GNU bug report logs -
#58042
29.0.50; ASAN use-after-free in re_match_2_internal
Reported by: Gerd Möllmann <gerd.moellmann <at> gmail.com>
Date: Sat, 24 Sep 2022 13:46:01 UTC
Severity: normal
Found in version 29.0.50
Fixed in version 29.1
Done: Gerd Möllmann <gerd.moellmann <at> gmail.com>
Bug is archived. No further changes may be made.
Message #176 received at 58042 <at> debbugs.gnu.org:
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Date: Thu, 06 Oct 2022 07:35:26 +0200
>
> Can we come to a decision about what to do with probably_quit, based
> on what we know now? The threads under this bug are a bit deep and
> complicated, so I'd like to make this a bit more visible.
>
> I think the problem has been analyzed to be:
>
> 1. The re_matcher uses char* pointer P into data of string S.
> 2. The re_matcher uses maybe_quit
> 3. maybe_quit can call garbage_collect
> 4. garbage_collect can call Lisp (finalizers, redisplay)
> (4a. That Lisp can again garbage_collect)
> 5. One of the GCs can relocate the string data of S in step 1.
> 6. P is then invalid.
>
> Possible solution:
>
> Inhibit GC in probably_quit, so that P remains valid.
>
> Q: Should we do that?
IMO, yes.
> And if so, when?
"Now"?
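The six-step analysis quoted above, reduced to a runnable model. This is an added example, not Emacs code and not anything posted in this thread: the arena, `lstring`, `make_string`, `count_char` and `run_scenario` names, the `QUIT_INTERVAL` of 4 and the sample strings are all constructed here. A matcher keeps a raw pointer P into the data of string S and calls `maybe_quit` on every step; the slow path `probably_quit` runs a compacting collector that moves S when a dead string sits in front of it, so P ends up reading the freed tail (filled with `#` to make the stale read visible). Passing `inhibit` models the proposed fix: GC is counted as deferred instead of run while `probably_quit` is on the stack.

```c
/* Constructed model (not Emacs code) of the bug discussed in this thread:
   a matcher holds a raw char* into string data owned by a compacting GC,
   and the periodic quit check can trigger that GC in the middle of a match. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARENA_SIZE 128
#define MAX_STRINGS 4
#define QUIT_INTERVAL 4   /* assumed: probably_quit runs every 4th maybe_quit */

struct lstring { size_t off; size_t len; int live; };

static char arena[ARENA_SIZE];            /* all string data lives here */
static size_t arena_top;                  /* bump allocator */
static struct lstring strings[MAX_STRINGS];
static int nstrings;

static int quit_counter;                  /* maybe_quit fast-path counter */
static int gc_inhibit_count;              /* >0: GC must not run now */
static int gc_runs, gc_deferred;

static struct lstring *make_string(const char *s)
{
    struct lstring *str = &strings[nstrings++];
    str->len = strlen(s);
    str->off = arena_top;
    str->live = 1;
    memcpy(arena + str->off, s, str->len);
    arena_top += str->len;
    return str;
}

static char *string_data(const struct lstring *s) { return arena + s->off; }

/* Compacting collector: slides live strings down over dead ones, then
   scribbles over the freed tail so that a stale pointer reads junk, as it
   would once the real heap reuses that memory. */
static void garbage_collect(void)
{
    if (gc_inhibit_count > 0) { gc_deferred++; return; }
    gc_runs++;
    size_t old_top = arena_top, dst = 0;
    for (int i = 0; i < nstrings; i++) {
        struct lstring *s = &strings[i];
        if (!s->live) continue;
        memmove(arena + dst, arena + s->off, s->len);   /* step 5: S moves */
        s->off = dst;
        dst += s->len;
    }
    arena_top = dst;
    memset(arena + arena_top, '#', old_top - arena_top);
}

/* Slow path of maybe_quit. In the real tree this is where Lisp (finalizers,
   redisplay) and therefore GC can run; `inhibit` selects the proposed fix. */
static void probably_quit(int inhibit)
{
    if (inhibit) gc_inhibit_count++;
    garbage_collect();        /* stands in for "runs Lisp that may GC" */
    if (inhibit) gc_inhibit_count--;
}

static void maybe_quit(int inhibit)
{
    if (--quit_counter <= 0) { quit_counter = QUIT_INTERVAL; probably_quit(inhibit); }
}

/* Stand-in for the matcher: counts occurrences of c in s while holding the
   raw pointer P across every maybe_quit call, exactly as steps 1-2 describe. */
static int count_char(const struct lstring *s, char c, int inhibit)
{
    const char *p = string_data(s);     /* P: raw pointer into S's data */
    int count = 0;
    for (size_t i = 0; i < s->len; i++) {
        maybe_quit(inhibit);            /* may relocate S; P is never refreshed */
        if (p[i] == c) count++;         /* step 6: reads through stale P */
    }
    return count;
}

/* Constructed scenario: a dead string sits in front of S, so any GC moves S.
   Returns the number of 'a' characters the matcher believes it saw (8 is right). */
static int run_scenario(int inhibit)
{
    memset(arena, 0, sizeof arena);
    arena_top = 0; nstrings = 0;
    quit_counter = QUIT_INTERVAL;
    gc_inhibit_count = gc_runs = gc_deferred = 0;

    struct lstring *dead = make_string("garbage-garbage-garbage!");
    struct lstring *s = make_string("a.a.a.a.a.a.a.a.");
    dead->live = 0;                     /* unreachable by the time we match */
    return count_char(s, 'a', inhibit);
}

int main(void)
{
    int buggy = run_scenario(0), runs = gc_runs;
    int fixed = run_scenario(1), deferred = gc_deferred;
    printf("GC allowed in probably_quit:   %d matches, %d GC runs\n", buggy, runs);
    printf("GC inhibited in probably_quit: %d matches, %d GCs deferred\n", fixed, deferred);
    return 0;
}
```

With GC allowed, the first collection lands on the fourth `maybe_quit`, S slides down to offset 0, and P keeps walking the old location, so the matcher sees 2 hits instead of 8; in a real heap that read is a use-after-free that ASAN reports rather than a wrong count. With GC inhibited inside `probably_quit` the match completes on valid data and the four collections are merely postponed to the next safe point (`gc_deferred`), which is the trade-off the proposed fix makes. Note that inhibiting GC there protects only pointers held across `maybe_quit`; any other raw pointer into string data held across a call that can run Lisp has the same hazard and is not covered by this change.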
This bug report was last modified 2 years and 72 days ago.