unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
From: fuomag9 <fuo@fuo.fi>
To: bug-gnu-emacs@gnu.org, emacs-devel@gnu.org
Subject: Re: CVE-2021-36699 report
Date: Mon, 24 Apr 2023 21:27:34 +0000	[thread overview]
Message-ID: <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> (raw)
In-Reply-To: <bcb96279c47143f403f588dc3f020725029137bd.camel@josefsson.org>

[-- Attachment #1: Type: text/plain, Size: 9290 bytes --]

Hi,

This email was forwarded to you as suggested by simon@josefsson.org <mailto:simon@josefsson.org> as I was forwarded to this person when contacting security@gnu.org



Hi,
I’m a security researcher and I’ve searched for a way to contact the emacs security team but I’ve not found any information online, so I’m reporting this issue here.
I’ve discovered a buffer overflow in GNU Emacs 28.0.50 (at the time of writing the exploit still works on GNU Emacs 28.2)
The issue is inside the --dump-file functionality of emacs, in particular dump_make_lv_from_reloc at pdumper.c:5239
Attached to this email there's is payload used to make the vulnerability work (if emacs complains about a signature error you need to replace the hex bytes inside the payload with the expected one, since every emacs binary will expect a different signature).
This issue has been assigned CVE-2021-36699 and thus I’m notifying you of this. (I do not think the emacs team is aware of this security issue)
The POC is simple:
Launch emacs --dump-file exploit, where exploit is a custom crafted emacs dump file
Here's the program execution via GDB
Starting program: /home/fuomag9/emacs-std/src/emacs --dump-file
exploit_p1/3_1.dat
ERROR: Could not find ELF base!
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x000055555567d66e in dump_make_lv_from_reloc (reloc=...,
dump_base=140737341673472) at pdumper.c:5239
5239 && reloc.type < RELOC_DUMP_TO_EMACS_LV)
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────[
REGISTERS ]─────────────────────────────────────────────────────────────────────────────
RAX 0x24
RBX 0x555555b19ed8 (globals+2008) ◂— 0x0
RCX 0x9
RDX 0x7ffff7bcafe0 (deflateParams+320) ◂— mov dword ptr [rdi + rdx*2], eax
RDI 0x8000089de224
RSI 0x7ffff741d000 ◂— 'DUMPEDGNUEMACS'
R8 0x555555b6c8b0 ◂— 0x0
R9 0x555555b6c8b0 ◂— 0x0
R10 0x12
R11 0x7ffff7b2ac00 (main_arena+96) —▸ 0x555555b6c970 ◂— 0x0
R12 0x7ffff7bcafe4 (deflateParams+324) ◂— mov edx, eax
R13 0x7ffff741d000 ◂— 'DUMPEDGNUEMACS'
R14 0x7ffff7d49e78 ◂— add byte ptr [rax], al
R15 0x7ffff751d000 ◂— 0x0
RBP 0x555555b1c2e0 (lispsym) ◂— 0x0
RSP 0x7fffffffdf30 —▸ 0x7fffffffe0c0 ◂— 0x3
RIP 0x55555567d66e (dump_do_all_dump_reloc_for_phase+78) ◂— mov rdx,
qword ptr [rdi]
──────────────────────────────────────────────────────────────────────────────[
DISASM ]──────────────────────────────────────────────────────────────────────────────
► 0x55555567d66e mov rdx, qword ptr [rdi] <0x7ffff7bcafe0>
0x55555567d671 and eax, 0x1f
0x55555567d674 cmp al, 7
0x55555567d676 ja dump_do_all_dump_reloc_for_phase+224
<dump_do_all_dump_reloc_for_phase+224>
↓
0x55555567d700 sub ecx, 0xd
0x55555567d703 lea rax, [rdx + rbx]
0x55555567d707 jmp dump_do_all_dump_reloc_for_phase+100
<dump_do_all_dump_reloc_for_phase+100>
↓
0x55555567d684 mov rdx, rax
0x55555567d687 mov esi, ecx
0x55555567d689 sub rdx, rbp
0x55555567d68c add rax, rsi
──────────────────────────────────────────────────────────────────────────[
SOURCE (CODE) ]───────────────────────────────────────────────────────────────────────────
In file: /home/fuomag9/emacs-std/src/pdumper.c
5234 const struct dump_reloc reloc)
5235 {
5236 const dump_off reloc_offset = dump_reloc_get_offset (reloc);
5237 uintptr_t value = dump_read_word_from_dump (dump_base, reloc_offset);
5238 enum Lisp_Type lisp_type;
► 5239
5240 if (RELOC_DUMP_TO_DUMP_LV <= reloc.type
5241 && reloc.type < RELOC_DUMP_TO_EMACS_LV)
5242 {
5243 lisp_type = reloc.type - RELOC_DUMP_TO_DUMP_LV;
5244 value += dump_base;
──────────────────────────────────────────────────────────────────────────────[
STACK ]───────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdf30 —▸ 0x7fffffffe0c0 ◂— 0x3
01:0008│ 0x7fffffffdf38 ◂— 0x3
02:0010│ 0x7fffffffdf40 —▸ 0x7fffffffdfc0 ◂— 'DUMPEDGNUEMACS'
03:0018│ 0x7fffffffdf48 —▸ 0x7fffffffe168 ◂— 0x3f /* '?' */
04:0020│ 0x7fffffffdf50 ◂— 0x0
05:0028│ 0x7fffffffdf58 —▸ 0x555555683e63 (pdumper_load+1523) ◂— mov
eax, dword ptr [rsp + 0xb4]
06:0030│ 0x7fffffffdf60 ◂— 0x60e99c8c
07:0038│ 0x7fffffffdf68 ◂— 0x60e9d68
────────────────────────────────────────────────────────────────────────────[
BACKTRACE ]─────────────────────────────────────────────────────────────────────────────
► f 0 0x55555567d66e dump_do_all_dump_reloc_for_phase+78
f 1 0x55555567d66e dump_do_all_dump_reloc_for_phase+78
f 2 0x55555567d66e dump_do_all_dump_reloc_for_phase+78
f 3 0x555555683e63 pdumper_load+1523
f 4 0x555555587c10 main+2880
f 5 0x555555587c10 main+2880
f 6 0x7ffff7972565 __libc_start_main+213

Below is the execution with the ASAN address sanitizer showing the
global buffer overflow:

==25852==ERROR: AddressSanitizer: global-buffer-overflow on address
0x56099125b830 at pc 0x7fc6db6862d3 bp 0x7ffe24fa83a0 sp
0x7ffe24fa7b48
WRITE of size 226929408 at 0x56099125b830 thread T0
#0 0x7fc6db6862d2 in __interceptor_memcpy
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x560990ba5258 in dump_do_emacs_relocation
(/home/fuomag9/emacs-asan/src/emacs+0x457258)
#2 0x560990ba5aa1 in dump_do_all_emacs_relocations
(/home/fuomag9/emacs-asan/src/emacs+0x457aa1)
#3 0x560990ba67ea in pdumper_load (/home/fuomag9/emacs-asan/src/emacs+0x4587ea)
#4 0x560990a5986a in load_pdump (/home/fuomag9/emacs-asan/src/emacs+0x30b86a)
#5 0x560990a5b167 in main (/home/fuomag9/emacs-asan/src/emacs+0x30d167)
#6 0x7fc6db006564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
#7 0x56099082f00d in _start (/home/fuomag9/emacs-asan/src/emacs+0xe100d)
0x56099125b830 is located 0 bytes to the right of global variable
'globals' defined in 'alloc.c:283:22' (0x56099125aa80) of size 3504
0x56099125b830 is located 48 bytes to the left of global variable
'consing_until_gc' defined in 'alloc.c:287:11' (0x56099125b860) of
size 8
SUMMARY: AddressSanitizer: global-buffer-overflow
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0ac1b22436b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b22436c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b22436d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b22436e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b22436f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ac1b2243700: 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 00 f9 f9 f9
0x0ac1b2243710: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
0x0ac1b2243720: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b2243730: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 f9
0x0ac1b2243740: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0ac1b2243750: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
I look forward your promptly response.
Best regards,
fuomag9



[-- Attachment #2.1: Type: text/html, Size: 29241 bytes --]

[-- Attachment #2.2: PAYLOAD --]
[-- Type: application/octet-stream, Size: 1048576 bytes --]

[-- Attachment #2.3: Type: text/html, Size: 212 bytes --]

       reply	other threads:[~2023-04-24 21:27 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <40-63e3c600-3-2d802d00@111202636>
     [not found] ` <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@eu-central-1.amazonses.com>
     [not found]   ` <bcb96279c47143f403f588dc3f020725029137bd.camel@josefsson.org>
2023-04-24 21:27     ` fuomag9 [this message]
2023-04-25  7:14       ` bug#63063: CVE-2021-36699 report Eli Zaretskii
2023-04-25  7:24         ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25  7:55           ` Eli Zaretskii
2023-04-25  8:38             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25  9:09               ` Eli Zaretskii
2023-04-25 10:55                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25 11:51                   ` Eli Zaretskii
2023-04-25 12:26                     ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25 12:47                       ` Eli Zaretskii
2023-04-25 12:59                         ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25 13:06                           ` Eli Zaretskii
2023-04-25 13:18                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25 15:54                               ` lux
2023-04-25 16:01                                 ` Eli Zaretskii
2023-04-25 16:17                                   ` Robert Pluim
2023-04-25 16:37                                     ` lux
2023-04-26  1:28                     ` Richard Stallman
2023-04-25  8:45         ` fuomag9 via Bug reports for GNU Emacs, the Swiss army knife of text editors
     [not found]       ` <874jp4ecg6.fsf@yahoo.com>
     [not found]         ` <87o7nc77tt.fsf@valhala.localdomain>
2023-04-25  7:53           ` Eli Zaretskii
     [not found]           ` <87zg6wctqg.fsf@yahoo.com>
2023-04-25  7:53             ` Eli Zaretskii
     [not found]       ` <CAP_d_8VnxkBOZ3xwccB_URY7vnSCEA2f7ysXOneiwgLHiLEiiA@mail.gmail.com>
2023-04-25  7:57         ` Eli Zaretskii

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com \
    --to=fuo@fuo.fi \
    --cc=bug-gnu-emacs@gnu.org \
    --cc=emacs-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).