From: Po Lu via "Bug reports for GNU Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
To: Stefan Kangas <stefankangas@gmail.com>
Cc: 72245@debbugs.gnu.org
Subject: bug#72245: [PATCH] Fix integer overflow when reading XPM
Date: Tue, 23 Jul 2024 23:15:09 +0800 [thread overview]
Message-ID: <877cdcxhqa.fsf@yahoo.com> (raw)
In-Reply-To: <CADwFkmnrkyOXg+jK8hviCJaXH5xP_9Q3Zh7YLzaPPjzZ8R120Q@mail.gmail.com> (Stefan Kangas's message of "Tue, 23 Jul 2024 07:51:29 -0700")
Stefan Kangas <stefankangas@gmail.com> writes:
> Po Lu <luangruo@yahoo.com> writes:
>
>> I'm saying that there is nothing to be done. This change is needless,
>> and the report should be closed, whatever opinions the security theater
>> might hold on the matter.
>
> I wasn't the one that started a subthread about security. You did.
>
> The primary consideration here is correctness. Undefined behaviour is
> generally undesirable, and is a source of both bugs and security issues
> in the wild. This is not "security theater", but a fact. No amount of
> handwaving or throwing expletives around will make it go away.
Why don't you begin by deleteing the undefined behavior in mark_memory?
By definition, after having executed undefined behavior once, all of the
future behavior of a C program becomes undefined. For this reason
alone, it is meaningless to speak of undefined behavior in Emacs, only
whether specific behavior produces _actual_ crashes or corruption.
> That said, since you are asking, we are indeed discussing security
> sensitive code, that is executed without prompting, for example, when
> users receive emails or browse the web. We are also discussing image
> processing, an area that is notorious for the bugs and security issues
> that tend to lurk in its many complexities. On the CWE-190 page that I
> linked, there are several examples of integer overflow in image
> processing that has lead to very real exploits. This is not some
> academic issue.
>
> Whether or not anyone has demonstrated that Emacs can be exploited using
> this vector frankly misses the point. Let's start with making Emacs
> behave correctly and predictably in the face of invalid input. This
> really is the bare minimum. Then we can discuss whether or not we have
> more work to do, security implications, and all the rest of it.
It behaves as correctly and predictably as it should: it does not crash.
> XPM being a relatively simple format, I'm sure that this code can be
> fully audited. I invite you to do so, and I'm hoping that this will
> reveal that your faith in this code is well-founded. Meanwhile, I
> reported an unrelated crash in XPM image processing in Bug#72255.
>
> Since we don't have an alternative patch, I will install the one I
> proposed in the next couple of days. Thanks.
It is correctly implemented as it stands. You are essentially proposing
to have code that has not posed difficulties be needlessly complicated
with ugly pedantic error-checking.
next prev parent reply other threads:[~2024-07-23 15:15 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-22 14:35 bug#72245: [PATCH] Fix integer overflow when reading XPM Stefan Kangas
2024-07-22 15:01 ` Eli Zaretskii
2024-07-22 15:39 ` Paul Eggert
2024-07-22 15:48 ` Stefan Kangas
2024-07-23 2:06 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 3:04 ` Stefan Kangas
2024-07-23 3:41 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 4:12 ` Stefan Kangas
2024-07-23 4:45 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 14:51 ` Stefan Kangas
2024-07-23 15:15 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors [this message]
2024-07-23 15:39 ` Eli Zaretskii
2024-07-23 15:33 ` Eli Zaretskii
2024-07-23 17:39 ` Andreas Schwab
2024-07-23 17:54 ` Eli Zaretskii
2024-07-23 21:39 ` Stefan Kangas
2024-09-01 11:20 ` Stefan Kangas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877cdcxhqa.fsf@yahoo.com \
--to=bug-gnu-emacs@gnu.org \
--cc=72245@debbugs.gnu.org \
--cc=luangruo@yahoo.com \
--cc=stefankangas@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).