From: Paul Eggert
Newsgroups: gmane.emacs.devel
Subject: Re: Preview: portable dumper
Date: Tue, 29 Nov 2016 14:01:35 -0800
Organization: UCLA Computer Science Department
To: Daniel Colascione
Cc: emacs-devel@gnu.org

On 11/29/2016 01:50 PM, Daniel Colascione wrote:

> * We do store function pointers in the dump, and an attacker could
> theoretically overwrite one of these to point where she wanted --- but
> with all PROT_EXEC code in the process being randomized, where would
> she point the function pointer that's under her control?

I'm more worried about the next level up. Although the dump is pure data to the machine, it's not pure data to Elisp. Since the dump would contain bytecodes, if attackers can alter the bytecodes then they can execute whatever Elisp code they want.
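
Added illustration, not part of the original message and not Emacs code: a toy bytecode interpreter in C showing the concern raised above, that an image holding no native code and no pointers can still change what the interpreter does. The opcodes, primitive names and image bytes are all constructed for this example.

```c
/* Toy stack VM; opcodes, primitives and image are constructed, not Emacs code. */
#include <stddef.h>
#include <string.h>

enum { OP_HALT, OP_PUSH, OP_ADD, OP_PRIM };

static int last_prim = -1;                 /* which primitive ran last */
static long prim_benign(long x)    { last_prim = 0; return x; }
static long prim_sensitive(long x) { last_prim = 1; return x; }  /* stub only */
static long (*const prims[])(long) = { prim_benign, prim_sensitive };
#define NPRIMS (sizeof prims / sizeof prims[0])

/* Interpret a byte image; 0 on success, -1 if the image is malformed. */
int run_image(const unsigned char *img, size_t len, long *result) {
    long stack[16];
    size_t sp = 0, pc = 0;
    while (pc < len) {
        switch (img[pc++]) {
        case OP_PUSH:                      /* operand is an immediate value */
            if (pc >= len || sp >= 16) return -1;
            stack[sp++] = img[pc++];
            break;
        case OP_ADD:
            if (sp < 2) return -1;
            sp--; stack[sp - 1] += stack[sp];
            break;
        case OP_PRIM:                      /* operand selects a primitive */
            if (pc >= len || sp < 1 || (size_t) img[pc] >= NPRIMS) return -1;
            stack[sp - 1] = prims[img[pc++]](stack[sp - 1]);
            break;
        case OP_HALT:
            if (sp != 1) return -1;
            *result = stack[0]; return 0;
        default: return -1;
        }
    }
    return -1;                             /* ran off the end without HALT */
}

/* Constructed image: push 2, push 3, add, call primitive 0, halt. */
static const unsigned char image[] =
    { OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_PRIM, 0, OP_HALT };

/* Run a copy of the image with one byte replaced (an offset past the end
   leaves it unchanged); return the primitive that ran, or -1 if rejected. */
int prim_after_edit(size_t offset, unsigned char value) {
    unsigned char copy[sizeof image]; long r;
    memcpy(copy, image, sizeof image);
    if (offset < sizeof copy) copy[offset] = value;
    last_prim = -1;
    return run_image(copy, sizeof copy, &r) == 0 ? last_prim : -1;
}
```

The image with byte 6 changed from 0 to 1 passes every bounds check in `run_image`, so well-formedness validation alone does not distinguish it from the original.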