[NUM_THREADS];
    for (int i = 0; i < NUM_THREADS; i++) {
        ids[i] = i;
        pthread_create(&threads[i], NULL, hash_thread, &ids[i]);
    }
    for (int i = 0; i < NUM_THREADS; i++)
        pthread_join(threads[i], NULL);
    if (!found_bug)
        printf("No bug triggered\n");
    git_libgit2_shutdown();
    return found_bug ? 1 : 0;
}

Build and run (from libgit2 repo root):

mkdir build && cd build
cmake .. -DEXPERIMENTAL_SHA256=ON -DUSE_SHA256=Builtin \
  -DUSE_HTTPS=OFF -DUSE_SSH=OFF -DUSE_NTLMCLIENT=OFF \
  -DBUILD_SHARED_LIBS=OFF -DCMAKE_BUILD_TYPE=Debug
make libgit2package
cd ..
cc -O0 -pthread -DGIT_EXPERIMENTAL_SHA256=1 \
  -I include -o repro repro.c \
  build/libgit2-experimental.a -lz -lpcre2-8
./repro

See rust-lang/git2-rs#1255 for more.

The implementation here seems to be sort of a copy from the reference impl in RFC 6234 [2]. When multiple threads hash concurrently, they race on this shared static variable. It then corrupts the length-overflow detection, and produces incorrect SHA-256 digests. Here we replace it with a `static` function with a local variable. The bug only affects the `GIT_SHA256_BUILTIN` backend. The SHA-1 code path uses `sha1dc` which does not have this issue. Reproducer: ```c #include <stddef.h> #include <stdio.h> #include <string.h> #include <pthread.h> #include <git2.h> #define NUM_THREADS 8 #define ITERATIONS 100000 static volatile int found_bug = 0; void *hash_thread(void *arg) { int id = *(int *)arg; const char *data = "hello world\n"; size_t len = strlen(data); git_object_id_options opts = GIT_OBJECT_ID_OPTIONS_INIT; opts.object_type = GIT_OBJECT_BLOB; opts.oid_type = GIT_OID_SHA256; git_oid reference, result; git_object_id_from_buffer(&reference, data, len, &opts); for (int i = 0; i < ITERATIONS && !found_bug; i++) { git_object_id_from_buffer(&result, data, len, &opts); if (!git_oid_equal(&reference, &result)) { found_bug = 1; printf("BUG: thread %d, iteration %d\n", id, i); break; } } return NULL; } int main(void) { git_libgit2_init(); pthread_t threads[NUM_THREADS]; int ids[NUM_THREADS]; for (int i = 0; i < NUM_THREADS; i++) { ids[i] = i; pthread_create(&threads[i], NULL, hash_thread, &ids[i]); } for (int i = 0; i < NUM_THREADS; i++) pthread_join(threads[i], NULL); if (!found_bug) printf("No bug triggered\n"); git_libgit2_shutdown(); return found_bug ? 1 : 0; } ``` Build and run (from libgit2 repo root): ```sh mkdir build && cd build cmake .. -DEXPERIMENTAL_SHA256=ON -DUSE_SHA256=Builtin \ -DUSE_HTTPS=OFF -DUSE_SSH=OFF -DUSE_NTLMCLIENT=OFF \ -DBUILD_SHARED_LIBS=OFF -DCMAKE_BUILD_TYPE=Debug make libgit2package cd .. cc -O0 -pthread -DGIT_EXPERIMENTAL_SHA256=1 \ -I include -o repro repro.c \ build/libgit2-experimental.a -lz -lpcre2-8 ./repro ``` See <rust-lang/git2-rs#1255> for more. [1]: https://github.com/libgit2/libgit2/blob/1affb8b19/src/util/hash/rfc6234/sha224-256.c#L86-L91 [2]: https://www.rfc-editor.org/rfc/rfc6234#section-8.2.2

ethomson · 2026-05-16T09:47:42Z

Woof, good catch. Thanks for the fix.

weihanglo · 2026-05-16T11:14:13Z

Thanks for the swift review!

weihanglo mentioned this pull request May 16, 2026

Upstream libgit2 builtin sha256 may have race condition rust-lang/git2-rs#1255

Open

ethomson approved these changes May 16, 2026

View reviewed changes

ethomson merged commit bc1ab28 into libgit2:main May 16, 2026
22 checks passed

Ari4ka approved these changes May 16, 2026

View reviewed changes

weihanglo deleted the fix branch May 16, 2026 10:12

Copilot AI mentioned this pull request May 17, 2026

backports for v1.9.4 #7270

Merged

weihanglo mentioned this pull request May 18, 2026

Support SHA256 Git repositories rust-lang/cargo#14942

Open

ethomson added the v1.9.4 label May 20, 2026

BrewTestBot mentioned this pull request May 22, 2026

libgit2 1.9.4 Homebrew/homebrew-core#284243

Merged

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(sha256): thread-safety bug in builtin SHA-256#7266

fix(sha256): thread-safety bug in builtin SHA-256#7266
ethomson merged 1 commit into
libgit2:mainfrom
weihanglo:fix

weihanglo commented May 16, 2026

Uh oh!

ethomson commented May 16, 2026

Uh oh!

Uh oh!

weihanglo commented May 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

weihanglo commented May 16, 2026

Uh oh!

ethomson commented May 16, 2026

Uh oh!

Uh oh!

weihanglo commented May 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants