From: bug#11442 <11442@debbugs.gnu.org>
To: bug#11442 <11442@debbugs.gnu.org>
Subject: Status: dbus uses Emacs integer as pointer, possible core dump
Date: Mon, 18 Aug 2025 18:09:39 +0000

retitle 11442 dbus uses Emacs integer as pointer, possible core dump
reassign 11442 emacs
submitter 11442 Paul Eggert
severity 11442 normal
thanks


From: Paul Eggert
To: bug-gnu-emacs@gnu.org
Cc: Michael Albinus
Subject: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 08:20:57 -0700
Message-ID: <4FAA8B59.8050207@cs.ucla.edu>

The trunk version of Emacs src/dbusbind.c contains a function
xd_get_connection_address that does this:

    connection = (DBusConnection *) (intptr_t) XFASTINT (val);

This converts an Emacs integer to a pointer without checking
that it is actually of the proper C type. It is possible
for Lisp code to mistakenly put an integer there that will
cause Emacs to dump core.

Shouldn't this be made safe, so that Lisp code can't do that? For
example, a DbusConnection * could be made a proper Lisp pseudovector
or misc type or something like that. The idea is to avoid a bad
pointer leaking into the C code.


From: Michael Albinus
To: Paul Eggert
Cc: 11442@debbugs.gnu.org
Subject: Re: bug#11442: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 17:35:49 +0200
Message-ID: <87y5p1l63u.fsf@gmx.de>

Paul Eggert writes:

Hi Paul,

> The trunk version of Emacs src/dbusbind.c contains a function
> xd_get_connection_address that does this:
>
>     connection = (DBusConnection *) (intptr_t) XFASTINT (val);
>
> This converts an Emacs integer to a pointer without checking
> that it is actually of the proper C type. It is possible
> for Lisp code to mistakenly put an integer there that will
> cause Emacs to dump core.

In general, I agree with you. In the given case, it is just a pointer
address which has been written in Fdbus_init_bus. No other place is
expected to write such an address, but since it is a Lisp object,
somebody could do so by mistake.

> Shouldn't this be made safe, so that Lisp code can't do that? For
> example, a DbusConnection * could be made a proper Lisp pseudovector
> or misc type or something like that. The idea is to avoid a bad
> pointer leaking into the C code.

DbusConnection * is included by ; we cannot make it a private type. But
if there is something we could add as "glue type", please do. I'm not so
familiar with Emacs' internal type armors.

Best regards, Michael.


From: Andreas Schwab
To: Michael Albinus
Cc: 11442@debbugs.gnu.org, Paul Eggert
Subject: Re: bug#11442: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 17:45:19 +0200

Michael Albinus writes:

> Paul Eggert writes:
>
> Hi Paul,
>
>> The trunk version of Emacs src/dbusbind.c contains a function
>> xd_get_connection_address that does this:
>>
>>     connection = (DBusConnection *) (intptr_t) XFASTINT (val);
>>
>> This converts an Emacs integer to a pointer without checking
>> that it is actually of the proper C type. It is possible
>> for Lisp code to mistakenly put an integer there that will
>> cause Emacs to dump core.
>
> In general, I agree with you. In the given case, it is just a pointer
> address which has been written in Fdbus_init_bus. No other place is
> expected to write such an address, but since it is a Lisp object,
> somebody could do so by mistake.

Why is Vdbus_registered_buses exported to lisp?

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."


From: Michael Albinus
To: Andreas Schwab
Cc: 11442@debbugs.gnu.org, Paul Eggert
Subject: Re: bug#11442: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 23:19:29 +0200
Message-ID: <87mx5hqcgu.fsf@gmx.de>

Andreas Schwab writes:

>> In general, I agree with you. In the given case, it is just a pointer
>> address which has been written in Fdbus_init_bus. No other place is
>> expected to write such an address, but since it is a Lisp object,
>> somebody could do so by mistake.
>
> Why is Vdbus_registered_buses exported to lisp?

Indeed, that's the question. When I wrote the new code for private
buses, it was needed in dbus.el (don't remember the reason). In the
final code I've committed, dbus-registered-buses isn't needed anymore
on Lisp level.

I've converted it to be an internal Lisp object. Paul, is this
sufficient from your pov, or do we need more checks?

> Andreas.

Best regards, Michael.


From: Paul Eggert
To: Michael Albinus
Cc: Andreas Schwab, 11442-done@debbugs.gnu.org
Subject: Re: bug#11442: dbus uses Emacs integer as pointer, possible core dump
Date: Wed, 09 May 2012 14:35:47 -0700
Message-ID: <4FAAE333.7020606@cs.ucla.edu>

On 05/09/2012 02:19 PM, Michael Albinus wrote:

> I've converted it to be an internal Lisp object.

Thanks; that looks good. Closing the bug.


From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Thu, 07 Jun 2012 11:24:02 +0000

bug archived.
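
Added example, not part of the thread and not code from Emacs or libdbus: the unchecked integer-to-pointer cast from the report next to a lookup that only accepts addresses the C side registered itself, which is the property the thread wanted. The names struct conn, registry_add, registry_remove, checked_lookup and unchecked_lookup are hypothetical stand-ins.

```c
/* Added example: stand-in types and names, not Emacs or libdbus code. */
#include <stdint.h>
#include <stdio.h>

struct conn { int fd; };  /* hypothetical stand-in for DBusConnection */

#define MAX_CONNS 8
/* C-private table: script-level code has no way to write into it. */
static struct conn *registry[MAX_CONNS];

/* Pattern from the report: any integer becomes a pointer, unchecked. */
struct conn *unchecked_lookup(intptr_t val)
{
    return (struct conn *) val;
}

/* Record a connection when it is opened; 0 on success, -1 if full. */
int registry_add(struct conn *c)
{
    for (int i = 0; i < MAX_CONNS; i++)
        if (registry[i] == NULL) { registry[i] = c; return 0; }
    return -1;
}

/* Forget a closed connection so a stale integer stops validating. */
void registry_remove(struct conn *c)
{
    for (int i = 0; i < MAX_CONNS; i++)
        if (registry[i] == c) registry[i] = NULL;
}

/* Checked lookup: the integer is only compared against addresses this
   module stored itself; NULL tells the caller to signal an error. */
struct conn *checked_lookup(intptr_t val)
{
    for (int i = 0; i < MAX_CONNS; i++)
        if (registry[i] != NULL && (intptr_t) registry[i] == val)
            return registry[i];
    return NULL;
}

int main(void)
{
    struct conn live = { 3 };
    intptr_t forged = 0x1234;  /* constructed bogus value */
    registry_add(&live);
    printf("live:   %s\n", checked_lookup((intptr_t) &live) ? "ok" : "rejected");
    printf("forged: %s\n", checked_lookup(forged) ? "ok" : "rejected");
    return 0;
}
```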