From: Kalle Olavi Niemitalo <kon@iki.fi>
To: 23482@debbugs.gnu.org
Subject: bug#23482: 24.4; stack buffer overflow in x-send-client-message
Date: Sun, 08 May 2016 15:27:34 +0300 [thread overview]
Message-ID: <87r3dcenux.fsf@Niukka.kon.iki.fi> (raw)
Start emacs -Q in X, copy the following form to the *scratch*
buffer, and press C-j to evaluate it. The process then crashes
and glibc reports "stack smashing detected".
(x-send-client-message nil nil nil "foo" 32 (make-list 100 0))
Although the docstring of x-send-client-message claims that
excessive values are ignored, they are actually copied to the
event.xclient.data buffer. This bug was caused in February 2004
when Fx_send_client_event was moved from xfns.c to xselect.c
and the x_fill_property_data function was added.
This does not seem a security vulnerability though, because Emacs
fully trusts Emacs Lisp code, and if some Emacs Lisp code sends
client messages based on untrusted data, then that's already a
bug of its own.
In my fork, I fixed this by adding a nelements_max parameter to
x_fill_property_data.
In GNU Emacs 24.4.1 (x86_64-pc-linux-gnu, GTK+ Version 3.14.5)
of 2015-03-07 on trouble, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11604000
System Description: Debian GNU/Linux 8.4 (jessie)
Configured using:
`configure --build x86_64-linux-gnu --prefix=/usr
--sharedstatedir=/var/lib --libexecdir=/usr/lib
--localstatedir=/var/lib --infodir=/usr/share/info
--mandir=/usr/share/man --with-pop=yes
--enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.4/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.4/site-lisp:/usr/share/emacs/site-lisp
--build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib
--libexecdir=/usr/lib --localstatedir=/var/lib
--infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes
--enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.4/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.4/site-lisp:/usr/share/emacs/site-lisp
--with-x=yes --with-x-toolkit=gtk3 --with-toolkit-scroll-bars
'CFLAGS=-g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wall' CPPFLAGS=-D_FORTIFY_SOURCE=2
LDFLAGS=-Wl,-z,relro'
Important settings:
value of $LANG: fi_FI.utf8
locale-coding-system: utf-8-unix
Major mode: Lisp Interaction
Minor modes in effect:
tooltip-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
Recent input:
M-x r e p o r t SPC e m a c s SPC b u g <return>
Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Load-path shadows:
None found.
Features:
(shadow sort gnus-util mail-extr emacsbug message format-spec rfc822 mml
easymenu mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums
mm-util help-fns mail-prsvr mail-utils time-date tooltip electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar
dnd fontset image regexp-opt fringe tabulated-list newcomment lisp-mode
prog-mode register page menu-bar rfn-eshadow timer select scroll-bar
mouse jit-lock font-lock syntax facemenu font-core frame cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev
minibuffer nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
dbusbind gfilenotify dynamic-setting system-font-setting
font-render-setting move-toolbar gtk x-toolkit x multi-tty emacs)
Memory information:
((conses 16 71460 7916)
(symbols 48 17673 0)
(miscs 40 38 113)
(strings 32 9157 4731)
(string-bytes 1 250735)
(vectors 16 8949)
(vector-slots 8 385259 16186)
(floats 8 63 68)
(intervals 56 255 50)
(buffers 960 11)
(heap 1024 40257 948))
next reply other threads:[~2016-05-08 12:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-08 12:27 Kalle Olavi Niemitalo [this message]
2016-05-10 5:43 ` bug#23482: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482) Kalle Olavi Niemitalo
2020-08-11 15:34 ` Lars Ingebrigtsen
2020-08-18 7:13 ` Kalle Olavi Niemitalo
2020-08-18 15:01 ` Lars Ingebrigtsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r3dcenux.fsf@Niukka.kon.iki.fi \
--to=kon@iki.fi \
--cc=23482@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.