GNU bug report logs - #11442
dbus uses Emacs integer as pointer, possible core dump


Package: emacs;

Reported by: Paul Eggert <eggert <at> cs.ucla.edu>

Date: Wed, 9 May 2012 15:24:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#11442; Package emacs. (Wed, 09 May 2012 15:24:02 GMT)

Acknowledgement sent to Paul Eggert <eggert <at> cs.ucla.edu>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Wed, 09 May 2012 15:24:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: bug-gnu-emacs <at> gnu.org
Cc: Michael Albinus <michael.albinus <at> gmx.de>
Subject: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 08:20:57 -0700
The trunk version of Emacs src/dbusbind.c contains a function
xd_get_connection_address that does this:

    connection = (DBusConnection *) (intptr_t) XFASTINT (val);

This converts an Emacs integer to a pointer without checking
that it is actually of the proper C type.  It is possible
for Lisp code to mistakenly put an integer there that will
cause Emacs to dump core.  Shouldn't this be made safe, so
that Lisp code can't do that?  For example, a DbusConnection *
could be made a proper Lisp pseudovector or misc type or
something like that.  The idea is to avoid a bad pointer
leaking into the C code.
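The hazard Paul describes, and one way to keep a bad pointer out of C, as an added C example. This is not Emacs code and not the fix that was committed (which, as Michael says later in the thread, simply stopped exporting dbus-registered-buses to Lisp); it goes a step further, in the direction of Paul's "proper Lisp type" suggestion, by letting the script layer hold only a small validated token while C keeps the real pointers. Connection, Fixnum, register_connection, safe_get_connection and unsafe_get_connection are stand-in names invented for this example; the only thing copied from the report is the shape of the cast.

```c
/* Added example (not Emacs code). Models the pattern reported in bug#11442:
   a script-level integer ("fixnum") is turned straight into a C pointer,
   and contrasts it with a handle table that validates before use.
   All names here are stand-ins, not the real Emacs or D-Bus API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for DBusConnection: an opaque object owned by C. */
typedef struct Connection { const char *name; int open; } Connection;

/* Stand-in for an Emacs fixnum. */
typedef intptr_t Fixnum;

/* --- The reported pattern: trust that the integer is a pointer.
   Any value the script layer puts here is dereferenced as-is. --- */
static Connection *unsafe_get_connection(Fixnum val)
{
    return (Connection *) (intptr_t) val;   /* no validation at all */
}

/* --- Hardened pattern: C owns the pointers, the script gets tokens.
   Token layout: low SLOT_BITS bits = slot index, upper bits = generation,
   so a token for a closed connection is rejected even if the slot is reused. --- */
#define MAX_CONN 8
#define SLOT_BITS 8
#define SLOT_MASK ((uintptr_t) ((1u << SLOT_BITS) - 1u))

static Connection *registry[MAX_CONN];
static uintptr_t generation[MAX_CONN];

/* Stores a pointer and returns its token, or -1 if the table is full.
   A token needs only a few bits, so it fits in a fixnum on any platform,
   unlike a raw pointer. */
static Fixnum register_connection(Connection *c)
{
    for (unsigned i = 0; i < MAX_CONN; i++) {
        if (registry[i] == NULL) {
            registry[i] = c;
            generation[i]++;
            return (Fixnum) ((generation[i] << SLOT_BITS) | i);
        }
    }
    return -1;
}

/* Validates slot range, occupancy and generation before handing back
   a pointer; returns NULL for any token C did not issue or has revoked.
   (A generation that overflows into the sign bit yields a negative token,
   which is also rejected.) */
static Connection *safe_get_connection(Fixnum tok)
{
    if (tok < 0)
        return NULL;
    unsigned slot = (unsigned) ((uintptr_t) tok & SLOT_MASK);
    uintptr_t gen = (uintptr_t) tok >> SLOT_BITS;
    if (slot >= MAX_CONN || registry[slot] == NULL || generation[slot] != gen)
        return NULL;
    return registry[slot];
}

/* Revokes a token; stale copies held by the script layer stop resolving. */
static void unregister_connection(Fixnum tok)
{
    if (safe_get_connection(tok) != NULL)
        registry[(unsigned) ((uintptr_t) tok & SLOT_MASK)] = NULL;
}

/* Walks one register / use / close / reuse cycle with a constructed
   connection. Returns 0 on success, otherwise the number of the failed step. */
int demo_handle_table(void)
{
    static Connection session = { "session-bus (constructed)", 1 };
    Fixnum tok = register_connection(&session);
    if (tok < 0)                                   return 1;
    if (safe_get_connection(tok) != &session)      return 2;
    if (safe_get_connection(-1) != NULL)           return 3;
    unregister_connection(tok);
    if (safe_get_connection(tok) != NULL)          return 4;  /* stale token */
    Fixnum tok2 = register_connection(&session);
    if (tok2 < 0 || tok2 == tok)                   return 5;  /* generation bumped */
    if (safe_get_connection(tok2) != &session)     return 6;
    unregister_connection(tok2);
    return 0;
}

int main(void)
{
    /* The unsafe path hands back a wild pointer for a bogus value;
       it is not dereferenced here, that would be the core dump. */
    printf("unsafe_get_connection(42) is %s\n",
           unsafe_get_connection(42) ? "non-NULL (wild pointer)" : "NULL");
    printf("safe_get_connection(42) is %s\n",
           safe_get_connection(42) ? "non-NULL" : "NULL (rejected)");
    printf("handle table demo: %d\n", demo_handle_table());
    return 0;
}
```

The generation counter is what makes this more than a bounds check: after a connection is closed and its slot reused, a token copied earlier by the script layer still fails validation instead of silently aliasing the new connection.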




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#11442; Package emacs. (Wed, 09 May 2012 15:39:02 GMT)

Message #8 received at 11442 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: 11442 <at> debbugs.gnu.org
Subject: Re: bug#11442: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 17:35:49 +0200
Paul Eggert <eggert <at> cs.ucla.edu> writes:

Hi Paul,

> The trunk version of Emacs src/dbusbind.c contains a function
> xd_get_connection_address that does this:
>
>     connection = (DBusConnection *) (intptr_t) XFASTINT (val);
>
> This converts an Emacs integer to a pointer without checking
> that it is actually of the proper C type.  It is possible
> for Lisp code to mistakenly put an integer there that will
> cause Emacs to dump core.

In general, I agree with you. In the given case, it is just a pointer
address which has been written in Fdbus_init_bus. No other place is
expected to write such an address, but since it is a Lisp object,
somebody could do so by mistake.

>  Shouldn't this be made safe, so that Lisp code can't do that?  For
> example, a DbusConnection * could be made a proper Lisp pseudovector
> or misc type or something like that.  The idea is to avoid a bad
> pointer leaking into the C code.

DbusConnection * is included by <dbus/dbus.h>; we cannot make it a
private type. But if there is something we could add as "glue type",
please do. I'm not so familiar with Emacs' internal type armors.

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#11442; Package emacs. (Wed, 09 May 2012 15:48:01 GMT)

Message #11 received at 11442 <at> debbugs.gnu.org:

From: Andreas Schwab <schwab <at> linux-m68k.org>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: 11442 <at> debbugs.gnu.org, Paul Eggert <eggert <at> cs.ucla.edu>
Subject: Re: bug#11442: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 17:45:19 +0200
Michael Albinus <michael.albinus <at> gmx.de> writes:

> Paul Eggert <eggert <at> cs.ucla.edu> writes:
>
> Hi Paul,
>
>> The trunk version of Emacs src/dbusbind.c contains a function
>> xd_get_connection_address that does this:
>>
>>     connection = (DBusConnection *) (intptr_t) XFASTINT (val);
>>
>> This converts an Emacs integer to a pointer without checking
>> that it is actually of the proper C type.  It is possible
>> for Lisp code to mistakenly put an integer there that will
>> cause Emacs to dump core.
>
> In general, I agree with you. In the given case, it is just a pointer
> address which has been written in Fdbus_init_bus. No other place is
> expected to write such an address, but since it is a Lisp object,
> somebody could do by mistake.

Why is Vdbus_registered_buses exported to lisp?

Andreas.

-- 
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#11442; Package emacs. (Wed, 09 May 2012 21:22:01 GMT)

Message #14 received at 11442 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Andreas Schwab <schwab <at> linux-m68k.org>
Cc: 11442 <at> debbugs.gnu.org, Paul Eggert <eggert <at> cs.ucla.edu>
Subject: Re: bug#11442: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 23:19:29 +0200
Andreas Schwab <schwab <at> linux-m68k.org> writes:

>> In general, I agree with you. In the given case, it is just a pointer
>> address which has been written in Fdbus_init_bus. No other place is
>> expected to write such an address, but since it is a Lisp object,
>> somebody could do by mistake.
>
> Why is Vdbus_registered_buses exported to lisp?

Indeed, that's the question.

When I wrote the new code for private buses, it was needed in dbus.el
(don't remember the reason). In the final code I've committed,
dbus-registered-buses isn't needed anymore on Lisp level.

I've converted it to be an internal Lisp object. Paul, is this
sufficient from your pov, or do we need more checks?

> Andreas.

Best regards, Michael.




Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Wed, 09 May 2012 21:39:01 GMT)

Notification sent to Paul Eggert <eggert <at> cs.ucla.edu>:
bug acknowledged by developer. (Wed, 09 May 2012 21:39:01 GMT)

Message #19 received at 11442-done <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: Andreas Schwab <schwab <at> linux-m68k.org>, 11442-done <at> debbugs.gnu.org
Subject: Re: bug#11442: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 14:35:47 -0700
On 05/09/2012 02:19 PM, Michael Albinus wrote:
> I've converted it to be an internal Lisp object.

Thanks; that looks good.  Closing the bug.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 07 Jun 2012 11:24:02 GMT)

This bug report was last modified 13 years and 73 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.