From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Wilfred Hughes <me@wilfred.me.uk>
Newsgroups: gmane.emacs.devel
Subject: Avoiding arbitrary code execution with macroexpansion
Date: Wed, 15 Aug 2018 22:52:04 +0100
Message-ID: <CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Trace: blaine.gmane.org 1534369834 24497 195.159.176.226 (15 Aug 2018 21:50:34 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Wed, 15 Aug 2018 21:50:34 +0000 (UTC)
To: emacs-devel <emacs-devel@gnu.org>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Aug 15 23:50:30 2018
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1fq3gS-0006D6-A5
	for ged-emacs-devel@m.gmane.org; Wed, 15 Aug 2018 23:50:28 +0200
Original-Received: from localhost ([::1]:52430 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1fq3iY-0008OR-Uy
	for ged-emacs-devel@m.gmane.org; Wed, 15 Aug 2018 17:52:38 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:59258)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <me@wilfred.me.uk>) id 1fq3iS-0008Ns-BH
	for emacs-devel@gnu.org; Wed, 15 Aug 2018 17:52:33 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <me@wilfred.me.uk>) id 1fq3iP-000078-6O
	for emacs-devel@gnu.org; Wed, 15 Aug 2018 17:52:32 -0400
Original-Received: from mail-qt0-x22d.google.com ([2607:f8b0:400d:c0d::22d]:42878)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <me@wilfred.me.uk>) id 1fq3iN-00006d-EY
	for emacs-devel@gnu.org; Wed, 15 Aug 2018 17:52:28 -0400
Original-Received: by mail-qt0-x22d.google.com with SMTP id z8-v6so2955290qto.9
	for <emacs-devel@gnu.org>; Wed, 15 Aug 2018 14:52:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=wilfred-me-uk.20150623.gappssmtp.com; s=20150623;
	h=mime-version:from:date:message-id:subject:to;
	bh=N9K9jjIKsGVjWicPWY8uMP0b2LmIQvfyKFD0jG34DEY=;
	b=EiIRMjTWngcyZvaiZ2lfhhGJEcrOCs2/hPB1+yZeXOQDMRSGACPjVA2vKAKKYN1/v4
	bFWe74R8xIyF+WbVnfK79335DxRuLZxKCCQG7xJjmydEIhdz1oxArbQmSadGtxOcvKOe
	xI2O6kvixTsNxSJSZLlc4hdEYOA+a5GpR8iMZI41F2v1fYsmFZbMZods+yJbGY+psWPW
	Y8Z6sJCt1No5MovdU6/stqIwBUq0R1TWGCFmonFQR02oqlnm271dazCE7N+3hFJa6yTs
	j7TomLlCvIGkhzXDdq9Q8sYmJqjuT7pm6hUjrmiKfettcxf3VPr3qwsXzrWv0/PxkOqk
	kuog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
	bh=N9K9jjIKsGVjWicPWY8uMP0b2LmIQvfyKFD0jG34DEY=;
	b=hnbtHV7B+rThO8RcUPRqWDOJgr5G7iZXFSYV7oPK1yISbMOD3aXRWKizbET1dV30SK
	FttTAPXrbH4vugf8Tv0i5fNMGLbWWgh1gkCMS7s53BEC2UBANAgjj8El3maWoaZz6BgY
	uY/9bUTXPLuxMt63zX/2mJR/TRIi8Et6L9+MJVPudCACU0vFCkfN++vjkb7gAnolfc1y
	cI2GJcK8/2RLyPeX/fjqhaKEt+WjzWaTMtt1YVE4QUdqcOI+Wezeg2IppbTpDghj1wcC
	A1YnGqqaIJlZdAQO70nKe2SgItF9lV21Cmg5LHMdmuOon127pjYVG7IdQnwMgHAQ+ooV
	oM7w==
X-Gm-Message-State: AOUpUlF2Pr9eSxqQ/ezPTbAoi6JnF4qWyuaPAY+tnacMOmTUjLjeq4QY
	tP/GTbFnEtIB3NyfUY2cL8AyY6cgw/+M07YMaa/4vQ6SDow=
X-Google-Smtp-Source: AA+uWPyb8dYXp9enmfJozwD1LnUaKXTfhWxGFMCSowKDb9mdGo0kZTdfONvwaGVe1Cq/PYzqfyHmFHLI9lgeuEMQMSI=
X-Received: by 2002:aed:3c55:: with SMTP id
	u21-v6mr27334318qte.198.1534369945392; 
	Wed, 15 Aug 2018 14:52:25 -0700 (PDT)
Original-Received: by 2002:aed:3981:0:0:0:0:0 with HTTP; Wed, 15 Aug 2018 14:52:04
	-0700 (PDT)
X-Originating-IP: [92.233.94.77]
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 2607:f8b0:400d:c0d::22d
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel/>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:228573
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/228573>

Hi emacs-devel

Today I realised that macroexpand-all isn't safe to call on arbitrary elisp:

(macroexpand-all '(eval-when-compile (debug)))

Using a macro that calls eval, such as eval-when-compile,
eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
too), means anything can happen at macroexpansion time.

Unfortunately, some emacs packages assume this is a safe thing to do.
I used to think so, because macroexpand-all only executes macros that
are loaded (and therefore trusted) in the current Emacs instance.
Macros that eval code break this.

Even elisp-mode.el assumes this:

(let ((fooo (eval-when-compile (progn (debug)))))
  foo ;; <- put point here and M-x completion-at-point
  )

This means that I can get arbitrary code execution by you opening and
calling code completion a maliciously crafted elisp file!

Is this a security bug in Emacs?

In any case, is there a safe way to do macroexpansion? The best I can
think of is this:

(let ((macro-whitelist '(when pcase))
      all-macros
      safe-env)
  (mapatoms
   (lambda (sym)
     (when (macrop sym)
       (push sym all-macros))))
  (mapc
   (lambda (sym)
     (unless (memq sym macro-whitelist)
       (push (cons sym (symbol-function 'ignore))
             safe-env)))
   all-macros)

  (macroexpand-all
   arbitrary-form-here
   safe-env))

Thanks
Wilfred