From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Gerd =?UTF-8?Q?M=C3=B6llmann?= <gerd.moellmann@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#56108: 29.0.50; ASAN use-after-free in re_match_2_internal
Date: Mon, 20 Jun 2022 16:07:55 +0200
Message-ID: <m235fz5sxw.fsf@Mini.fritz.box>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="14336"; mail-complaints-to="usenet@ciao.gmane.io"
To: 56108@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Mon Jun 20 16:10:17 2022
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1o3I6a-0003Zx-Pc
	for geb-bug-gnu-emacs@m.gmane-mx.org; Mon, 20 Jun 2022 16:10:16 +0200
Original-Received: from localhost ([::1]:58290 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1o3I6Z-00080H-5D
	for geb-bug-gnu-emacs@m.gmane-mx.org; Mon, 20 Jun 2022 10:10:15 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:43302)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1o3I6M-0007wD-GB
 for bug-gnu-emacs@gnu.org; Mon, 20 Jun 2022 10:10:02 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:35959)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1o3I6M-0007Jm-4h
 for bug-gnu-emacs@gnu.org; Mon, 20 Jun 2022 10:10:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1o3I6L-0004Y7-R7
 for bug-gnu-emacs@gnu.org; Mon, 20 Jun 2022 10:10:01 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Gerd =?UTF-8?Q?M=C3=B6llmann?= <gerd.moellmann@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Mon, 20 Jun 2022 14:10:01 +0000
Resent-Message-ID: <handler.56108.B.165573414317414@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 56108
X-GNU-PR-Package: emacs
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
Original-Received: via spool by submit@debbugs.gnu.org id=B.165573414317414
 (code B ref -1); Mon, 20 Jun 2022 14:10:01 +0000
Original-Received: (at submit) by debbugs.gnu.org; 20 Jun 2022 14:09:03 +0000
Original-Received: from localhost ([127.0.0.1]:58089 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1o3I5P-0004Wo-Br
 for submit@debbugs.gnu.org; Mon, 20 Jun 2022 10:09:03 -0400
Original-Received: from lists.gnu.org ([209.51.188.17]:33048)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <gerd.moellmann@gmail.com>) id 1o3I5L-0004WO-V3
 for submit@debbugs.gnu.org; Mon, 20 Jun 2022 10:09:02 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:43218)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <gerd.moellmann@gmail.com>)
 id 1o3I5L-00050u-PM
 for bug-gnu-emacs@gnu.org; Mon, 20 Jun 2022 10:08:59 -0400
Original-Received: from mail-ej1-x629.google.com ([2a00:1450:4864:20::629]:42975)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <gerd.moellmann@gmail.com>)
 id 1o3I5K-0007Fp-0k
 for bug-gnu-emacs@gnu.org; Mon, 20 Jun 2022 10:08:59 -0400
Original-Received: by mail-ej1-x629.google.com with SMTP id g25so21339080ejh.9
 for <bug-gnu-emacs@gnu.org>; Mon, 20 Jun 2022 07:08:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; 
 h=from:to:subject:date:message-id:mime-version;
 bh=3jr9eQgGBlsgrSd+eUqa43yXP8ZBlnwbDwBnCJZBFo8=;
 b=i8Blp/NK0AzqxNcbEE9VOF7UoSDLw89IX5OIkCCaPOM7SpzmLiPkTgEZLYHL6b0RV9
 w66uOt/XHOzm8ZuH6rtw7Jc+2c77nIz2EVVE5l6g1NgKFV9NT49ZHKLS9+jr/852ne+i
 vwl5yIotmrDvtkYJN0cZL3FzjJODOtj1x63skbHYTnjzTqdy3j3KFRzC7lEfF2Z13G9R
 G8eciw0X4YU8sewzX9znKxdCzyvGh+/GTMYoPbKedHLCN7FTrGOWzXK3g/zmrXc9Y9/P
 MhJN/F2fzQgFeebaS1U1wAacKKblmjF1CW1XpncDY/nhZuPkzwMwvSdZVOniVlzE04NG
 X+2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:to:subject:date:message-id:mime-version;
 bh=3jr9eQgGBlsgrSd+eUqa43yXP8ZBlnwbDwBnCJZBFo8=;
 b=qwWeMswjAElQVogHVII7R2m3W68xOg4LtJ6Mwr0CZAA1OyEZOsI90E15GK3D1mK6QE
 mtvEPP10mk+JZApwSmtEKty5CYftiz9C2Kv85bImDWsjwCbCuMqaasS/7hAnBapVBDIG
 y3YwayvTRT8ljCGvjoI1shlkZyfetgibklz4fP3puBOdUH3Inlf0YlK56qwkrUcMzgd4
 IhgAwUezbgYwbUn/jwLmjH7N+j4BhhED36VdsqJNWYKaJfBXZVoUK1PXo1L+4y8azSSE
 pujs/yIgG4zMa2SPNjiVr44x3YQB1IAS2kOUlPvWOiAsnh1iPL/vWDUa6Nrn0SQPMmRM
 /A+g==
X-Gm-Message-State: AJIora/n03iDLjbAeKyBfkBH+oQmlejtJy4h1CNN7CdwcmNmDEkAPmCE
 VqxDiZ6G+7cJ/P0pl5dVUDk4kuveI5yYBw==
X-Google-Smtp-Source: AGRyM1vcXUkJmzzZYC+EK0W5nVIXXEJNuf+QpUZfx2QFutqiDMY/UC1UFVAwCF8pWiqkBVZ3YiyJaA==
X-Received: by 2002:a17:907:1c0b:b0:711:cc52:2920 with SMTP id
 nc11-20020a1709071c0b00b00711cc522920mr21903387ejc.301.1655734135871; 
 Mon, 20 Jun 2022 07:08:55 -0700 (PDT)
Original-Received: from Mini.fritz.box (pd9e3670e.dip0.t-ipconnect.de. [217.227.103.14])
 by smtp.gmail.com with ESMTPSA id
 o15-20020a170906768f00b00722dc6c2e2dsm255943ejm.67.2022.06.20.07.08.53
 for <bug-gnu-emacs@gnu.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 20 Jun 2022 07:08:55 -0700 (PDT)
Received-SPF: pass client-ip=2a00:1450:4864:20::629;
 envelope-from=gerd.moellmann@gmail.com; helo=mail-ej1-x629.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, 
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:234899
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/234899>

FWIW, here is another non-reproducible crash with ASAN.

In short, shrink_regexp_cache realloc'd something leading to a malloc +
free, and something is still holding a pointer the old memory.  Or so it
looks to me.

=22069==ERROR: AddressSanitizer: heap-use-after-free on address 0x000105b493a5 at pc 0x00010057549c bp 0x00016fde0b90 sp 0x00016fde0b88
READ of size 1 at 0x000105b493a5 thread T0
    #0 0x100575498 in re_match_2_internal regex-emacs.c:5021
    #1 0x100568c38 in rpl_re_search_2 regex-emacs.c:3382
    #2 0x1005678c4 in rpl_re_search regex-emacs.c:3176
    #3 0x10054cc68 in fast_string_match_internal search.c:489
    #4 0x1004f20b0 in fast_string_match lisp.h:4747
    #5 0x1004f1b28 in Ffind_file_name_handler fileio.c:324
    #6 0x1004f82d4 in Fexpand_file_name fileio.c:1018
    #7 0x1006ddc50 in openp lread.c:1849
    #8 0x1006dae98 in Fload lread.c:1312
    #9 0x1006e3c64 in save_match_data_load lread.c:1641
    #10 0x1006408d0 in load_with_autoload_queue eval.c:2245
    #11 0x100677534 in Frequire fns.c:3146

0x000105b493a5 is located 293 bytes inside of 558-byte region [0x000105b49280,0x000105b494ae)
freed by thread T0 here:
    #0 0x1031c7ddc in wrap_realloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fddc)
    #1 0x100598388 in lrealloc alloc.c:1376
    #2 0x1005982c4 in xrealloc alloc.c:790
    #3 0x10054a490 in shrink_regexp_cache search.c:150
    #4 0x1005aaeb0 in garbage_collect alloc.c:6172
    #5 0x1005aa6cc in maybe_garbage_collect alloc.c:6088
    #6 0x1006416c0 in maybe_gc lisp.h:5548
    #7 0x10063a99c in Ffuncall eval.c:2948
    #8 0x10064a144 in funcall_nil eval.c:2635
    #9 0x10064a0b4 in run_hook_with_args eval.c:2812
    #10 0x100649b84 in Frun_hook_with_args eval.c:2677
    #11 0x100649ad0 in run_hook eval.c:2825
    #12 0x1004da650 in signal_before_change insdel.c:2155
    #13 0x1004d9c40 in prepare_to_modify_buffer_1 insdel.c:2009
    #14 0x1004c810c in prepare_to_modify_buffer insdel.c:2020
    #15 0x1005081ec in Finsert_file_contents fileio.c:4601
    #16 0x10064b758 in funcall_subr eval.c:2999
    #17 0x10072fa40 in exec_byte_code bytecode.c:809
    #18 0x10065361c in fetch_and_exec_byte_code eval.c:3040
    #19 0x10064c344 in funcall_lambda eval.c:3112
    #20 0x10064ac18 in funcall_general eval.c:2903
    #21 0x10063aa70 in Ffuncall eval.c:2953
    #22 0x100643c0c in Fapply eval.c:2577
    #23 0x10064bde0 in funcall_subr eval.c:3018
    #24 0x10072fa40 in exec_byte_code bytecode.c:809
    #25 0x10065361c in fetch_and_exec_byte_code eval.c:3040
    #26 0x10064c344 in funcall_lambda eval.c:3112
    #27 0x1006437c0 in apply_lambda eval.c:3062
    #28 0x100633734 in eval_sub eval.c:2503
    #29 0x100640ef8 in Feval eval.c:2314

previously allocated by thread T0 here:
    #0 0x1031c7ddc in wrap_realloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fddc)
    #1 0x100598388 in lrealloc alloc.c:1376
    #2 0x1005982c4 in xrealloc alloc.c:790
    #3 0x10054a490 in shrink_regexp_cache search.c:150