From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#68421: Possible use after free in w32notify.c
Date: Sat, 13 Jan 2024 01:49:36 -0600
To: 68421@debbugs.gnu.org
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Could someone familiar with w32notify.c look over the attached patch?
It looks like we are trying to dereference NULL in add_watch, and
returning an already freed value from start_watching.

Attachment w32notify-ub.diff (text/x-diff):

diff --git a/src/w32notify.c b/src/w32notify.c
index 9f8a62a1daa..c93e8796fe2 100644
--- a/src/w32notify.c
+++ b/src/w32notify.c
@@ -350,6 +350,7 @@ start_watching (const char *file, HANDLE hdir, BOOL subdirs, DWORD flags)
       xfree (dirwatch->io_info);
      xfree (dirwatch->watchee);
      xfree (dirwatch);
+      return NULL;
     }
   return dirwatch;
 }
@@ -412,10 +413,7 @@ add_watch (const char *parent_dir, const char *file, BOOL subdirs, DWORD flags)
     return NULL;
 
   if ((dirwatch = start_watching (file, hdir, subdirs, flags)) == NULL)
-    {
-      CloseHandle (hdir);
-      dirwatch->dir = NULL;
-    }
+    CloseHandle (hdir);
 
   return dirwatch;
 }
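Review bot: the added `return NULL;` after `xfree (dirwatch);` in the start_watching hunk is the whole fix for the use-after-free: without it control falls through to `return dirwatch;` and the caller receives a pointer that was freed three lines earlier. The new line also changes the function's contract, since as far as the visible lines show start_watching could not previously return NULL at all, so every caller now needs a NULL check; add_watch is adjusted in the second hunk, but any other callers in w32notify.c are not shown here and should be audited in the same change. A short comment on the failure branch stating that NULL is returned on failure would make the new contract explicit for the next reader.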
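Review bot: removing `dirwatch->dir = NULL;` from the add_watch hunk is correct because that statement sits inside the branch that has just established `dirwatch == NULL`, so it was a guaranteed NULL dereference as soon as start_watching actually returned NULL. The surviving `CloseHandle (hdir);` assumes that start_watching does not close hdir itself on its failure path; the cleanup visible in the first hunk frees only io_info, watchee and the struct, which is consistent with the caller owning the handle, but please confirm nothing earlier in start_watching closes it, since a second CloseHandle on an already-closed handle is a handle-reuse bug on Windows. The commit message should also say that this error path was previously unreachable (the NULL check could not trigger while start_watching returned the freed pointer), because that explains why the dereference went unnoticed.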