From: Wilfred Hughes <me@wilfred.me.uk>
To: emacs-devel <emacs-devel@gnu.org>
Subject: Avoiding arbitrary code execution with macroexpansion
Date: Wed, 15 Aug 2018 22:52:04 +0100 [thread overview]
Message-ID: <CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com> (raw)
Hi emacs-devel
Today I realised that macroexpand-all isn't safe to call on arbitrary elisp:
(macroexpand-all '(eval-when-compile (debug)))
Using a macro that calls eval, such as eval-when-compile,
eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
too), means anything can happen at macroexpansion time.
Unfortunately, some emacs packages assume this is a safe thing to do.
I used to think so, because macroexpand-all only executes macros that
are loaded (and therefore trusted) in the current Emacs instance.
Macros that eval code break this.
Even elisp-mode.el assumes this:
(let ((fooo (eval-when-compile (progn (debug)))))
foo ;; <- put point here and M-x completion-at-point
)
This means that I can get arbitrary code execution by you opening and
calling code completion a maliciously crafted elisp file!
Is this a security bug in Emacs?
In any case, is there a safe way to do macroexpansion? The best I can
think of is this:
(let ((macro-whitelist '(when pcase))
all-macros
safe-env)
(mapatoms
(lambda (sym)
(when (macrop sym)
(push sym all-macros))))
(mapc
(lambda (sym)
(unless (memq sym macro-whitelist)
(push (cons sym (symbol-function 'ignore))
safe-env)))
all-macros)
(macroexpand-all
arbitrary-form-here
safe-env))
Thanks
Wilfred
next reply other threads:[~2018-08-15 21:52 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-15 21:52 Wilfred Hughes [this message]
2018-08-16 20:52 ` Avoiding arbitrary code execution with macroexpansion Paul Eggert
2018-08-20 3:04 ` Richard Stallman
2018-08-22 0:15 ` Wilfred Hughes
2018-08-22 23:57 ` Richard Stallman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com' \
--to=me@wilfred.me.uk \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.