From: Po Lu via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 18:55:40 +0800
Message-ID: <87mt2wcjtf.fsf@yahoo.com>
In-Reply-To: <83a5ywwcow.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 12:09:19 +0300")
References: <40-63e3c600-3-2d802d00@111202636> <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@eu-central-1.amazonses.com> <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> <83mt2wwi0y.fsf@gnu.org> <87v8hkctlc.fsf@yahoo.com> <83fs8owg3r.fsf@gnu.org> <87r0s8cq6c.fsf@yahoo.com> <83a5ywwcow.fsf@gnu.org>
Reply-To: Po Lu
To: Eli Zaretskii
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
User-Agent: Gnus/5.13 (Gnus v5.13)
Xref: news.gmane.io gmane.emacs.bugs:260607

Eli Zaretskii writes:

> Thanks, but that seems to be unrelated to the code to which the OP
> pointed.  Are you sure it's the same problem?

Yes: the debugger output isn't very clear because
`dump_make_lv_from_reloc' has been inlined.  Look at the program counter
in the ASAN report.

> Also, writing outside of the process's address space will indeed cause
> a protection fault and SIGSEGV, not a buffer-overflow type of problem
> that can be exploited for executing some arbitrary code.  So I'm not
> sure I see why this is a security issue?

The invalid relocation could also point to an address that Emacs has
mapped, but outside any object, in which case AddressSanitizer will
report a buffer overflow.

In either case, this is not a security vulnerability: if you can make
the user load malformed dump files, you can make him load nefarious
executables as well.  It doesn't even qualify as a bug, since malformed
dump files can cause Emacs to crash in a myriad of other ways.

> emacs_ptr_at has this comment:
>
>   /* TODO: assert somehow that the result is actually in the Emacs
>      image.  */
>
> Can we assure that in some reasonable way?  We have valid_pointer_p,
> but that's too expensive, I think.

It's quite expensive.  Any such check should only be turned on
--with-checking.
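The range check that the quoted TODO in emacs_ptr_at asks for, as an added example that is not Emacs's pdumper code and not part of this thread: a toy dump loader whose relocation step turns dump-relative offsets into absolute pointers and, when a compile-time checking macro is on, rejects any relocation whose patched slot or whose target falls outside the mapped image. It does the check with offset arithmetic against the image size rather than a validity probe on the resulting pointer, which is what makes it cheap enough to consider. Everything here is assumed: the toy_* names, the TOY_ENABLE_CHECKING macro standing in for --with-checking, the relocation record layout, and the constructed 64-byte image with one good and one malformed relocation table.

```c
/* Added example, not Emacs's pdumper: a toy dump loader that validates
   relocation targets against the mapped image.  All names are
   hypothetical; TOY_ENABLE_CHECKING stands in for --with-checking. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef TOY_ENABLE_CHECKING
#define TOY_ENABLE_CHECKING 1   /* assumption: checks are on for this demo */
#endif

/* A relocation says: the pointer-sized slot at image offset 'where'
   must be filled with the absolute address of image offset 'target'
   once the image has been mapped at its runtime base. */
struct toy_reloc { uint32_t where; uint32_t target; };

struct toy_dump {
    unsigned char *base;   /* start of the mapped image */
    size_t size;           /* number of bytes in the image */
};

/* Absolute address for a dump-relative offset.  With checking on,
   an offset at or past the end of the image yields NULL instead of
   a pointer outside the image; this is the assertion the TODO wants,
   done with a single compare rather than a valid_pointer_p-style probe. */
static void *toy_ptr_at(const struct toy_dump *d, uint64_t off)
{
#if TOY_ENABLE_CHECKING
    if (off >= d->size)
        return NULL;
#endif
    return d->base + off;
}

/* Apply one relocation.  Returns 0 on success, -1 when the slot being
   patched does not lie wholly inside the image or the target does not. */
static int toy_apply_reloc(struct toy_dump *d, const struct toy_reloc *r)
{
    /* Guard the write first: a slot that straddles the end of the image
       would be an out-of-bounds store regardless of the target. */
    if (r->where > d->size || d->size - r->where < sizeof (void *))
        return -1;
    void *p = toy_ptr_at(d, r->target);
    if (p == NULL)
        return -1;
    memcpy(d->base + r->where, &p, sizeof p);
    return 0;
}

/* Apply a relocation table, stopping at the first malformed entry.
   Returns the number of entries applied, or -1 on a bad relocation. */
static int toy_relocate(struct toy_dump *d, const struct toy_reloc *tab, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (toy_apply_reloc(d, &tab[i]) != 0)
            return -1;
    return (int) n;
}

/* Constructed input: a 64-byte image, one well-formed table and one
   whose second target (0x10000) lies far past the end of the image.
   Returns 1 when the good table applies fully and the bad one is refused. */
int toy_demo(void)
{
    unsigned char image[64] = {0};
    struct toy_dump d = { image, sizeof image };

    const struct toy_reloc good[] = { { 0, 32 }, { 8, 48 } };
    const struct toy_reloc bad[]  = { { 0, 32 }, { 8, 0x10000 } };

    int applied = toy_relocate(&d, good, 2);
    int refused = toy_relocate(&d, bad, 2);
    printf("good table: %d applied; malformed table: %d\n", applied, refused);
    return applied == 2 && refused == -1;
}

int main(void)
{
    return toy_demo() ? 0 : 1;
}
```

Compile with -DTOY_ENABLE_CHECKING=0 and the malformed table is accepted and the slot at offset 8 is filled with a pointer 64 KiB past the image, which is the situation the ASAN report in this bug describes; with the macro on, the loader refuses the table before any write happens.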