From: Po Lu via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 16:38:19 +0800
Message-ID: <87r0s8cq6c.fsf@yahoo.com>
References: <40-63e3c600-3-2d802d00@111202636> <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@eu-central-1.amazonses.com> <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> <83mt2wwi0y.fsf@gnu.org> <87v8hkctlc.fsf@yahoo.com> <83fs8owg3r.fsf@gnu.org>
Reply-To: Po Lu
To: Eli Zaretskii
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
In-Reply-To: <83fs8owg3r.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 10:55:36 +0300")

Eli Zaretskii writes:

>> From: Po Lu
>> Cc: fuomag9, 63063@debbugs.gnu.org
>> Date: Tue, 25 Apr 2023 15:24:31 +0800
>>
>> Eli Zaretskii writes:
>>
>> > Please tell more about the buffer overflow: where does it happen in
>> > the Emacs sources, which buffer overflows, and why.  I cannot find
>> > these details in your report.
>>
>> It happens because the dump file is deliberately edited to be invalid.
>
> I didn't ask about the root cause, I asked about the details of the
> problem: where it happens in our sources, and what exactly happens.

The protection fault is in `dump_do_emacs_relocation'.  When the dump file
contains a relocation with an offset outside the heap:

  lv = make_lisp_ptr (obj_ptr, reloc.length);
  memcpy (emacs_ptr_at (reloc.emacs_offset), &lv, sizeof (lv));

will end up copying outside the heap.
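The failure mode described in the message above, as an added illustration that is not part of this thread and not Emacs's pdumper code: a miniature relocation applier in the shape of `dump_do_emacs_relocation', with the unchecked pattern from the report next to a bounds-checked variant. The struct `reloc`, the functions `apply_reloc_unchecked` / `apply_reloc_checked`, the tagged-pointer stand-in `lisp_obj` and the 64-byte `heap` are all invented for this example; the sample relocations are constructed, with one offset deliberately past the end of the heap as in the edited dump file.

```c
/* Added example, not Emacs source.  A toy model of applying a dump-file
   relocation to the Emacs heap, in the style of pdumper's
   dump_do_emacs_relocation.  Names below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a Lisp_Object: a pointer with a 3-bit tag. */
typedef uintptr_t lisp_obj;

/* Hypothetical relocation record read from the (untrusted) dump file:
   where in the Emacs image to patch, in bytes, plus a tag for the
   pointer that will be stored there. */
struct reloc {
    size_t emacs_offset;
    unsigned tag;
};

/* Stand-in for the Emacs heap that relocations patch. */
enum { HEAP_SIZE = 64 };
static unsigned char heap[HEAP_SIZE];

/* Build a tagged pointer, masking the low bits so the tag is exact. */
static lisp_obj make_tagged_ptr(const void *p, unsigned tag) {
    return ((uintptr_t)p & ~(uintptr_t)7) | (tag & 7u);
}

/* Vulnerable pattern from the report: emacs_offset comes straight from
   the dump file and is used as a pointer into the heap, so an offset
   beyond HEAP_SIZE makes memcpy write outside the heap.  Kept here to
   mirror the bug; only ever called with a validated offset. */
static void apply_reloc_unchecked(const struct reloc *r, const void *obj_ptr) {
    lisp_obj lv = make_tagged_ptr(obj_ptr, r->tag);
    memcpy(heap + r->emacs_offset, &lv, sizeof lv);
}

/* Hardened variant: refuse any relocation whose target slot does not lie
   entirely inside the heap.  Written as a subtraction on the bound rather
   than `offset + sizeof lv <= HEAP_SIZE` so a huge offset cannot wrap. */
static bool apply_reloc_checked(const struct reloc *r, const void *obj_ptr) {
    if (r->emacs_offset > HEAP_SIZE - sizeof(lisp_obj))
        return false;              /* would copy outside the heap */
    apply_reloc_unchecked(r, obj_ptr);
    return true;
}

/* Read a patched slot back so the effect of a relocation can be checked. */
static lisp_obj read_slot(size_t off) {
    lisp_obj v;
    memcpy(&v, heap + off, sizeof v);
    return v;
}

/* Constructed relocations: one in range, one with an offset far past the
   heap (the shape of the deliberately edited dump file in the report).
   Returns 1 when the checked applier accepts the first and rejects the
   second. */
static int demo(void) {
    static int target;
    struct reloc good = { .emacs_offset = 8,        .tag = 3 };
    struct reloc bad  = { .emacs_offset = 1u << 20, .tag = 3 };
    bool ok_good = apply_reloc_checked(&good, &target);
    bool ok_bad  = apply_reloc_checked(&bad,  &target);
    return ok_good && !ok_bad;
}

int main(void) {
    printf("checked applier: %s\n",
           demo() ? "accepted in-range reloc, rejected out-of-range reloc"
                  : "FAILED");
    return 0;
}
```

The only difference between the two appliers is the comparison against the heap bound before the memcpy; that check is what turns a crafted offset into a rejected dump instead of a write outside the heap.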