unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#23482: 24.4; stack buffer overflow in x-send-client-message
From: Kalle Olavi Niemitalo @ 2016-05-08 12:27 UTC
  To: 23482

Start emacs -Q in X, copy the following form to the *scratch*
buffer, and press C-j to evaluate it.  The process then crashes
and glibc reports "stack smashing detected".

(x-send-client-message nil nil nil "foo" 32 (make-list 100 0))

Although the docstring of x-send-client-message claims that
excessive values are ignored, they are actually copied to the
event.xclient.data buffer.  This bug was caused in February 2004
when Fx_send_client_event was moved from xfns.c to xselect.c
and the x_fill_property_data function was added.

This does not seem a security vulnerability though, because Emacs
fully trusts Emacs Lisp code, and if some Emacs Lisp code sends
client messages based on untrusted data, then that's already a
bug of its own.

In my fork, I fixed this by adding a nelements_max parameter to
x_fill_property_data.

In GNU Emacs 24.4.1 (x86_64-pc-linux-gnu, GTK+ Version 3.14.5)
 of 2015-03-07 on trouble, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11604000
System Description:	Debian GNU/Linux 8.4 (jessie)

Configured using:
 `configure --build x86_64-linux-gnu --prefix=/usr
 --sharedstatedir=/var/lib --libexecdir=/usr/lib
 --localstatedir=/var/lib --infodir=/usr/share/info
 --mandir=/usr/share/man --with-pop=yes
 --enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.4/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.4/site-lisp:/usr/share/emacs/site-lisp
 --build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib
 --libexecdir=/usr/lib --localstatedir=/var/lib
 --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes
 --enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.4/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.4/site-lisp:/usr/share/emacs/site-lisp
 --with-x=yes --with-x-toolkit=gtk3 --with-toolkit-scroll-bars
 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat
 -Werror=format-security -Wall' CPPFLAGS=-D_FORTIFY_SOURCE=2
 LDFLAGS=-Wl,-z,relro'

Important settings:
  value of $LANG: fi_FI.utf8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
M-x r e p o r t SPC e m a c s SPC b u g <return>

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Load-path shadows:
None found.

Features:
(shadow sort gnus-util mail-extr emacsbug message format-spec rfc822 mml
easymenu mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums
mm-util help-fns mail-prsvr mail-utils time-date tooltip electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar
dnd fontset image regexp-opt fringe tabulated-list newcomment lisp-mode
prog-mode register page menu-bar rfn-eshadow timer select scroll-bar
mouse jit-lock font-lock syntax facemenu font-core frame cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev
minibuffer nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
dbusbind gfilenotify dynamic-setting system-font-setting
font-render-setting move-toolbar gtk x-toolkit x multi-tty emacs)

Memory information:
((conses 16 71460 7916)
 (symbols 48 17673 0)
 (miscs 40 38 113)
 (strings 32 9157 4731)
 (string-bytes 1 250735)
 (vectors 16 8949)
 (vector-slots 8 385259 16186)
 (floats 8 63 68)
 (intervals 56 255 50)
 (buffers 960 11)
 (heap 1024 40257 948))

* bug#23482: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482).
From: Kalle Olavi Niemitalo @ 2016-05-10  5:43 UTC
  To: 23482

The docstring already said that excessive values are ignored,
but they instead overflowed the buffer.

This does not seem a security vulnerability though, because Emacs fully
trusts Emacs Lisp code, and if some Emacs Lisp code sends client
messages based on untrusted data, then that's already a bug of its own.

2016-05-08  Kalle Olavi Niemitalo  <kon@iki.fi>

	* xselect.c (x_fill_property_data): Add parameter NELEMENTS_MAX.
	* xterm.h (x_fill_property_data): Update prototype.
	* xselect.c (Fx_send_client_event): Update call.  This fixes
	  a buffer overflow in event.xclient.data.
	* xfns.c (Fx_change_window_property): Update call.
---
This patch is for Emacs 22.1 and includes the prominent notices
required by clause 2a of GPLv2. 
I do not intend to assign copyright to the FSF.

In Emacs 22.1, Fx_send_client_event has other bugs that this
patch does not fix.  It should clear event.xclient.data.l rather
than event.xclient.data.b, and the mask 0xffff in events sent to
the root window does not include the SubstructureNotify and
SubstructureRedirect bits required by "Extended Window Manager
Hints" version 1.1.

Date: Sun, 8 May 2016 11:33:44 +0300

 src/xfns.c    |  5 ++++-
 src/xselect.c | 17 +++++++++++++----
 src/xterm.h   |  3 +++
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/src/xfns.c b/src/xfns.c
index d269dfb..00e28db 100644
--- a/src/xfns.c
+++ b/src/xfns.c
@@ -19,6 +19,8 @@ along with GNU Emacs; see the file COPYING.  If not, write to
 the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 Boston, MA 02110-1301, USA.  */
 
+/* Modified on 2016-05-08 by Kalle Olavi Niemitalo.  */
+
 #include <config.h>
 #include <stdio.h>
 #include <math.h>
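Review bot: the `/* Modified on 2016-05-08 by Kalle Olavi Niemitalo.  */` line added here, and the identical ones in the xselect.c and xterm.h hunks below, are GPLv2 section 2(a) change notices for the fork rather than part of the fix; upstream Emacs records modifications in ChangeLog and the git history, so drop these three lines from a version meant for the Emacs tree and keep the patch to the functional change.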
@@ -4255,7 +4257,8 @@ Value is VALUE.  */)
            converts to 32 bits before sending to the X server.  */
         data = (unsigned char *) xmalloc (nelements * sizeof(long));
 
-      x_fill_property_data (FRAME_X_DISPLAY (f), value, data, element_format);
+      x_fill_property_data (FRAME_X_DISPLAY (f), value, data, nelements,
+                            element_format);
     }
   else
     {
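Review bot: passing `nelements` here is consistent with the new signature but is not what fixes the crash: the buffer is allocated as `nelements * sizeof(long)` two lines above, so this caller already sized RET from the same count and could not overflow, and the new bound only guards against the two diverging later. Say so in the ChangeLog entry, which currently lists this call as just "Update call"; also note that allocating `sizeof(long)` per element for every FORMAT over-allocates for 8 and 16, which is harmless but worth a comment.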
diff --git a/src/xselect.c b/src/xselect.c
index 3fe109a..5d4ef9c 100644
--- a/src/xselect.c
+++ b/src/xselect.c
@@ -21,6 +21,7 @@ Boston, MA 02110-1301, USA.  */
 
 
 /* Rewritten by jwz */
+/* Modified on 2016-05-08 by Kalle Olavi Niemitalo.  */
 
 #include <config.h>
 #include <stdio.h>      /* termhooks.h needs this */
@@ -2526,27 +2527,32 @@ x_check_property_data (data)
 
    DPY is the display use to look up X atoms.
    DATA is a Lisp list of values to be converted.
-   RET is the C array that contains the converted values.  It is assumed
-   it is big enough to hold all values.
+   RET is the C array that contains the converted values.
+   NELEMENTS_MAX is the number of values that will fit in RET.
+   Any excess values in DATA are ignored.
    FORMAT is 8, 16 or 32 and denotes char/short/long for each C value to
    be stored in RET.  Note that long is used for 32 even if long is more
    than 32 bits (see man pages for XChangeProperty, XGetWindowProperty and
    XClientMessageEvent).  */
 
 void
-x_fill_property_data (dpy, data, ret, format)
+x_fill_property_data (dpy, data, ret, nelements_max, format)
      Display *dpy;
      Lisp_Object data;
      void *ret;
+     int nelements_max;
      int format;
 {
   long val;
   long  *d32 = (long  *) ret;
   short *d16 = (short *) ret;
   char  *d08 = (char  *) ret;
+  int nelements;
   Lisp_Object iter;
 
-  for (iter = data; CONSP (iter); iter = XCDR (iter))
+  for (iter = data, nelements = 0;
+       CONSP (iter) && nelements < nelements_max;
+       iter = XCDR (iter), nelements++)
     {
       Lisp_Object o = XCAR (iter);
 
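Review bot: the loop now stops silently at NELEMENTS_MAX, which is what the x-send-client-message docstring promises, but x_fill_property_data is also used by x-change-window-property; consider returning `nelements` (the function is currently `void`) so a caller can tell that values were dropped instead of discovering it from a truncated property. Also `nelements_max` and `nelements` are `int` and nothing here guards against a negative bound; an assertion that `nelements_max >= 0`, or an unsigned type, would document the contract.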
@@ -2883,7 +2889,10 @@ are ignored.  */)
 
 
   memset (event.xclient.data.b, 0, sizeof (event.xclient.data.b));
+
+  /* event.xclient.data can hold 20 chars, 10 shorts, or 5 longs.  */
   x_fill_property_data (dpyinfo->display, values, event.xclient.data.b,
+                        5 * 32 / event.xclient.format,
                         event.xclient.format);
 
   /* If event mask is 0 the event is sent to the client that created
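Review bot: `5 * 32 / event.xclient.format` hard-codes the union size and is only correct if FORMAT has already been checked to be 8, 16 or 32: 0 divides by zero and any other value gives a wrong bound. That check is not in this hunk, so confirm it precedes the call, and consider deriving the bound from the type so the constants cannot drift from the comment, e.g. `sizeof (event.xclient.data.b) / (event.xclient.format / 8)`, which yields 20, 10 and 5 (the FORMAT validation is still required in either form). Separately, the `memset` two lines above still clears only `event.xclient.data.b` (20 bytes) while the format-32 stores go through `data.l` (5 longs, 40 bytes on LP64), so with fewer values than slots part of `data.l` goes out in the event uninitialised; the cover letter acknowledges this, and since the fix is changing `.b` to `.l` in that one line it belongs in the same patch.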
diff --git a/src/xterm.h b/src/xterm.h
index 13b0b49..968ead7 100644
--- a/src/xterm.h
+++ b/src/xterm.h
@@ -19,6 +19,8 @@ along with GNU Emacs; see the file COPYING.  If not, write to
 the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 Boston, MA 02110-1301, USA.  */
 
+/* Modified on 2016-05-08 by Kalle Olavi Niemitalo.  */
+
 #include <X11/Xlib.h>
 #include <X11/cursorfont.h>
 
@@ -1032,6 +1034,7 @@ extern int x_check_property_data P_ ((Lisp_Object));
 extern void x_fill_property_data P_ ((Display *,
                                       Lisp_Object,
                                       void *,
+                                      int,
                                       int));
 extern Lisp_Object x_property_data_to_lisp P_ ((struct frame *,
                                                 unsigned char *,
-- 
2.1.4
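Added illustration, not code from the bug report, the patch or Emacs: the C program below models the fix discussed in the two messages above, a fill routine that stores at most as many values as the fixed XClientMessageEvent data union holds, with the capacity taken from sizeof rather than the literal 5 * 32 / format, plus a second function that shows the 22.1 memset defect the patch author mentions (clearing data.b leaves part of data.l untouched). The union is declared locally with Xlib's layout so the file builds without Xlib; its name, the function names and the numbered sample values are this example's own assumptions.

```c
/* Added example, not Emacs code: a bounded fill for the fixed-size
   data union of an X client message, modelled on the bug#23482 fix.
   Assumption: the union is declared here with Xlib's layout
   (20 chars / 10 shorts / 5 longs) so the file builds without Xlib;
   the function names are this example's own.  */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

union client_data
{
  char  b[20];
  short s[10];
  long  l[5];
};

/* Element count of a union member, computed from its size.  */
#define MEMBER_COUNT(member)                                  \
  (sizeof (((union client_data *) 0)->member)                 \
   / sizeof (((union client_data *) 0)->member[0]))

/* Capacity in values for FORMAT, taken from the member sizes instead
   of the literal "5 * 32 / format" used in the patch.  Returns 0 for a
   format other than 8, 16 or 32, so an unvalidated format cannot
   divide by zero or produce a too-large bound.  */
static size_t
client_data_capacity (int format)
{
  switch (format)
    {
    case 8:  return MEMBER_COUNT (b);
    case 16: return MEMBER_COUNT (s);
    case 32: return MEMBER_COUNT (l);
    default: return 0;
    }
}

/* Zero the whole union, then store at most client_data_capacity (FORMAT)
   of the N values.  Values past the capacity are ignored, which is what
   the x-send-client-message docstring promised; the count actually
   stored is returned so a caller can notice the truncation.  Clearing
   the whole union, not just the 20-byte .b member, also covers the
   second 22.1 defect raised in the thread: with fewer than five longs,
   an uncleared tail of .l would otherwise leave the process inside the
   event.  */
static size_t
fill_client_data (union client_data *d, const long *vals, size_t n,
                  int format)
{
  size_t cap = client_data_capacity (format);
  size_t i;

  memset (d, 0, sizeof *d);
  if (n > cap)
    n = cap;
  for (i = 0; i < n; i++)
    switch (format)
      {
      case 8:  d->b[i] = (char) vals[i]; break;
      case 16: d->s[i] = (short) vals[i]; break;
      case 32: d->l[i] = vals[i]; break;
      }
  return n;
}

/* The 22.1 code cleared only .b.  Fill the union with 0xAA, clear .b
   the way that code did, and count the bytes still holding the pattern:
   0 on ILP32, 20 on LP64.  */
static size_t
stale_bytes_after_short_memset (void)
{
  union client_data d;
  const unsigned char *p = (const unsigned char *) &d;
  size_t i, stale = 0;

  memset (&d, 0xAA, sizeof d);
  memset (d.b, 0, sizeof d.b);
  for (i = 0; i < sizeof d; i++)
    stale += (p[i] != 0);
  return stale;
}

int
main (void)
{
  union client_data d;
  long vals[100];   /* stands in for the reporter's (make-list 100 0) */
  size_t i, stored;

  for (i = 0; i < 100; i++)
    vals[i] = (long) i + 1;
  stored = fill_client_data (&d, vals, 100, 32);
  printf ("format 32: stored %zu of 100 values, capacity %zu\n",
          stored, client_data_capacity (32));
  printf ("bytes left uncleared by a memset of .b only: %zu\n",
          stale_bytes_after_short_memset ());
  return 0;
}
```

client_data_capacity returns 0 for any format other than 8, 16 or 32, so fill_client_data stores nothing instead of dividing by zero; the returned count lets a caller report truncation rather than drop values silently.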

* bug#23482: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482).
From: Lars Ingebrigtsen @ 2020-08-11 15:34 UTC
  To: Kalle Olavi Niemitalo; +Cc: 23482

Kalle Olavi Niemitalo <kon@iki.fi> writes:

> The docstring already said that excessive values are ignored,
> but they instead overflowed the buffer.
>
> This does not seem a security vulnerability though, because Emacs fully
> trusts Emacs Lisp code, and if some Emacs Lisp code sends client
> messages based on untrusted data, then that's already a bug of its own.
>
> 2016-05-08  Kalle Olavi Niemitalo  <kon@iki.fi>
>
> 	* xselect.c (x_fill_property_data): Add parameter NELEMENTS_MAX.
> 	* xterm.h (x_fill_property_data): Update prototype.
> 	* xselect.c (Fx_send_client_event): Update call.  This fixes
> 	  a buffer overflow in event.xclient.data.
> 	* xfns.c (Fx_change_window_property): Update call.

Sorry; it doesn't seem like you got a response to this patch at the
time.

To recap: The following will crash Emacs, so don't eval it:

(x-send-client-message nil nil nil "foo" 32 (make-list 100 0))

I can confirm that this problem is still present in Emacs 28, and that
Kalle's patch fixes it.  It looks pretty straightforward, but does
anybody have any comments here?  I've included the re-spun patch for
Emacs 28 below.

> This patch is for Emacs 22.1 and includes the prominent notices
> required by clause 2a of GPLv2. 

I'm not sure what that means?

> I do not intend to assign copyright to the FSF.

It's less than ten lines, so that shouldn't be necessary.

diff --git a/src/xfns.c b/src/xfns.c
index 09dcbbfb92..0203c1324f 100644
--- a/src/xfns.c
+++ b/src/xfns.c
@@ -5890,7 +5890,8 @@ DEFUN ("x-change-window-property", Fx_change_window_property,
       elsize = element_format == 32 ? sizeof (long) : element_format >> 3;
       data = xnmalloc (nelements, elsize);
 
-      x_fill_property_data (FRAME_X_DISPLAY (f), value, data, element_format);
+      x_fill_property_data (FRAME_X_DISPLAY (f), value, data, nelements,
+                            element_format);
     }
   else
     {
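Review bot: as in the 22.1 version, this caller allocates exactly `nelements` elements of `elsize` two lines above, so it was never the overflow site and the extra argument is defensive; fine to keep, but the commit message should say the overflow is in x_send_client_event only. The element size does agree with x_fill_property_data's stores (`sizeof (long)` for 32, `element_format >> 3` for 8 and 16), which is the property the new bound relies on, so a one-line comment tying the two together would help the next reader.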
diff --git a/src/xselect.c b/src/xselect.c
index 48d6215a7b..5234bccbd9 100644
--- a/src/xselect.c
+++ b/src/xselect.c
@@ -2276,23 +2276,28 @@ x_check_property_data (Lisp_Object data)
 
    DPY is the display use to look up X atoms.
    DATA is a Lisp list of values to be converted.
-   RET is the C array that contains the converted values.  It is assumed
-   it is big enough to hold all values.
+   RET is the C array that contains the converted values.
+   NELEMENTS_MAX is the number of values that will fit in RET.
+   Any excess values in DATA are ignored.
    FORMAT is 8, 16 or 32 and denotes char/short/long for each C value to
    be stored in RET.  Note that long is used for 32 even if long is more
    than 32 bits (see man pages for XChangeProperty, XGetWindowProperty and
    XClientMessageEvent).  */
 
 void
-x_fill_property_data (Display *dpy, Lisp_Object data, void *ret, int format)
+x_fill_property_data (Display *dpy, Lisp_Object data, void *ret,
+		      int nelements_max, int format)
 {
   unsigned long val;
   unsigned long  *d32 = (unsigned long  *) ret;
   unsigned short *d16 = (unsigned short *) ret;
   unsigned char  *d08 = (unsigned char  *) ret;
+  int nelements;
   Lisp_Object iter;
 
-  for (iter = data; CONSP (iter); iter = XCDR (iter))
+  for (iter = data, nelements = 0;
+       CONSP (iter) && nelements < nelements_max;
+       iter = XCDR (iter), nelements++)
     {
       Lisp_Object o = XCAR (iter);
 
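Review bot: `int nelements_max` narrows the count it receives from xfns.c, where the same `nelements` is passed to `xnmalloc`, whose arguments are `ptrdiff_t`; make the parameter and the local `nelements` counter `ptrdiff_t` to match Emacs 28's convention for object counts, and add `eassert (nelements_max >= 0)` so a negative bound fails loudly rather than silently storing nothing. The updated doc comment is good; since the function stays `void`, consider also returning the stored count so a caller can detect truncation.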
@@ -2593,7 +2598,9 @@ x_send_client_event (Lisp_Object display, Lisp_Object dest, Lisp_Object from,
   event.xclient.window = to_root ? FRAME_OUTER_WINDOW (f) : wdest;
 
   memset (event.xclient.data.l, 0, sizeof (event.xclient.data.l));
+  /* event.xclient.data can hold 20 chars, 10 shorts, or 5 longs.  */
   x_fill_property_data (dpyinfo->display, values, event.xclient.data.b,
+                        5 * 32 / event.xclient.format,
                         event.xclient.format);
 
   /* If event mask is 0 the event is sent to the client that created
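Review bot: the `5 * 32 / event.xclient.format` bound carries over from the 22.1 patch unchanged; prefer `sizeof (event.xclient.data.b) / (event.xclient.format / 8)` so the 20/10/5 in the comment is derived rather than asserted, and make sure the FORMAT check for 8, 16 or 32 (not visible in this hunk) runs before this point, since either form divides by zero for FORMAT 0. The `memset` here already covers `event.xclient.data.l`, so the uncleared-tail issue of the 22.1 code does not apply to this version.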
diff --git a/src/xterm.h b/src/xterm.h
index bc10043c54..db8d584781 100644
--- a/src/xterm.h
+++ b/src/xterm.h
@@ -1207,6 +1207,7 @@ x_mutable_colormap (Visual *visual)
 extern void x_fill_property_data (Display *,
                                   Lisp_Object,
                                   void *,
+				  int,
                                   int);
 extern Lisp_Object x_property_data_to_lisp (struct frame *,
                                             const unsigned char *,

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

* bug#23482: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482).
From: Kalle Olavi Niemitalo @ 2020-08-18  7:13 UTC
  To: Lars Ingebrigtsen; +Cc: 23482

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Kalle Olavi Niemitalo <kon@iki.fi> writes:
>
>> This patch is for Emacs 22.1 and includes the prominent notices
>> required by clause 2a of GPLv2. 
>
> I'm not sure what that means?

The paragraph refers to this comment, which I added to the
"modified files" src/xterm.h and src/xselect.c in my fork and
included in the patch:

/* Modified on 2016-05-08 by Kalle Olavi Niemitalo.  */


* bug#23482: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482).
From: Lars Ingebrigtsen @ 2020-08-18 15:01 UTC
  To: Kalle Olavi Niemitalo; +Cc: 23482

Kalle Olavi Niemitalo <kon@iki.fi> writes:

>>> This patch is for Emacs 22.1 and includes the prominent notices
>>> required by clause 2a of GPLv2. 
>>
>> I'm not sure what that means?
>
> The paragraph refers to this comment, which I added to the
> "modified files" src/xterm.h and src/xselect.c in my fork and
> included in the patch:
>
> /* Modified on 2016-05-08 by Kalle Olavi Niemitalo.  */

OK, I see.

Anyway, thanks for the patch, I'm applying it to Emacs 28.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no