From: Wilfred Hughes
Newsgroups: gmane.emacs.devel
Subject: Avoiding arbitrary code execution with macroexpansion
Date: Wed, 15 Aug 2018 22:52:04 +0100
To: emacs-devel

Hi emacs-devel

Today I realised that macroexpand-all isn't safe to call on arbitrary
elisp:

    (macroexpand-all '(eval-when-compile (debug)))

Using a macro that calls eval, such as eval-when-compile,
eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
too), means anything can happen at macroexpansion time.

Unfortunately, some Emacs packages assume this is a safe thing to do. I
used to think so, because macroexpand-all only executes macros that are
loaded (and therefore trusted) in the current Emacs instance. Macros
that eval code break this.

Even elisp-mode.el assumes this:

    (let ((fooo (eval-when-compile (progn (debug)))))
      foo ;; <- put point here and M-x completion-at-point
      )

This means that I can get arbitrary code execution by you opening a
maliciously crafted elisp file and calling code completion!

Is this a security bug in Emacs? In any case, is there a safe way to do
macroexpansion? The best I can think of is this:

    (let ((macro-whitelist '(when pcase))
          all-macros
          safe-env)
      ;; Collect every symbol currently defined as a macro.
      (mapatoms
       (lambda (sym)
         (when (macrop sym)
           (push sym all-macros))))
      ;; Shadow each macro outside the whitelist with `ignore', so that
      ;; it expands to nil instead of running its real expander.
      (mapc
       (lambda (sym)
         (unless (memq sym macro-whitelist)
           (push (cons sym (symbol-function 'ignore)) safe-env)))
       all-macros)
      (macroexpand-all arbitrary-form-here safe-env))

Thanks
Wilfred
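
Added example, not part of the original message: the allowlist idea above wrapped in a function, with a check that compares plain macroexpand-all against the allowlisted expansion using a harmless marker variable in place of (debug). All demo-* names are hypothetical, and the allowlist contents are the two macros used in the message.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; every demo-* name is hypothetical.
(require 'macroexp)

(defvar demo-expansion-ran-code nil
  "Marker set to t when code runs during macroexpansion (constructed).")

(defconst demo-macro-allowlist '(when pcase)
  "Macros that keep their real expanders; taken from the message above.")

(defun demo-safe-env (allowlist)
  "Return a macroexpand environment stubbing every macro not in ALLOWLIST."
  (let (env)
    (mapatoms
     (lambda (sym)
       (when (and (macrop sym) (not (memq sym allowlist)))
         ;; An entry (NAME . EXPANDER) overrides the global definition;
         ;; `ignore' makes the whole macro call expand to nil.
         (push (cons sym #'ignore) env))))
    env))

(defun demo-safe-macroexpand-all (form &optional allowlist)
  "Expand FORM, letting only macros in ALLOWLIST run their expanders."
  (macroexpand-all form (demo-safe-env (or allowlist demo-macro-allowlist))))

(defun demo-check ()
  "Return (UNSAFE-RAN . SAFE-RAN) for a constructed test form.
Each element records whether the marker was set during expansion."
  (let ((form '(when x
                 (eval-when-compile (setq demo-expansion-ran-code t))))
        unsafe-ran safe-ran)
    ;; Plain expansion: eval-when-compile evaluates its body immediately.
    (setq demo-expansion-ran-code nil)
    (macroexpand-all form)
    (setq unsafe-ran demo-expansion-ran-code)
    ;; Allowlisted expansion: eval-when-compile is stubbed, `when' is not.
    (setq demo-expansion-ran-code nil)
    (demo-safe-macroexpand-all form)
    (setq safe-ran demo-expansion-ran-code)
    (cons unsafe-ran safe-ran)))
```

Allowlisted macros still run their real expanders, so the list should contain only macros whose expanders do not evaluate their arguments.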