* bug#42530: 28.0.50; Integer overflows in alloc.c on macOS
From: Philipp @ 2020-07-25 17:20 UTC (permalink / raw)
To: 42530
-fsanitize=undefined finds the following integer overflows in alloc.c:
alloc.c:4641:33: runtime error: addition of unsigned offset to 0x000102496c05 overflowed to 0x000102496c00
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4641:33 in
alloc.c:4852:9: runtime error: pointer index expression with base 0xffffffffffffffff overflowed to 0x00010344053f
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4852:9 in
I briefly checked the code, but couldn't find anything obviously wrong.
Note that UBSan also checks for unsigned integer overflows, which are
technically not undefined, but might still be fishy. If these overflows
are intended, we should probably use INT_ADD_WRAPV to make that clear
and suppress the sanitizer.
In GNU Emacs 28.0.50 (build 66, x86_64-apple-darwin19.5.0, NS appkit-1894.50 Version 10.15.5 (Build 19F101))
of 2020-07-25
Repository revision: 3b44829823f43d3736b8ec9db2258eeff7f6c16a
Repository branch: master
Windowing system distributor 'Apple', version 10.3.1894
System Description: Mac OS X 10.15.5
Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Configured using:
'configure --with-modules --without-xml2 --without-pop --with-mailutils
--enable-gcc-warnings=warn-only --enable-checking=all
--enable-check-lisp-object-type 'CFLAGS=-g3 -O1 -fsanitize=address
-fsanitize=undefined -fno-omit-frame-pointer''
Configured features:
JPEG TIFF GIF PNG NOTIFY KQUEUE ACL GNUTLS ZLIB TOOLKIT_SCROLL_BARS NS
MODULES THREADS JSON PDUMPER LCMS2
Important settings:
value of $LANG: de_DE.UTF-8
locale-coding-system: utf-8-unix
Major mode: Lisp Interaction
Minor modes in effect:
tooltip-mode: t
global-eldoc-mode: t
eldoc-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
Load-path shadows:
None found.
Features:
Memory information:
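An added example, not code from this thread or from Emacs, of the checked-arithmetic approach the report suggests: all address arithmetic is done on uintptr_t with checked addition, so the scanner never forms a wrapped pointer of the kind UBSan's pointer-overflow check reports. It uses the GCC/Clang builtin __builtin_add_overflow in place of gnulib's INT_ADD_WRAPV; scan_range, heap_obj and demo are constructed stand-ins, not mark_memory.

```c
/* Added example (not Emacs code): a conservative word scanner whose address
   arithmetic is done on uintptr_t with checked addition, so it never forms a
   wrapped pointer.  The report suggests INT_ADD_WRAPV for this; here the
   GCC/Clang builtin it wraps, __builtin_add_overflow, stands in for it.  */
#include <stdint.h>
#include <string.h>

/* Constructed "heap object"; the scan counts words that point into it.  */
static unsigned char heap_obj[64];

/* Scan [start, end) one aligned word at a time.  Returns how many words point
   into heap_obj, or -1 if the range is malformed (end before start, or the
   address arithmetic would wrap).  The loop bound is computed with checked
   integer addition rather than as a pointer expression, which is the kind of
   expression UBSan's pointer-overflow check flags.  */
static long
scan_range (const void *start, const void *end)
{
  uintptr_t lo = (uintptr_t) start, hi = (uintptr_t) end, p, next;
  if (hi < lo)
    return -1;
  /* Round lo up to a word boundary, refusing instead of wrapping.  */
  if (__builtin_add_overflow (lo, sizeof (uintptr_t) - 1, &p))
    return -1;
  p &= ~(uintptr_t) (sizeof (uintptr_t) - 1);
  uintptr_t obj_lo = (uintptr_t) heap_obj, obj_hi = obj_lo + sizeof heap_obj;
  long found = 0;
  while (!__builtin_add_overflow (p, sizeof (uintptr_t), &next) && next <= hi)
    {
      uintptr_t word;
      memcpy (&word, (const void *) p, sizeof word);  /* read the candidate */
      if (obj_lo <= word && word < obj_hi)
        found++;
      p = next;
    }
  return found;
}

/* Constructed sample "stack": four words, two of which point into heap_obj.  */
static long
demo (void)
{
  uintptr_t words[4];
  words[0] = (uintptr_t) heap_obj + 8;   /* inside heap_obj */
  words[1] = 0x1234;                     /* an integer that is not a pointer */
  words[2] = (uintptr_t) heap_obj + 63;  /* last byte of heap_obj */
  words[3] = (uintptr_t) heap_obj + 64;  /* one past the end: not inside */
  return scan_range (words, words + 4);  /* returns 2 */
}
```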
* bug#42530: 28.0.50; Integer overflows in alloc.c on macOS
From: Lars Ingebrigtsen @ 2020-10-17 9:05 UTC (permalink / raw)
To: Philipp; +Cc: 42530
Philipp <p.stephani2@gmail.com> writes:
> -fsanitize=undefined finds the following integer overflows in alloc.c:
>
> alloc.c:4641:33: runtime error: addition of unsigned offset to 0x000102496c05 overflowed to 0x000102496c00
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4641:33 in
> alloc.c:4852:9: runtime error: pointer index expression with base 0xffffffffffffffff overflowed to 0x00010344053f
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4852:9 in
How do you reproduce this? I tried
./configure CFLAGS='-g3 -O1 -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer' --with-modules --without-xml2 --without-pop --with-mailutils --enable-gcc-warnings=warn-only --enable-checking=all --enable-check-lisp-object-type
and then started Emacs (on Catalina), but didn't get any errors as far
as I can see.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* bug#42530: 28.0.50; Integer overflows in alloc.c on macOS
From: Philipp Stephani @ 2020-10-17 12:12 UTC (permalink / raw)
To: Lars Ingebrigtsen; +Cc: 42530
On Sat, 17 Oct 2020 at 11:06, Lars Ingebrigtsen <larsi@gnus.org> wrote:
>
> Philipp <p.stephani2@gmail.com> writes:
>
> > -fsanitize=undefined finds the following integer overflows in alloc.c:
> >
> > alloc.c:4641:33: runtime error: addition of unsigned offset to 0x000102496c05 overflowed to 0x000102496c00
> > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4641:33 in
> > alloc.c:4852:9: runtime error: pointer index expression with base 0xffffffffffffffff overflowed to 0x00010344053f
> > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4852:9 in
>
> How do you reproduce this? I tried
>
> ./configure CFLAGS='-g3 -O1 -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer' --with-modules --without-xml2 --without-pop --with-mailutils --enable-gcc-warnings=warn-only --enable-checking=all --enable-check-lisp-object-type
>
> and then started Emacs (on Catalina), but didn't get any errors as far
> as I can see.
According to 'git bisect' this was fixed by
commit 069b58b7c852b59f8ef7642e21db339626045671
Author: Philipp Stephani <phst@google.com>
Date: Sun Aug 2 12:58:44 2020 +0200
* src/alloc.c (mark_memory): Avoid signed integer overflow
src/alloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
and probably other commits around that time.
* bug#42530: 28.0.50; Integer overflows in alloc.c on macOS
From: Lars Ingebrigtsen @ 2020-10-18 8:15 UTC (permalink / raw)
To: Philipp Stephani; +Cc: 42530
Philipp Stephani <p.stephani2@gmail.com> writes:
> According to 'git bisect' this was fixed by
>
> commit 069b58b7c852b59f8ef7642e21db339626045671
> Author: Philipp Stephani <phst@google.com>
> Date: Sun Aug 2 12:58:44 2020 +0200
>
> * src/alloc.c (mark_memory): Avoid signed integer overflow
>
> src/alloc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> and probably other commits around that time.
Thanks; I'm closing this bug report, then.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no