From: Bruno Haible
Newsgroups: gmane.emacs.bugs
Subject: bug#62039: Emacs crashes while parsing a long Emacs Lisp string
Date: Tue, 07 Mar 2023 22:51:58 +0100
Message-ID: <5401235.PpUMLH0tvb@nimes>
To: 62039@debbugs.gnu.org

When parsing a particular long Emacs Lisp string, Emacs crashes.

How to reproduce:
$ emacs -Q -batch -f batch-byte-compile foo.el
Segmentation fault

Find attached the compressed file foo.el.

Emacs version: 27.1
Platform: x86_64-linux-gnu
$ ulimit -a | grep stack
stack size              (kbytes, -s) 8192

According to the documentation
https://www.gnu.org/software/emacs/manual/html_node/emacs/Bug-Criteria.html
any segmentation fault is a bug.

I haven't analyzed the security impact of this bug, but it is quite possible
that emacs receives a string through the network, and even though the string
is not meant to be evaluated, simply parsing it causes a denial-of-service to
the emacs user.

The cause of the bug is that in emacs/src/lread.c the function read_escape()
is recursive, and no bound on the recursion depth is enforced.

Attachment: foo.el.gz (application/gzip)
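
Added example, not part of the original report and not taken from emacs/src/lread.c: a simplified recursive escape reader in C that enforces the kind of recursion-depth bound the report says is missing. The grammar, the names read_escape_bounded, parse_escape and parse_nested_sample, the modifier bit values and the limit of 64 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_ESCAPE_DEPTH 64   /* assumed limit for this example */
#define MOD_CTRL (1 << 26)    /* toy modifier bits */
#define MOD_META (1 << 27)
#define ESC_ERROR (-1)
struct cursor { const char *p, *end; };

static int next_byte(struct cursor *c) {
    return c->p < c->end ? (unsigned char)*c->p++ : ESC_ERROR;
}

/* Parse the text after a backslash. Simplified grammar:
     escape := "M-" item | "C-" item | "^" item | any-byte
     item   := "\" escape | any-byte
   Every nested "\" costs a C stack frame, so depth is checked first. */
static int read_escape_bounded(struct cursor *c, int depth) {
    if (depth > MAX_ESCAPE_DEPTH) return ESC_ERROR;  /* refuse, don't recurse */
    int ch = next_byte(c), mod = 0;
    if (ch == 'M' || ch == 'C') {
        mod = (ch == 'M') ? MOD_META : MOD_CTRL;
        if (next_byte(c) != '-') return ESC_ERROR;
    } else if (ch == '^') {
        mod = MOD_CTRL;
    } else {
        return ch;               /* plain escaped byte, or ESC_ERROR at end */
    }
    int item = next_byte(c);
    if (item == '\\') item = read_escape_bounded(c, depth + 1);
    return item == ESC_ERROR ? ESC_ERROR : (item | mod);
}

int parse_escape(const char *s, size_t len) {
    struct cursor c = { s, s + len };
    return next_byte(&c) == '\\' ? read_escape_bounded(&c, 1) : ESC_ERROR;
}

/* Constructed sample input: `levels` nested "\^" prefixes around 'a'. */
int parse_nested_sample(int levels) {
    char buf[2 * 256 + 1];
    size_t n = 0;
    if (levels < 1 || levels > 256) return ESC_ERROR;
    for (int i = 0; i < levels; i++) { buf[n++] = '\\'; buf[n++] = '^'; }
    buf[n++] = 'a';
    return parse_escape(buf, n);
}

int main(void) {
    printf("%d %d\n", parse_nested_sample(64) != ESC_ERROR, parse_nested_sample(65) != ESC_ERROR);
    return 0;
}
```

With the guard, input nested deeper than the limit is rejected as a parse error, so stack use is bounded by the limit rather than by the length of the input.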