bug#63063: CVE-2021-36699 report - Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors

all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: Po Lu via "Bug reports for GNU Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
To: Eli Zaretskii <eliz@gnu.org>
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 18:55:40 +0800	[thread overview]
Message-ID: <87mt2wcjtf.fsf@yahoo.com> (raw)
In-Reply-To: <83a5ywwcow.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 12:09:19 +0300")

Eli Zaretskii <eliz@gnu.org> writes:

> Thanks, but that seems to be unrelated to the code to which the OP
> pointed.  Are you sure it's the same problem?

Yes: the debugger output isn't very clear because
`dump_make_lv_from_reloc' has been inlined.  Look at the program counter
in the ASAN report.

> Also, writing outside of the process's address space will indeed cause
> protection fault and SIGSEGV, not a buffer-overflow type of problem
> that can be exploited for executing some arbitrary code.  So I'm not
> sure I see why is this a security issue?

The invalid relocation could also point to an address that Emacs has
mapped, but outside any object, in which case AddressSanitizer will
report a buffer overflow.

In either case, this is not a security vulnerability: if you can make
the user load malformed dump files, you can make him load nefarious
executables as well.  It doesn't even qualify as a bug, since malformed
dump files can cause Emacs to crash in a myriad of other ways.

> emacs_ptr_at has this comment:
>
>   /* TODO: assert somehow that the result is actually in the Emacs
>      image.  */
>
> Can we assure that in some reasonable way?  We have valid_pointer_p,
> but that's too expensive, I think.

It's quite expensive.  Any such check should only be turned on
--with-checking.

next prev parent reply	other threads:[~2023-04-25 10:55 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <40-63e3c600-3-2d802d00@111202636>
     [not found] ` <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@eu-central-1.amazonses.com>
     [not found]   ` <bcb96279c47143f403f588dc3f020725029137bd.camel@josefsson.org>
2023-04-24 21:27     ` CVE-2021-36699 report fuomag9
2023-04-25  5:51       ` Po Lu
2023-04-25  7:13         ` Nicolas Martyanoff
2023-04-25  7:21           ` Po Lu
2023-04-25  7:53             ` bug#63063: " Eli Zaretskii
2023-04-25  7:53           ` Eli Zaretskii
2023-04-25  6:37       ` tomas
2023-04-25  7:11         ` Eli Zaretskii
2023-04-25  7:14       ` bug#63063: " Eli Zaretskii
2023-04-25  7:24         ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25  7:55           ` Eli Zaretskii
2023-04-25  8:38             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25  9:09               ` Eli Zaretskii
2023-04-25 10:55                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors [this message]
2023-04-25 11:51                   ` Eli Zaretskii
2023-04-25 12:26                     ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25 12:47                       ` Eli Zaretskii
2023-04-25 12:59                         ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25 13:06                           ` Eli Zaretskii
2023-04-25 13:18                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25 15:54                               ` lux
2023-04-25 16:01                                 ` Eli Zaretskii
2023-04-25 16:17                                   ` Robert Pluim
2023-04-25 16:37                                     ` lux
2023-04-26  1:28                     ` Richard Stallman
2023-04-25  8:45         ` fuomag9 via Bug reports for GNU Emacs, the Swiss army knife of text editors
2023-04-25  7:40       ` Yuri Khan
2023-04-25  7:57         ` bug#63063: " Eli Zaretskii

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87mt2wcjtf.fsf@yahoo.com \
    --to=bug-gnu-emacs@gnu.org \
    --cc=63063@debbugs.gnu.org \
    --cc=eliz@gnu.org \
    --cc=fuo@fuo.fi \
    --cc=luangruo@yahoo.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.