From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Po Lu via "Bug reports for GNU Emacs, the Swiss army knife of text editors" Newsgroups: gmane.emacs.bugs Subject: bug#72245: [PATCH] Fix integer overflow when reading XPM Date: Tue, 23 Jul 2024 23:15:09 +0800 Message-ID: <877cdcxhqa.fsf@yahoo.com> References: <87frs0ydv6.fsf@yahoo.com> <87bk2oyavb.fsf@yahoo.com> Reply-To: Po Lu Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="32090"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Cc: 72245@debbugs.gnu.org To: Stefan Kangas Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Jul 23 17:16:29 2024 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1sWHFd-0008Fs-1V for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 23 Jul 2024 17:16:29 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sWHFG-0006Jl-EN; Tue, 23 Jul 2024 11:16:06 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sWHF8-00068m-EL for bug-gnu-emacs@gnu.org; Tue, 23 Jul 2024 11:15:58 -0400 Original-Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1sWHF7-0002GO-IY for bug-gnu-emacs@gnu.org; Tue, 23 Jul 2024 11:15:58 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1sWHFB-0007Ig-Re for bug-gnu-emacs@gnu.org; Tue, 23 Jul 2024 11:16:01 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Po Lu Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 23 Jul 2024 15:16:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 72245 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 72245-submit@debbugs.gnu.org id=B72245.172174773828024 (code B ref 72245); Tue, 23 Jul 2024 15:16:01 +0000 Original-Received: (at 72245) by debbugs.gnu.org; 23 Jul 2024 15:15:38 +0000 Original-Received: from localhost ([127.0.0.1]:60528 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sWHEo-0007Hw-E1 for submit@debbugs.gnu.org; Tue, 23 Jul 2024 11:15:38 -0400 Original-Received: from sonic305-21.consmr.mail.ne1.yahoo.com ([66.163.185.147]:35508) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sWHEj-0007HZ-Rb for 72245@debbugs.gnu.org; Tue, 23 Jul 2024 11:15:36 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1721747722; bh=hktThQCtT+ArXKNbgy5uiun40SttM2GVK6m8dgSQF1g=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From:Subject:Reply-To; b=uPPcrVRyphn4bz/Pmlcfh/pLhYrlkdSCOR7OHiakJOQJoqx6THm84XBJxUY5T2s2h7IMA2SraMIYEy7aI3aW15xrrM17p02Ie+n5JgncgiCSCAynEvMeB7qEOBmwkid1g+ktQ5w/HUtqTj9/XZvPu0dCuZ2E/cOrxMHf7ZSDoqfc5yg+VWDL/yzjobVoxCzSEsoHNJUYY0tazBIJze5aW5fRPjtZ1mUaAMsEoLe/mWyt+Q7TvY8Wv0HNbH4FfrDL6tVYQhybYydK6lylQkHVAsPR862yS31h+EsOLlRGLN5hHfnV4UVRyktBjKLaDu3MKLnRx0BFXy8Qaf/qvlssUQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1721747722; bh=m4eXZ2TKEgYT/LBM0dJPHfZ0v2rBUn9WCE6SLFPHaFt=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=Ym56KSCB9UG0zMXhvjXg+N5PyvetsBOQHHATJ0f333SfWEeKfgiWdhLpvaEcogVoulvfBgozHJNYw4EbZBy3Y99dYO5fA1kuwzOOoe6zdumreXSyrIj4az71aHDA4Y6zvGF/SFKx46+UjpHyZi3S3oDs+zCgEoNpFtrOK+419PqHpp2rH/ij6+smzKrcgGixr+SEvqqkyEiRFgKbbe9suFGq9Dhh16kC5BgV+2ZMMceFcCooX1ySI6VK+Cl9fFJHEBukFX+Bw8G1VrAMQ6/jGGzFGVMDJZQBgelUjKNLDfoeLPIDEmnj8Fl2EOFJLejFAKbfPzo/tYT//mJuJBfSKw== X-YMail-OSG: 126BLc4VM1lZImmUg6yj1.vdCI5Qudk1K62fh7E_8Ook6tJleNt5YRM6tm0ivmt w_dxfTG2XkT1RIueD85bS9zRbLFcBueaO6Lmk0XWMJVRMVxNpubWdHOT0lqh9gSoE56XBkSVGlF0 ZiHx5rzDi599Ng39ykwpXvW7iMU0LQMik9n.nrO7g4U3r_KuivTgSxzSFZQbDnmU2bgEUWTJFE2d _5MMdIo5iX3c37C.UBGGZxeMgv.G3oH_yvmz4gGTYyI8PCdW.D9hx4kSoxxn3f8VFeulu4RvnNFm xA35gc84zPSsW6cXMnJyjnCp.j6XCYzYboZUxsc2vvJlYEHZ8jah1LlLVVwMsP2YYMXtlMPS_8GU 466S1rTfwCT_po9ALLXRMxene1C38ON5IbjBxUY8dkYqE0rWUIRJnBj.205AwvCBkG68y_ysnya2 pFjyrMvcJ3eYKBk2KyX90B3.YkxsWPgbbkNLZoxPJuKLLIAXYKBTYMRPoic.U6K9e7R8kj1SdPDH lkaAzudwQyKSdYnXIbFnS_pHvd9xUv0IhdhYxXmh4wQfvw3WuVn7lVDOgO3Tx79FFFFDMDqWnJl. iCEdv7NLc1pdPtmqz6IP44Mp7xNwqJrXUPfmOO1R.lI9yI_5Ji.RRvV8v9O1QXvWoqvbMUCzPw1g AfL_4Og7WwynqQ4.wmyAtxWJ2s64ofblLm3WJnjW.vwSYQumy0OY9jkSHUAG.quLh5DQB6.aONIo gq_7mmEZk.iVJ6CkXoZg5hUu2.wxFCltulSQyDdskXexo4s.TH3346DvZpqzFuQVIYSCdTZ7_PCN JwhVZKb7_EIU3etKQAR0QDMVcJ_HQMwk3MpnB7jjoz X-Sonic-MF: X-Sonic-ID: 341fc01f-b108-41de-af3c-2db2411f8440 Original-Received: from sonic.gate.mail.ne1.yahoo.com by sonic305.consmr.mail.ne1.yahoo.com with HTTP; Tue, 23 Jul 2024 15:15:22 +0000 Original-Received: by hermes--production-sg3-85fdb5cfc8-46zq5 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 1060483d97207808731d269d32aa9883; Tue, 23 Jul 2024 15:15:19 +0000 (UTC) In-Reply-To: (Stefan Kangas's message of "Tue, 23 Jul 2024 07:51:29 -0700") X-Mailer: WebService/1.1.22501 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.bugs:289174 Archived-At: Stefan Kangas writes: > Po Lu writes: > >> I'm saying that there is nothing to be done. This change is needless, >> and the report should be closed, whatever opinions the security theater >> might hold on the matter. > > I wasn't the one that started a subthread about security. You did. > > The primary consideration here is correctness. Undefined behaviour is > generally undesirable, and is a source of both bugs and security issues > in the wild. This is not "security theater", but a fact. No amount of > handwaving or throwing expletives around will make it go away. Why don't you begin by deleteing the undefined behavior in mark_memory? By definition, after having executed undefined behavior once, all of the future behavior of a C program becomes undefined. For this reason alone, it is meaningless to speak of undefined behavior in Emacs, only whether specific behavior produces _actual_ crashes or corruption. > That said, since you are asking, we are indeed discussing security > sensitive code, that is executed without prompting, for example, when > users receive emails or browse the web. We are also discussing image > processing, an area that is notorious for the bugs and security issues > that tend to lurk in its many complexities. On the CWE-190 page that I > linked, there are several examples of integer overflow in image > processing that has lead to very real exploits. This is not some > academic issue. > > Whether or not anyone has demonstrated that Emacs can be exploited using > this vector frankly misses the point. Let's start with making Emacs > behave correctly and predictably in the face of invalid input. This > really is the bare minimum. Then we can discuss whether or not we have > more work to do, security implications, and all the rest of it. It behaves as correctly and predictably as it should: it does not crash. > XPM being a relatively simple format, I'm sure that this code can be > fully audited. I invite you to do so, and I'm hoping that this will > reveal that your faith in this code is well-founded. Meanwhile, I > reported an unrelated crash in XPM image processing in Bug#72255. > > Since we don't have an alternative patch, I will install the one I > proposed in the next couple of days. Thanks. It is correctly implemented as it stands. You are essentially proposing to have code that has not posed difficulties be needlessly complicated with ugly pedantic error-checking.