From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: YAMAMOTO Mitsuharu <mituharu@math.s.chiba-u.ac.jp>
Newsgroups: gmane.emacs.bugs
Subject: bug#20756: 25.0.50;
	struct selection_input_event data might be corrupted by assignments
	as another structure type
Date: Sun, 07 Jun 2015 17:13:31 +0900
Organization: Faculty of Science, Chiba University
Message-ID: <wlwpzggclw.wl%mituharu@math.s.chiba-u.ac.jp>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
X-Trace: ger.gmane.org 1433664865 11151 80.91.229.3 (7 Jun 2015 08:14:25 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sun, 7 Jun 2015 08:14:25 +0000 (UTC)
To: 20756@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sun Jun 07 10:14:12 2015
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Z1Vid-00020A-Kx
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 07 Jun 2015 10:14:11 +0200
Original-Received: from localhost ([::1]:53709 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Z1Vic-00006u-Ib
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 07 Jun 2015 04:14:10 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:45759)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Z1ViY-00006e-Sr
	for bug-gnu-emacs@gnu.org; Sun, 07 Jun 2015 04:14:08 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Z1ViU-0001PM-SC
	for bug-gnu-emacs@gnu.org; Sun, 07 Jun 2015 04:14:06 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:33719)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Z1ViU-0001P6-P6
	for bug-gnu-emacs@gnu.org; Sun, 07 Jun 2015 04:14:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Z1ViU-00015E-DQ
	for bug-gnu-emacs@gnu.org; Sun, 07 Jun 2015 04:14:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: YAMAMOTO Mitsuharu <mituharu@math.s.chiba-u.ac.jp>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sun, 07 Jun 2015 08:14:01 +0000
Resent-Message-ID: <handler.20756.B.14336648324140@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 20756
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
Original-Received: via spool by submit@debbugs.gnu.org id=B.14336648324140
	(code B ref -1); Sun, 07 Jun 2015 08:14:01 +0000
Original-Received: (at submit) by debbugs.gnu.org; 7 Jun 2015 08:13:52 +0000
Original-Received: from localhost ([127.0.0.1]:43694 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1Z1ViJ-00014h-DA
	for submit@debbugs.gnu.org; Sun, 07 Jun 2015 04:13:51 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:60421)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <mituharu@math.s.chiba-u.ac.jp>) id 1Z1ViF-00014P-Vc
	for submit@debbugs.gnu.org; Sun, 07 Jun 2015 04:13:49 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mituharu@math.s.chiba-u.ac.jp>) id 1Z1Vi9-0001Dv-F6
	for submit@debbugs.gnu.org; Sun, 07 Jun 2015 04:13:42 -0400
Original-Received: from lists.gnu.org ([2001:4830:134:3::11]:40103)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mituharu@math.s.chiba-u.ac.jp>) id 1Z1Vi9-0001Dn-Bm
	for submit@debbugs.gnu.org; Sun, 07 Jun 2015 04:13:41 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:45695)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mituharu@math.s.chiba-u.ac.jp>) id 1Z1Vi7-00005W-VZ
	for bug-gnu-emacs@gnu.org; Sun, 07 Jun 2015 04:13:41 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mituharu@math.s.chiba-u.ac.jp>) id 1Z1Vi4-0001Bi-Op
	for bug-gnu-emacs@gnu.org; Sun, 07 Jun 2015 04:13:39 -0400
Original-Received: from mathmail.math.s.chiba-u.ac.jp ([133.82.132.2]:52431)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mituharu@math.s.chiba-u.ac.jp>) id 1Z1Vi4-00019k-8f
	for bug-gnu-emacs@gnu.org; Sun, 07 Jun 2015 04:13:36 -0400
Original-Received: from fermat1.math.s.chiba-u.ac.jp (fermat [192.168.32.10])
	by mathmail.math.s.chiba-u.ac.jp (Postfix) with ESMTP id 6BA39C0566
	for <bug-gnu-emacs@gnu.org>; Sun,  7 Jun 2015 17:13:31 +0900 (JST)
User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.8
	(=?UTF-8?Q?Shij=C5=8D?=) APEL/10.6 Emacs/22.3 (sparc-sun-solaris2.8)
	MULE/5.0 (SAKAKI)
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
	(bad octet value).
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:103686
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/103686>

On X11, each element of `kbd_buffer' is implicitly used as a union of
two structure types: `struct input_event' (in termhooks.h) for general
use and `struct selection_input_event' (in xterm.h) for selection
events.  These types have different layouts, especially with respect
to paddings.  But elements of `kbd_buffer' are copied via assignments
for one structure type, `struct input_event', in several places in
keyboard.c.  For example,

  3685	/* Put an input event back in the head of the event queue.  */
  3686	
  3687	void
  3688	kbd_buffer_unget_event (register struct input_event *event)
  3689	{
  3690	  if (kbd_fetch_ptr == kbd_buffer)
  3691	    kbd_fetch_ptr = kbd_buffer + KBD_BUFFER_SIZE;
  3692	
  3693	  /* Don't let the very last slot in the buffer become full,  */
  3694	  if (kbd_fetch_ptr - 1 != kbd_store_ptr)
  3695	    {
  3696	      --kbd_fetch_ptr;
  3697	      *kbd_fetch_ptr = *event;
  3698	    }
  3699	}

This is problematic because structure copy via assignments may not
preserve the contents of the paddings in general, and they might
contain sensitive information for the other structure, `struct
selection_input_event'.

Actually, I can reproduce the crash with `C-w' on a 64-bit executable
compiled with the following version of llvm-gcc for OS X 10.7:

  i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.11.00)

The disassembly output below shows that 4 bytes from 12-byte offset
are not copied.  These correspond to a part of `dpyinfo' member in
`struct selection_input_event', and it gets corrupted.

_kbd_buffer_unget_event:
00000000000001d0	pushq	%rbp
00000000000001d1	movq	%rsp, %rbp
00000000000001d4	leaq	(%rip), %rax
00000000000001db	movq	(%rip), %rcx
00000000000001e2	cmpq	%rax, %rcx
00000000000001e5	jne	0x1f5
00000000000001e7	leaq	229376(%rip), %rcx
00000000000001ee	movq	%rcx, (%rip)
00000000000001f5	leaq	-56(%rcx), %rax
00000000000001f9	cmpq	(%rip), %rax
0000000000000200	je	0x242
0000000000000202	movq	%rax, (%rip)
0000000000000209	movl	(%rdi), %eax
000000000000020b	movl	%eax, -56(%rcx)
000000000000020e	movl	4(%rdi), %eax
0000000000000211	movl	%eax, -52(%rcx)
0000000000000214	movl	8(%rdi), %eax
0000000000000217	movl	%eax, -48(%rcx)
000000000000021a	movq	16(%rdi), %rax
000000000000021e	movq	%rax, -40(%rcx)
0000000000000222	movq	24(%rdi), %rax
0000000000000226	movq	%rax, -32(%rcx)
000000000000022a	movq	32(%rdi), %rax
000000000000022e	movq	%rax, -24(%rcx)
0000000000000232	movq	40(%rdi), %rax
0000000000000236	movq	%rax, -16(%rcx)
000000000000023a	movq	48(%rdi), %rax
000000000000023e	movq	%rax, -8(%rcx)
0000000000000242	popq	%rbp
0000000000000243	ret
0000000000000244	nopw	(%rax,%rax)
000000000000024a	nopw	(%rax,%rax)

				     YAMAMOTO Mitsuharu
				mituharu@math.s.chiba-u.ac.jp

In GNU Emacs 25.0.50.1 (x86_64-apple-darwin11.4.2, GTK+ Version 3.16.3)
 of 2015-06-07 on yamamoto-no-MacBook-Air.local
Windowing system distributor `The X.Org Foundation', version 11.0.11006000
Configured using:
 `configure LDFLAGS=-L/opt/local/lib CPPFLAGS=-I/opt/local/include'