* Avoiding arbitrary code execution with macroexpansion
@ 2018-08-15 21:52 Wilfred Hughes
2018-08-16 20:52 ` Paul Eggert
2018-08-20 3:04 ` Richard Stallman
0 siblings, 2 replies; 5+ messages in thread
From: Wilfred Hughes @ 2018-08-15 21:52 UTC (permalink / raw)
To: emacs-devel
Hi emacs-devel
Today I realised that macroexpand-all isn't safe to call on arbitrary elisp:
(macroexpand-all '(eval-when-compile (debug)))
Using a macro that calls eval, such as eval-when-compile,
eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
too), means anything can happen at macroexpansion time.
Unfortunately, some emacs packages assume this is a safe thing to do.
I used to think so, because macroexpand-all only executes macros that
are loaded (and therefore trusted) in the current Emacs instance.
Macros that eval code break this.
Even elisp-mode.el assumes this:
(let ((fooo (eval-when-compile (progn (debug)))))
foo ;; <- put point here and M-x completion-at-point
)
This means that I can get arbitrary code execution by you opening and
calling code completion a maliciously crafted elisp file!
Is this a security bug in Emacs?
In any case, is there a safe way to do macroexpansion? The best I can
think of is this:
(let ((macro-whitelist '(when pcase))
all-macros
safe-env)
(mapatoms
(lambda (sym)
(when (macrop sym)
(push sym all-macros))))
(mapc
(lambda (sym)
(unless (memq sym macro-whitelist)
(push (cons sym (symbol-function 'ignore))
safe-env)))
all-macros)
(macroexpand-all
arbitrary-form-here
safe-env))
Thanks
Wilfred
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Avoiding arbitrary code execution with macroexpansion
2018-08-15 21:52 Avoiding arbitrary code execution with macroexpansion Wilfred Hughes
@ 2018-08-16 20:52 ` Paul Eggert
2018-08-20 3:04 ` Richard Stallman
1 sibling, 0 replies; 5+ messages in thread
From: Paul Eggert @ 2018-08-16 20:52 UTC (permalink / raw)
To: Wilfred Hughes, emacs-devel
Wilfred Hughes wrote:
> This means that I can get arbitrary code execution by you opening and
> calling code completion a maliciously crafted elisp file!
>
> Is this a security bug in Emacs?
Sounds like it. I suggest constructing a complete, self-contained and hopefully
easy way to reproduce the problem with emacs -Q, and sending it in a bug report
to bug-gnu-emacs@gnu.org. Thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Avoiding arbitrary code execution with macroexpansion
2018-08-15 21:52 Avoiding arbitrary code execution with macroexpansion Wilfred Hughes
2018-08-16 20:52 ` Paul Eggert
@ 2018-08-20 3:04 ` Richard Stallman
2018-08-22 0:15 ` Wilfred Hughes
1 sibling, 1 reply; 5+ messages in thread
From: Richard Stallman @ 2018-08-20 3:04 UTC (permalink / raw)
To: Wilfred Hughes; +Cc: emacs-devel
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> Using a macro that calls eval, such as eval-when-compile,
> eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
> too), means anything can happen at macroexpansion time.
Can we make macroexpand detect these cases and give an error?
It would have to do a codewalk on the macro definition,
but that is doable.
Perhaps doing an flet of eval and apply would work.
--
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Avoiding arbitrary code execution with macroexpansion
2018-08-20 3:04 ` Richard Stallman
@ 2018-08-22 0:15 ` Wilfred Hughes
2018-08-22 23:57 ` Richard Stallman
0 siblings, 1 reply; 5+ messages in thread
From: Wilfred Hughes @ 2018-08-22 0:15 UTC (permalink / raw)
To: rms, Paul Eggert; +Cc: emacs-devel
> Sounds like it. I suggest constructing a complete, self-contained and hopefully easy way to reproduce
> the problem with emacs -Q, and sending it in a bug report to bug-gnu-emacs@gnu.org. Thanks.
Done, #32495.
> Perhaps doing an flet of eval and apply would work.
I tried that, but it would require using flet with every function that
can evaluate code directly (i.e. doesn't itself call eval). I'm not
sure of the full list. I tried this:
(cl-letf (((symbol-function 'eval) #'ignore)
((symbol-function 'eval-region) #'ignore)
((symbol-function 'eval-buffer) #'ignore)
((symbol-function 'backtrace-eval) #'ignore))
(macroexpand-all some-arbitrary-form-here))
but I know this is missing a few functions, such as load and load-file.
On 20 August 2018 at 04:04, Richard Stallman <rms@gnu.org> wrote:
> [[[ To any NSA and FBI agents reading my email: please consider ]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> > Using a macro that calls eval, such as eval-when-compile,
> > eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
> > too), means anything can happen at macroexpansion time.
>
> Can we make macroexpand detect these cases and give an error?
> It would have to do a codewalk on the macro definition,
> but that is doable.
>
> Perhaps doing an flet of eval and apply would work.
>
>
> --
> Dr Richard Stallman
> President, Free Software Foundation (https://gnu.org, https://fsf.org)
> Internet Hall-of-Famer (https://internethalloffame.org)
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Avoiding arbitrary code execution with macroexpansion
2018-08-22 0:15 ` Wilfred Hughes
@ 2018-08-22 23:57 ` Richard Stallman
0 siblings, 0 replies; 5+ messages in thread
From: Richard Stallman @ 2018-08-22 23:57 UTC (permalink / raw)
To: Wilfred Hughes; +Cc: eggert, emacs-devel
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
Perhaps we need a global variable to make it an error to call
any built-in functions that do evaluation.
--
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-08-22 23:57 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-08-15 21:52 Avoiding arbitrary code execution with macroexpansion Wilfred Hughes
2018-08-16 20:52 ` Paul Eggert
2018-08-20 3:04 ` Richard Stallman
2018-08-22 0:15 ` Wilfred Hughes
2018-08-22 23:57 ` Richard Stallman
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.