GNU bug report logs - #58042
29.0.50; ASAN use-after-free in re_match_2_internal


Package: emacs;

Reported by: Gerd Möllmann <gerd.moellmann <at> gmail.com>

Date: Sat, 24 Sep 2022 13:46:01 UTC

Severity: normal

Found in version 29.0.50

Fixed in version 29.1

Done: Gerd Möllmann <gerd.moellmann <at> gmail.com>

Bug is archived. No further changes may be made.


From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
To: 58042 <at> debbugs.gnu.org
Subject: bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal 
Date: Thu, 06 Oct 2022 07:35:26 +0200
Can we come to a decision about what to do with probably_quit, based on
what we know now?  The threads under this bug are a bit deep and
complicated, so I'd like to make this a bit more visible.

I think the problem has been analyzed to be:

1. The re_matcher uses char* pointer P into data of string S.
2. The re_matcher uses maybe_quit.
3. maybe_quit can call garbage_collect
4. garbage_collect can call Lisp (finalizers, redisplay)
(4a. That Lisp can again garbage_collect)
5. One of the GCs can relocate the string data of S in step 1.
6. P is then invalid.

Possible solution:

Inhibit GC in probably_quit, so that P remains valid.

Q: Should we do that?  And if so, when?
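Added illustration (not part of the thread and not Emacs code) of the six-step chain above: a matcher caches a raw pointer P into the data of string S, keeps using it across a quit check, and a GC run from that check moves the data. All names here (toy_string, toy_gc, toy_maybe_quit, inhibit_gc, the match_* functions) are this example's own. Reading genuinely freed memory is undefined behaviour, which is exactly what ASAN flags, so to make the result deterministic the toy GC poisons the moved-from buffer with '#' instead of freeing it at once and releases it in toy_reset(). match_inhibit shows the fix proposed in the message (no GC during the quit check); match_rederive is an alternative added here for contrast, where P is never held across the check at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the report: S has heap data that a compacting GC may move. */
struct toy_string {
    char *data;   /* buffer the toy GC may relocate */
    size_t len;
};

static int inhibit_gc = 0;        /* analogue of the proposed probably_quit fix */
static int gc_relocations = 0;    /* how many times S's data moved */
static int last_gc_count = 0;     /* recorded by demo() for inspection */
#define MAX_STALE 64
static char *stale[MAX_STALE];    /* moved-from buffers, kept poisoned */
static int nstale = 0;

/* Simulated garbage_collect: copies S's data to a new address and poisons
 * the old buffer (a stand-in for "freed and reused"). */
static void toy_gc(struct toy_string *s)
{
    if (inhibit_gc || nstale == MAX_STALE)
        return;
    char *moved = malloc(s->len + 1);
    memcpy(moved, s->data, s->len + 1);
    memset(s->data, '#', s->len);
    stale[nstale++] = s->data;
    s->data = moved;
    gc_relocations++;
}

/* Simulated maybe_quit: every call is a GC opportunity (steps 3-5). */
static void toy_maybe_quit(struct toy_string *s) { toy_gc(s); }

/* Buggy matcher: P cached once (step 1), used after maybe_quit (step 6).
 * Returns the index of the first c in S, or -1. */
static long match_buggy(struct toy_string *s, char c)
{
    const char *p = s->data;
    for (size_t i = 0; i < s->len; i++) {
        toy_maybe_quit(s);          /* may relocate S's data */
        if (p[i] == c)              /* P now points at the poisoned buffer */
            return (long)i;
    }
    return -1;
}

/* Fix from the message: inhibit GC while the quit check runs, so P stays valid. */
static long match_inhibit(struct toy_string *s, char c)
{
    const char *p = s->data;
    for (size_t i = 0; i < s->len; i++) {
        inhibit_gc = 1;
        toy_maybe_quit(s);
        inhibit_gc = 0;
        if (p[i] == c)
            return (long)i;
    }
    return -1;
}

/* Alternative (this example's own): never hold P across maybe_quit;
 * re-derive it from S after every check, so relocation is harmless. */
static long match_rederive(struct toy_string *s, char c)
{
    for (size_t i = 0; i < s->len; i++) {
        toy_maybe_quit(s);
        if (s->data[i] == c)
            return (long)i;
    }
    return -1;
}

static struct toy_string toy_make(const char *text)
{
    struct toy_string s;
    s.len = strlen(text);
    s.data = malloc(s.len + 1);
    memcpy(s.data, text, s.len + 1);
    return s;
}

/* Release the live buffer and every poisoned stale buffer. */
static void toy_reset(struct toy_string *s)
{
    for (int i = 0; i < nstale; i++)
        free(stale[i]);
    nstale = 0;
    free(s->data);
    s->data = NULL;
    gc_relocations = 0;
}

/* Run one matcher on the constructed string "hello" looking for 'l'. */
static long demo(long (*matcher)(struct toy_string *, char))
{
    struct toy_string s = toy_make("hello");
    long r = matcher(&s, 'l');
    last_gc_count = gc_relocations;
    toy_reset(&s);
    return r;
}

int main(void)
{
    printf("buggy:    %ld (GCs: %d)\n", demo(match_buggy), last_gc_count);
    printf("inhibit:  %ld (GCs: %d)\n", demo(match_inhibit), last_gc_count);
    printf("rederive: %ld (GCs: %d)\n", demo(match_rederive), last_gc_count);
    return 0;
}
```

The buggy matcher never finds 'l' because every byte it reads through P comes from the poisoned, moved-from buffer; in real Emacs the same read hits freed heap, which is the use-after-free ASAN reported. Inhibiting GC around the check keeps P valid at the cost of delaying collection; re-deriving the pointer tolerates relocation but means the matcher cannot keep any raw pointer into string data live across maybe_quit.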



