Avoiding arbitrary code execution with macroexpansion

unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed

* Avoiding arbitrary code execution with macroexpansion
@ 2018-08-15 21:52 Wilfred Hughes
  2018-08-16 20:52 ` Paul Eggert
  2018-08-20  3:04 ` Richard Stallman
  0 siblings, 2 replies; 5+ messages in thread
From: Wilfred Hughes @ 2018-08-15 21:52 UTC (permalink / raw)
  To: emacs-devel

Hi emacs-devel

Today I realised that macroexpand-all isn't safe to call on arbitrary elisp:

(macroexpand-all '(eval-when-compile (debug)))

Using a macro that calls eval, such as eval-when-compile,
eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
too), means anything can happen at macroexpansion time.

Unfortunately, some emacs packages assume this is a safe thing to do.
I used to think so, because macroexpand-all only executes macros that
are loaded (and therefore trusted) in the current Emacs instance.
Macros that eval code break this.

Even elisp-mode.el assumes this:

(let ((fooo (eval-when-compile (progn (debug)))))
  foo ;; <- put point here and M-x completion-at-point
  )

This means that I can get arbitrary code execution by you opening and
calling code completion a maliciously crafted elisp file!

Is this a security bug in Emacs?

In any case, is there a safe way to do macroexpansion? The best I can
think of is this:

(let ((macro-whitelist '(when pcase))
      all-macros
      safe-env)
  (mapatoms
   (lambda (sym)
     (when (macrop sym)
       (push sym all-macros))))
  (mapc
   (lambda (sym)
     (unless (memq sym macro-whitelist)
       (push (cons sym (symbol-function 'ignore))
             safe-env)))
   all-macros)

  (macroexpand-all
   arbitrary-form-here
   safe-env))

Thanks
Wilfred

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Avoiding arbitrary code execution with macroexpansion
  2018-08-15 21:52 Avoiding arbitrary code execution with macroexpansion Wilfred Hughes
@ 2018-08-16 20:52 ` Paul Eggert
  2018-08-20  3:04 ` Richard Stallman
  1 sibling, 0 replies; 5+ messages in thread
From: Paul Eggert @ 2018-08-16 20:52 UTC (permalink / raw)
  To: Wilfred Hughes, emacs-devel

Wilfred Hughes wrote:
> This means that I can get arbitrary code execution by you opening and
> calling code completion a maliciously crafted elisp file!
> 
> Is this a security bug in Emacs?

Sounds like it. I suggest constructing a complete, self-contained and hopefully 
easy way to reproduce the problem with emacs -Q, and sending it in a bug report 
to bug-gnu-emacs@gnu.org. Thanks.



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Avoiding arbitrary code execution with macroexpansion
  2018-08-15 21:52 Avoiding arbitrary code execution with macroexpansion Wilfred Hughes
  2018-08-16 20:52 ` Paul Eggert
@ 2018-08-20  3:04 ` Richard Stallman
  2018-08-22  0:15   ` Wilfred Hughes
  1 sibling, 1 reply; 5+ messages in thread
From: Richard Stallman @ 2018-08-20  3:04 UTC (permalink / raw)
  To: Wilfred Hughes; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Using a macro that calls eval, such as eval-when-compile,
  > eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
  > too), means anything can happen at macroexpansion time.

Can we make macroexpand detect these cases and give an error?
It would have to do a codewalk on the macro definition,
but that is doable.

Perhaps doing an flet of eval and apply would work.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Avoiding arbitrary code execution with macroexpansion
  2018-08-20  3:04 ` Richard Stallman
@ 2018-08-22  0:15   ` Wilfred Hughes
  2018-08-22 23:57     ` Richard Stallman
  0 siblings, 1 reply; 5+ messages in thread
From: Wilfred Hughes @ 2018-08-22  0:15 UTC (permalink / raw)
  To: rms, Paul Eggert; +Cc: emacs-devel

> Sounds like it. I suggest constructing a complete, self-contained and hopefully easy way to reproduce
> the problem with emacs -Q, and sending it in a bug report to bug-gnu-emacs@gnu.org. Thanks.

Done, #32495.

> Perhaps doing an flet of eval and apply would work.

I tried that, but it would require using flet with every function that
can evaluate code directly (i.e. doesn't itself call eval). I'm not
sure of the full list. I tried this:

(cl-letf (((symbol-function 'eval) #'ignore)
          ((symbol-function 'eval-region) #'ignore)
          ((symbol-function 'eval-buffer) #'ignore)
          ((symbol-function 'backtrace-eval) #'ignore))
  (macroexpand-all some-arbitrary-form-here))

but I know this is missing a few functions, such as load and load-file.

On 20 August 2018 at 04:04, Richard Stallman <rms@gnu.org> wrote:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > Using a macro that calls eval, such as eval-when-compile,
>   > eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
>   > too), means anything can happen at macroexpansion time.
>
> Can we make macroexpand detect these cases and give an error?
> It would have to do a codewalk on the macro definition,
> but that is doable.
>
> Perhaps doing an flet of eval and apply would work.
>
>
> --
> Dr Richard Stallman
> President, Free Software Foundation (https://gnu.org, https://fsf.org)
> Internet Hall-of-Famer (https://internethalloffame.org)
>
>



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Avoiding arbitrary code execution with macroexpansion
  2018-08-22  0:15   ` Wilfred Hughes
@ 2018-08-22 23:57     ` Richard Stallman
  0 siblings, 0 replies; 5+ messages in thread
From: Richard Stallman @ 2018-08-22 23:57 UTC (permalink / raw)
  To: Wilfred Hughes; +Cc: eggert, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Perhaps we need a global variable to make it an error to call
any built-in functions that do evaluation.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2018-08-22 23:57 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-08-15 21:52 Avoiding arbitrary code execution with macroexpansion Wilfred Hughes
2018-08-16 20:52 ` Paul Eggert
2018-08-20  3:04 ` Richard Stallman
2018-08-22  0:15   ` Wilfred Hughes
2018-08-22 23:57     ` Richard Stallman

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).