skip to content
Back to
Home Bounties Research Advisories Get Involved Events
November 3, 2022

GHSL-2022-035: Integer Overflow in git shell - CVE-2022-39260

Kevin Backhouse

Coordinated Disclosure Timeline


It is possible to trigger an integer overflow in split_cmdline, leading to out-of-bounds reads and writes. The vulnerability can be triggered remotely on a git server that is configured to allow ssh access using git-shell.

About git-shell

This is a brief overview of git-shell. If you are already familiar with git-shell then you can skip this section.

git-shell is a restricted login shell used to enable ssh access on a git server, which you can set up following these instructions. The server has a user account named git, with an entry in /etc/passwd that looks like this:


Notice that the login shell is /usr/bin/git-shell, rather than /bin/bash. This is what the shell looks like when I ssh into the git account:

$ ssh git@myserver
Last login: Fri Jun 10 21:54:30 2022 from
Run 'help' for help, or 'exit' to leave.  Available commands:

git-shell only permits a limited set of commands, so it enables users to run git operations such as fetch and push, but prevents them from running arbitrary commands as the git user. The vulnerability described here could potentially be exploited to run arbitrary commands as the git user.



Tested Version



Issue: integer overflow in split_cmdline (GHSL-2022-035)

split_cmdline is used to parse commands typed into git-shell. Under normal usage, these commands are short hand-typed strings such as “list”, but it is possible to send a command string longer than 2GB over an ssh connection. The code in split_cmdline uses the int type to index the string, which means that a sufficiently long string can trigger an integer overflow:

int split_cmdline(char *cmdline, const char ***argv)
	int src, dst, count = 0, size = 16;    <===== these variables can overflow
	char quoted = 0;

	ALLOC_ARRAY(*argv, size);

	/* split alias_string */
	(*argv)[count++] = cmdline;
	for (src = dst = 0; cmdline[src];) {
		char c = cmdline[src];

If the string is longer than 2GB then src and dst can overflow and become negative, leading to out-of-bounds reads and writes of the cmdline array.

Note that it is also possible to overflow count and size, but it takes much longer and consumes a lot more memory because it involves growing the argv array.

The attached poc triggers the integer overflow. Run it like this:

gcc split_cmdline_poc.c -o split_cmdline_poc
./split_cmdline_poc poc.txt
cat poc.txt | ssh git@myserver


This vulnerability could potentially enable an attacker to run arbitrary commands as the git user on the git server. The vulnerability can only be exploited by an attacker who already has access to the git server, i.e. they have permission to perform git operations such as pushing and fetching commits. This vulnerability is unlikely to affect large-scale git servers, such as those run by GitHub, as they are unlikely to use git-shell for ssh access.



This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).


You can contact the GHSL team at, please include a reference to GHSL-2022-035 in any communication regarding this issue.