GNU bug report logs -
#20756
25.0.50; struct selection_input_event data might be corrupted by assignments as another structure type
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#20756; Package emacs. (Sun, 07 Jun 2015 08:14:02 GMT)
Acknowledgement sent to YAMAMOTO Mitsuharu <mituharu <at> math.s.chiba-u.ac.jp>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sun, 07 Jun 2015 08:14:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
On X11, each element of `kbd_buffer' is implicitly used as a union of
two structure types: `struct input_event' (in termhooks.h) for general
use and `struct selection_input_event' (in xterm.h) for selection
events. These types have different layouts, especially with respect
to paddings. But elements of `kbd_buffer' are copied via assignments
for one structure type, `struct input_event', in several places in
keyboard.c. For example,
/* Put an input event back in the head of the event queue.  */

void
kbd_buffer_unget_event (register struct input_event *event)
{
  if (kbd_fetch_ptr == kbd_buffer)
    kbd_fetch_ptr = kbd_buffer + KBD_BUFFER_SIZE;

  /* Don't let the very last slot in the buffer become full,  */
  if (kbd_fetch_ptr - 1 != kbd_store_ptr)
    {
      --kbd_fetch_ptr;
      *kbd_fetch_ptr = *event;
    }
}
This is problematic because structure copy via assignments may not
preserve the contents of the paddings in general, and they might
contain sensitive information for the other structure, `struct
selection_input_event'.
Actually, I can reproduce the crash with `C-w' on a 64-bit executable
compiled with the following version of llvm-gcc for OS X 10.7:
i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.11.00)
The disassembly output below shows that 4 bytes from 12-byte offset
are not copied. These correspond to a part of `dpyinfo' member in
`struct selection_input_event', and it gets corrupted.
_kbd_buffer_unget_event:
00000000000001d0 pushq %rbp
00000000000001d1 movq %rsp, %rbp
00000000000001d4 leaq (%rip), %rax
00000000000001db movq (%rip), %rcx
00000000000001e2 cmpq %rax, %rcx
00000000000001e5 jne 0x1f5
00000000000001e7 leaq 229376(%rip), %rcx
00000000000001ee movq %rcx, (%rip)
00000000000001f5 leaq -56(%rcx), %rax
00000000000001f9 cmpq (%rip), %rax
0000000000000200 je 0x242
0000000000000202 movq %rax, (%rip)
0000000000000209 movl (%rdi), %eax
000000000000020b movl %eax, -56(%rcx)
000000000000020e movl 4(%rdi), %eax
0000000000000211 movl %eax, -52(%rcx)
0000000000000214 movl 8(%rdi), %eax
0000000000000217 movl %eax, -48(%rcx)
000000000000021a movq 16(%rdi), %rax
000000000000021e movq %rax, -40(%rcx)
0000000000000222 movq 24(%rdi), %rax
0000000000000226 movq %rax, -32(%rcx)
000000000000022a movq 32(%rdi), %rax
000000000000022e movq %rax, -24(%rcx)
0000000000000232 movq 40(%rdi), %rax
0000000000000236 movq %rax, -16(%rcx)
000000000000023a movq 48(%rdi), %rax
000000000000023e movq %rax, -8(%rcx)
0000000000000242 popq %rbp
0000000000000243 ret
0000000000000244 nopw (%rax,%rax)
000000000000024a nopw (%rax,%rax)
YAMAMOTO Mitsuharu
mituharu <at> math.s.chiba-u.ac.jp
In GNU Emacs 25.0.50.1 (x86_64-apple-darwin11.4.2, GTK+ Version 3.16.3)
of 2015-06-07 on yamamoto-no-MacBook-Air.local
Windowing system distributor `The X.Org Foundation', version 11.0.11006000
Configured using:
`configure LDFLAGS=-L/opt/local/lib CPPFLAGS=-I/opt/local/include'
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#20756; Package emacs. (Tue, 23 Jun 2015 23:45:05 GMT)
Message #8 received at 20756 <at> debbugs.gnu.org:
Thanks for tracking down and diagnosing this bug. I've installed a patch as
commit 1552e6737317ea2c85e06600e178114c6b0f9fb2 in emacs master; can you please
try it in your environment?
It's possible, I suppose, that this fix will affect Bug#13486 and Bug#17026
(merged with Bug#16737, Bug#17101, Bug#17172, Bug#19320, Bug#20283). Ideally
those bugs would go away too, though this is a shot in the dark. Anyway, I'll
CC: to those bug reports to give their followers a heads-up.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#20756; Package emacs. (Wed, 24 Jun 2015 00:57:03 GMT)
Message #11 received at 20756 <at> debbugs.gnu.org:
>>>>> On Tue, 23 Jun 2015 16:44:26 -0700, Paul Eggert <eggert <at> cs.ucla.edu> said:
> Thanks for tracking down and diagnosing this bug. I've installed a
> patch as commit 1552e6737317ea2c85e06600e178114c6b0f9fb2 in emacs
> master; can you please try it in your environment?
Thanks for looking into this. But it doesn't build as it is in the
original environment: OS X 10.7, and the following version of llvm-gcc
i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.11.00)
The error message is:
gcc -std=gnu99 -c -I/opt/local/include -Demacs -I. -I../../../emacs/trunk/src -I../lib -I../../../emacs/trunk/lib -D_REENTRANT -I/opt/local/include/gtk-3.0 -I/opt/local/include/at-spi2-atk/2.0 -I/opt/local/include/at-spi-2.0 -I/opt/local/include/dbus-1.0 -I/opt/local/lib/dbus-1.0/include -I/opt/local/include/gtk-3.0 -I/opt/local/include/gio-unix-2.0/ -I/opt/local/include -I/opt/local/include/cairo -I/opt/local/include -I/opt/local/include/pango-1.0 -I/opt/local/include/harfbuzz -I/opt/local/include/pango-1.0 -I/opt/local/include/atk-1.0 -I/opt/local/include/cairo -I/opt/local/include/pixman-1 -I/opt/local/include -I/opt/local/include/freetype2 -I/opt/local/include -I/opt/local/include/freetype2 -I/opt/local/include -I/opt/local/include/libpng16 -I/opt/local/include -I/opt/local/include/gdk-pixbuf-2.0 -I/opt/local/include/libpng16 -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include -I/opt/local/include -I/opt/local/include -I/opt/local/include/freetype2 -I/opt/local/include -I/opt/local/include/freetype2 -I/opt/local/include -I/opt/local/include/libpng16 -I/opt/local/include -D_REENTRANT -I/opt/local/include/librsvg-2.0 -I/opt/local/include/gdk-pixbuf-2.0 -I/opt/local/include/libpng16 -I/opt/local/include/cairo -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include -I/opt/local/include -I/opt/local/include/pixman-1 -I/opt/local/include -I/opt/local/include/freetype2 -I/opt/local/include -I/opt/local/include/freetype2 -I/opt/local/include -I/opt/local/include/libpng16 -I/opt/local/include -DMAGICKCORE_HDRI_ENABLE=0 -DMAGICKCORE_QUANTUM_DEPTH=16 -DMAGICKCORE_HDRI_ENABLE=0 -DMAGICKCORE_QUANTUM_DEPTH=16 -I/opt/local/include/ImageMagick-6 -I/opt/local/include/libpng16 -I/opt/local/include/libxml2 -I/opt/local/include/dbus-1.0 -I/opt/local/lib/dbus-1.0/include -I/opt/local/include -I/opt/local/include -I/opt/local/include -D_REENTRANT -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include -I/opt/local/include -DORBIT2=1 -D_REENTRANT 
-I/opt/local/include/gconf/2 -I/opt/local/include/orbit-2.0 -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include -I/opt/local/include -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include -I/opt/local/include -I/opt/local/include/freetype2 -I/opt/local/include -I/opt/local/include/libpng16 -I/opt/local/include -I/opt/local/include/freetype2 -I/opt/local/include -I/opt/local/include/freetype2 -I/opt/local/include -I/opt/local/include/libpng16 -MMD -MF deps/dispnew.d -MP -I/opt/local/include -I/opt/local/include/p11-kit-1 -I/opt/local/include -D_REENTRANT -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include -I/opt/local/include -g3 -O2 ../../../emacs/trunk/src/dispnew.c
In file included from ../../../emacs/trunk/src/dispnew.c:33:
../../../emacs/trunk/src/keyboard.h: In function ‘kbd_buffer_store_event_hold’:
../../../emacs/trunk/src/keyboard.h:461: error: expected specifier-qualifier-list before ‘*’ token
../../../emacs/trunk/src/keyboard.h:461: error: ‘struct <anonymous>’ has no member named ‘__b’
../../../emacs/trunk/src/keyboard.h:461: error: expected specifier-qualifier-list before ‘*’ token
../../../emacs/trunk/src/keyboard.h:461: error: ‘struct <anonymous>’ has no member named ‘__b’
../../../emacs/trunk/src/keyboard.h:461: error: bit-field ‘_gl_verify_error_if_negative’ width not an integer constant
make: *** [dispnew.o] Error 1
The output of gcc -E for the corresponding part is:
kbd_buffer_store_event_hold (struct input_event *event,
struct input_event *hold_quit)
{
union buffered_input_event *ev = (union buffered_input_event *) event;
extern int (*_gl_verify_function461 (void)) [(!!sizeof (struct { unsigned int _gl_verify_error_if_negative: (sizeof *event == sizeof *ev && __builtin_offsetof (struct { char __a; *event __b; }, __b) == __builtin_offsetof (struct { char __a; *ev __b; }, __b)) ? 1 : -1; }))];
return kbd_buffer_store_buffered_event ((union buffered_input_event *) event,
hold_quit);
}
If I comment out the line for the "verify" macro, then it successfully
builds and runs without crash.
YAMAMOTO Mitsuharu
mituharu <at> math.s.chiba-u.ac.jp
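The following is an added example written for this page; it is not Emacs source and not code from either message above. It models the hazard described in the first message (a selection event stored into the ring buffer through a `struct input_event' assignment, which the disassembly shows copying only the named members and skipping padding) and the portability point from the message just above (a compile-time size/alignment guard that takes type names only, avoiding the `*event __b' construction that the preprocessed output shows failing). The struct layouts, member names (`kind', `arg', `selection', `timestamp') and the exact position of the padding are assumptions chosen so that one field of the selection view falls entirely inside padding of the general view on x86-64; `kbd_buffer', `KBD_BUFFER_SIZE' and `union buffered_input_event' reuse the names from the thread but are redefined here in simplified form.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Emacs source.  Cut-down model of the two x86-64
   layouts from the report; member names and padding position are
   assumptions made for illustration. */
struct input_event
{
  unsigned int kind;        /* bytes 0..3 */
                            /* bytes 4..7: padding on x86-64 */
  void *arg;                /* bytes 8..15 */
  long timestamp;           /* bytes 16..23 */
};

struct selection_input_event
{
  unsigned int kind;        /* bytes 0..3 */
  unsigned int selection;   /* bytes 4..7: lives in input_event's padding */
  void *dpyinfo;            /* bytes 8..15 */
  long timestamp;           /* bytes 16..23 */
};

/* The union the fix introduces: one slot type whose size and alignment
   cover both views, so a whole-slot copy moves every byte. */
union buffered_input_event
{
  struct input_event ie;
  struct selection_input_event sie;
};

/* Compile-time guards written with type names only (no _Alignof on an
   expression), which a pre-C11 compiler accepts.  A negative array
   bound fails the build if the model above stops holding. */
struct probe_ie { char c; struct input_event x; };
struct probe_union { char c; union buffered_input_event x; };
extern int verify_size[sizeof (union buffered_input_event)
                       == sizeof (struct input_event) ? 1 : -1];
extern int verify_align[offsetof (struct probe_ie, x)
                        == offsetof (struct probe_union, x) ? 1 : -1];
extern int verify_pad[offsetof (struct input_event, arg) == 8 ? 1 : -1];

#define KBD_BUFFER_SIZE 4
static union buffered_input_event kbd_buffer[KBD_BUFFER_SIZE];

/* What a compiler may emit for 'dst = src' on struct input_event, and
   what the disassembly in the report shows: only the named members are
   copied; the padding bytes of the destination are left untouched. */
static void
copy_input_event_memberwise (struct input_event *dst,
                             const struct input_event *src)
{
  dst->kind = src->kind;
  dst->arg = src->arg;
  dst->timestamp = src->timestamp;
}

/* Build a selection event carrying SELECTION and store it into slot 0
   through a struct input_event assignment, as the original
   kbd_buffer_unget_event did.  Slot 0 is pre-filled with 0xAA to stand
   for whatever a previous event left there.  Returns what the selection
   view then sees in that slot. */
unsigned int
unget_via_struct_assignment (unsigned int selection)
{
  union buffered_input_event ev;
  memset (&ev, 0, sizeof ev);
  ev.sie.kind = 1;
  ev.sie.selection = selection;

  memset (&kbd_buffer[0], 0xAA, sizeof kbd_buffer[0]);
  copy_input_event_memberwise (&kbd_buffer[0].ie, &ev.ie);
  return kbd_buffer[0].sie.selection;   /* stale 0xAAAAAAAA, not SELECTION */
}

/* Same store through the union: the whole slot is copied, so bytes that
   are padding for one view and data for the other arrive intact. */
unsigned int
unget_via_union_assignment (unsigned int selection)
{
  union buffered_input_event ev;
  memset (&ev, 0, sizeof ev);
  ev.sie.kind = 1;
  ev.sie.selection = selection;

  memset (&kbd_buffer[0], 0xAA, sizeof kbd_buffer[0]);
  kbd_buffer[0] = ev;
  return kbd_buffer[0].sie.selection;   /* SELECTION, as stored */
}

int
main (void)
{
  printf ("struct assignment: selection = 0x%08x\n",
          unget_via_struct_assignment (0x12345678u));
  printf ("union assignment:  selection = 0x%08x\n",
          unget_via_union_assignment (0x12345678u));
  return 0;
}
```

The member-wise copy is spelled out by hand so the loss is reproducible on any compiler; a real `dst = src' may or may not copy padding, which is exactly why the thread's fix stops relying on it and copies the union instead. The three `verify_*' declarations are the C99-compatible shape of the guard whose C11 form broke the llvm-gcc build above.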
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#20756; Package emacs. (Wed, 24 Jun 2015 01:06:03 GMT)
Message #14 received at 20756 <at> debbugs.gnu.org:
YAMAMOTO Mitsuharu wrote:
> ../../../emacs/trunk/src/keyboard.h:461: error: expected specifier-qualifier-list before ‘*’ token
Thanks, it appears I was assuming C11 semantics that clang doesn't support. I
installed the attached further patch, which worked for me with clang
3.6.0-2ubuntu1 (Ubuntu 15.04).
[0001-Port-selection-info-fix-to-clang.patch (text/x-diff, attachment)]
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#20756; Package emacs. (Wed, 24 Jun 2015 01:21:07 GMT)
Message #17 received at 20756 <at> debbugs.gnu.org:
>>>>> On Tue, 23 Jun 2015 18:05:27 -0700, Paul Eggert <eggert <at> cs.ucla.edu> said:
> YAMAMOTO Mitsuharu wrote:
>> ../../../emacs/trunk/src/keyboard.h:461: error: expected specifier-qualifier-list before ‘*’ token
> Thanks, it appears I was assuming C11 semantics that clang doesn't support. I
> installed the attached further patch, which worked for me with clang
> 3.6.0-2ubuntu1 (Ubuntu 15.04).
It now builds and works for me, too. Thanks again.
YAMAMOTO Mitsuharu
mituharu <at> math.s.chiba-u.ac.jp
Added tag(s) fixed. Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Wed, 01 Jun 2016 14:55:02 GMT)
bug closed, send any further explanations to 20756 <at> debbugs.gnu.org and YAMAMOTO Mitsuharu <mituharu <at> math.s.chiba-u.ac.jp>. Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Wed, 01 Jun 2016 14:55:03 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 30 Jun 2016 11:24:04 GMT)