From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Patrick Bernaud <patrickb@chez.com>
Newsgroups: gmane.lisp.guile.bugs
Subject: bug#12095: Protecting pointer on bytevector with guardian does not
	protect memory
Date: Mon, 30 Jul 2012 18:01:09 +0200
Message-ID: <20502.44997.295661.951990@vagabond.local>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="KBf2TRqmXu"
Content-Transfer-Encoding: 7bit
X-Trace: dough.gmane.org 1343666474 29992 80.91.229.3 (30 Jul 2012 16:41:14 GMT)
X-Complaints-To: usenet@dough.gmane.org
NNTP-Posting-Date: Mon, 30 Jul 2012 16:41:14 +0000 (UTC)
To: 12095@debbugs.gnu.org
Original-X-From: bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org Mon Jul 30 18:41:08 2012
Return-path: <bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org>
Envelope-to: guile-bugs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org>)
	id 1Svt1j-00006R-2h
	for guile-bugs@m.gmane.org; Mon, 30 Jul 2012 18:41:03 +0200
Original-Received: from localhost ([::1]:53161 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org>)
	id 1Svt1i-0002Ys-Ci
	for guile-bugs@m.gmane.org; Mon, 30 Jul 2012 12:41:02 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:42658)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Svt1b-0002Ib-77
	for bug-guile@gnu.org; Mon, 30 Jul 2012 12:40:56 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Svt1V-0006Zb-9f
	for bug-guile@gnu.org; Mon, 30 Jul 2012 12:40:55 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:41675)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Svt1U-0006ZC-FK
	for bug-guile@gnu.org; Mon, 30 Jul 2012 12:40:49 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.72)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Svt8T-0005JB-Qd
	for bug-guile@gnu.org; Mon, 30 Jul 2012 12:48:01 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Patrick Bernaud <patrickb@chez.com>
Original-Sender: debbugs-submit-bounces@debbugs.gnu.org
Resent-CC: bug-guile@gnu.org
Resent-Date: Mon, 30 Jul 2012 16:48:01 +0000
Resent-Message-ID: <handler.12095.B.134366682420298@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 12095
X-GNU-PR-Package: guile
X-GNU-PR-Keywords: 
X-Debbugs-Original-To: bug-guile@gnu.org
Original-Received: via spool by submit@debbugs.gnu.org id=B.134366682420298
	(code B ref -1); Mon, 30 Jul 2012 16:48:01 +0000
Original-Received: (at submit) by debbugs.gnu.org; 30 Jul 2012 16:47:04 +0000
Original-Received: from localhost ([127.0.0.1]:51216 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1Svt7W-0005HF-Un
	for submit@debbugs.gnu.org; Mon, 30 Jul 2012 12:47:04 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:34415)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <patrickb@nerim.net>) id 1SvsXK-0004OZ-J8
	for submit@debbugs.gnu.org; Mon, 30 Jul 2012 12:09:39 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <patrickb@nerim.net>) id 1SvsQJ-0008Qf-Md
	for submit@debbugs.gnu.org; Mon, 30 Jul 2012 12:02:24 -0400
Original-Received: from lists.gnu.org ([208.118.235.17]:60589)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <patrickb@nerim.net>) id 1SvsQJ-0008QY-Js
	for submit@debbugs.gnu.org; Mon, 30 Jul 2012 12:02:23 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:32862)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <patrickb@nerim.net>) id 1SvsQD-0001EZ-Ss
	for bug-guile@gnu.org; Mon, 30 Jul 2012 12:02:23 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <patrickb@nerim.net>) id 1SvsQ6-0008KK-0B
	for bug-guile@gnu.org; Mon, 30 Jul 2012 12:02:17 -0400
Original-Received: from smtp-101-monday.noc.nerim.net ([178.132.17.101]:43246
	helo=mallaury.nerim.net) by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <patrickb@nerim.net>) id 1SvsQ5-0008JV-Q9
	for bug-guile@gnu.org; Mon, 30 Jul 2012 12:02:09 -0400
Original-Received: from vagabond.local (chrstn.pck.nerim.net [213.41.144.149])
	by mallaury.nerim.net (Postfix) with ESMTPS id E21AA153417
	for <bug-guile@gnu.org>; Mon, 30 Jul 2012 18:02:01 +0200 (CEST)
Original-Received: from pat by vagabond.local with local (Exim 4.72)
	(envelope-from <patrickb@nerim.net>) id 1SvsP8-0005rp-6m
	for bug-guile@gnu.org; Mon, 30 Jul 2012 18:01:10 +0200
X-Mailer: VM 8.1.0 under 23.2.1 (i486-pc-linux-gnu)
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-Mailman-Approved-At: Mon, 30 Jul 2012 12:47:01 -0400
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2)
X-Received-From: 140.186.70.43
X-BeenThere: bug-guile@gnu.org
List-Id: "Bug reports for GUILE,
	GNU's Ubiquitous Extension Language" <bug-guile.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guile>,
	<mailto:bug-guile-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guile>
List-Post: <mailto:bug-guile@gnu.org>
List-Help: <mailto:bug-guile-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guile>,
	<mailto:bug-guile-request@gnu.org?subject=subscribe>
Errors-To: bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org
Original-Sender: bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.lisp.guile.bugs:6466
Archived-At: <http://permalink.gmane.org/gmane.lisp.guile.bugs/6466>


--KBf2TRqmXu
Content-Type: text/plain; charset=us-ascii
Content-Description: message body and .signature
Content-Transfer-Encoding: 7bit


The memory from a bytevector of which a pointer is taken (with
'bytevector->pointer') can be overwritten even if that pointer has
been put inside a guardian. 'make-c-struct' from (system foreign) is
using 'bytevector->pointer'.

With the test script attached:

$ guile -v | head -1
guile (GNU Guile) 2.0.6.8-cc26b9-dirty
$ guile --no-auto-compile -s test.scm
#<pointer 0x974648c>
#vu8(1 1 1 1 1 1 1 1 1 1)
#vu8(1 1 1 1 1 1 1 1 1 1)
#vu8(110 103 45 108 101 110 103 116 104 0)  <<<< memory overwrite with "ng-length\0" from module
#<pointer 0x974648c>
$

With auto compilation turned on, it looks like the problem can not be
reproduced.

-- 
Patrick Bernaud


--KBf2TRqmXu
Content-Type: application/octet-stream; name="test.scm"
Content-Disposition: attachment;
	filename="test.scm"
Content-Transfer-Encoding: base64

KHVzZS1tb2R1bGVzIChzeXN0ZW0gZm9yZWlnbikgKHJucnMgYnl0ZXZlY3RvcnMpKQooZGVmaW5l
IG15LWd1YXJkaWFuIChtYWtlLWd1YXJkaWFuKSkKKGRlZmluZSBsZW4gMTApCihkZWZpbmUgeCAo
Ynl0ZXZlY3Rvci0+cG9pbnRlciAobWFrZS1ieXRldmVjdG9yIGxlbiAxKSkpCihkZWZpbmUgYSAo
cG9pbnRlci1hZGRyZXNzIHgpKQooZGlzcGxheSB4KShuZXdsaW5lKQoobXktZ3VhcmRpYW4geCkK
OyhteS1ndWFyZGlhbiAocG9pbnRlci0+Ynl0ZXZlY3RvciB4IGxlbikpCihzZXQhIHggI2YpCih3
cml0ZSAocG9pbnRlci0+Ynl0ZXZlY3RvciAobWFrZS1wb2ludGVyIGEpIGxlbikpKG5ld2xpbmUp
CihnYykKKHdyaXRlIChwb2ludGVyLT5ieXRldmVjdG9yIChtYWtlLXBvaW50ZXIgYSkgbGVuKSko
bmV3bGluZSkKKHVzZS1tb2R1bGVzIChodG1scHJhZykpCih3cml0ZSAocG9pbnRlci0+Ynl0ZXZl
Y3RvciAobWFrZS1wb2ludGVyIGEpIGxlbikpKG5ld2xpbmUpCihkaXNwbGF5IChteS1ndWFyZGlh
bikpKG5ld2xpbmUpCg==
--KBf2TRqmXu--