From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 12:09:19 +0300
Message-ID: <83a5ywwcow.fsf@gnu.org>
References: <40-63e3c600-3-2d802d00@111202636> <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@eu-central-1.amazonses.com> <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> <83mt2wwi0y.fsf@gnu.org> <87v8hkctlc.fsf@yahoo.com> <83fs8owg3r.fsf@gnu.org> <87r0s8cq6c.fsf@yahoo.com>
In-Reply-To: <87r0s8cq6c.fsf@yahoo.com> (message from Po Lu on Tue, 25 Apr 2023 16:38:19 +0800)
To: Po Lu
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.io gmane.emacs.bugs:260606

> From: Po Lu
> Cc: fuo@fuo.fi, 63063@debbugs.gnu.org
> Date: Tue, 25 Apr 2023 16:38:19 +0800
>
> The protection fault is in `dump_do_emacs_relocation'.  When the dump
> file contains a relocation with an offset outside the heap:
>
>   lv = make_lisp_ptr (obj_ptr, reloc.length);
>   memcpy (emacs_ptr_at (reloc.emacs_offset), &lv, sizeof (lv));
>
> will end up copying outside the heap.

Thanks, but that seems to be unrelated to the code to which the OP
pointed.  Are you sure it's the same problem?

Also, writing outside of the process's address space will indeed cause
a protection fault and SIGSEGV, not a buffer-overflow type of problem
that can be exploited for executing some arbitrary code.  So I'm not
sure I see why this is a security issue.

emacs_ptr_at has this comment:

  /* TODO: assert somehow that the result is actually in the Emacs
     image.  */

Can we assure that in some reasonable way?  We have valid_pointer_p,
but that's too expensive, I think.
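The kind of cheap range check the emacs_ptr_at TODO asks for, as an added example that is not Emacs's pdumper code and not part of this thread. It models only the bounds problem raised above: a relocation table read from an untrusted dump file names an offset into the running image to patch and an offset into the dump heap to point at, and both must be checked before the memcpy. The names struct reloc, struct image, validate_reloc, apply_reloc and the 64-byte/32-byte fixture buffers are hypothetical; Emacs's real struct dump_reloc, make_lisp_ptr and emacs_ptr_at are not reproduced.

```c
/* Added example, not Emacs code: validate a dump relocation before
   patching.  All names here are hypothetical models of the problem.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct reloc
{
  size_t emacs_offset;  /* where in the running image to patch a pointer */
  size_t dump_offset;   /* what the pointer should refer to, in the dump heap */
};

struct image
{
  unsigned char *base;
  size_t size;
};

enum reloc_status
{
  RELOC_OK = 0,
  RELOC_BAD_TARGET,   /* emacs_offset + sizeof (void *) not inside the image */
  RELOC_MISALIGNED,   /* target is not pointer-aligned */
  RELOC_BAD_SOURCE    /* dump_offset not inside the dump heap */
};

/* Overflow-safe check that [off, off + len) lies inside [0, size).
   Two comparisons, so off + len can never wrap around.  */
static bool
range_in_bounds (size_t off, size_t len, size_t size)
{
  return off <= size && len <= size - off;
}

/* A few comparisons per relocation instead of valid_pointer_p.  */
enum reloc_status
validate_reloc (const struct reloc *r, const struct image *img,
                const struct image *heap)
{
  if (!range_in_bounds (r->emacs_offset, sizeof (void *), img->size))
    return RELOC_BAD_TARGET;
  if (r->emacs_offset % sizeof (void *) != 0)
    return RELOC_MISALIGNED;
  if (!range_in_bounds (r->dump_offset, 1, heap->size))
    return RELOC_BAD_SOURCE;
  return RELOC_OK;
}

/* Patch the pointer only after validation; a bad entry is reported,
   never written.  */
enum reloc_status
apply_reloc (const struct reloc *r, struct image *img,
             const struct image *heap)
{
  enum reloc_status st = validate_reloc (r, img, heap);
  if (st != RELOC_OK)
    return st;
  void *target = heap->base + r->dump_offset;
  memcpy (img->base + r->emacs_offset, &target, sizeof target);
  return RELOC_OK;
}

/* Constructed fixture: a 64-byte "image" and a 32-byte "dump heap".  */
static unsigned char image_buf[64];
static unsigned char heap_buf[32];

enum reloc_status
validate_example (size_t emacs_offset, size_t dump_offset)
{
  struct image img = { image_buf, sizeof image_buf };
  struct image heap = { heap_buf, sizeof heap_buf };
  struct reloc r = { emacs_offset, dump_offset };
  return validate_reloc (&r, &img, &heap);
}

/* Apply a constructed table with one valid and two hostile entries and
   return how many were rejected (expected: 2).  */
int
count_rejected_relocs (void)
{
  struct image img = { image_buf, sizeof image_buf };
  struct image heap = { heap_buf, sizeof heap_buf };
  struct reloc table[] = {
    { 8, 16 },                    /* valid */
    { sizeof image_buf - 1, 0 },  /* pointer would straddle the image end */
    { 0, SIZE_MAX },              /* source offset far outside the heap */
  };
  int rejected = 0;
  for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
    if (apply_reloc (&table[i], &img, &heap) != RELOC_OK)
      rejected++;
  return rejected;
}

/* Confirm the valid entry was patched to point at heap_buf + 16.  */
int
valid_reloc_writes_expected_pointer (void)
{
  struct image img = { image_buf, sizeof image_buf };
  struct image heap = { heap_buf, sizeof heap_buf };
  struct reloc r = { 8, 16 };
  if (apply_reloc (&r, &img, &heap) != RELOC_OK)
    return 0;
  void *written;
  memcpy (&written, image_buf + 8, sizeof written);
  return written == (void *) (heap_buf + 16);
}
```

The check is cheap because the loader already knows both extents (the image it is patching and the heap it mapped), so it is two bounded comparisons per entry rather than a walk of the process's mappings. One caveat worth keeping in mind when weighing the "just a SIGSEGV" argument: the offset comes from the dump file, and an offset that happens to land on memory that is mapped does not fault at all; it silently overwrites whatever lives there, so the range check is what turns that case into a clean rejection.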