GNU bug report logs - #58042
29.0.50; ASAN use-after-free in re_match_2_internal
Reported by: Gerd Möllmann <gerd.moellmann <at> gmail.com>
Date: Sat, 24 Sep 2022 13:46:01 UTC
Severity: normal
Found in version 29.0.50
Fixed in version 29.1
Done: Gerd Möllmann <gerd.moellmann <at> gmail.com>
Bug is archived. No further changes may be made.
Message #77 received at 58042 <at> debbugs.gnu.org (full text, mbox):
Gerd Möllmann <gerd.moellmann <at> gmail.com> writes:
>> Isn't the -[EmacsView layoutSublayersOfLayer:] the problem? AFAICT from
>> a web search, this is an event handler method that is also called
>> by the framework?
>>
>> In the olden days, it was a serious error to call into Lisp from an
>> event handler. All bets were off when that happened, not only related
>> to GC. I believe that hasn't changed much.
Today, event handling code calls Lisp all the time (through safe_call
etc.). That happens in handle_one_xevent, ns_select, et cetera.
It shouldn't affect GC at all because input is blocked for the entire
duration of each GC, except for when finalizers are run after unmarked
objects are swept.
So AFAIU it has been safe ever since read_socket_hook stopped being
called from a signal handler.
>> That code was introduced by Alan around this time.
>>
>> 1ba02d85a964e1b2c6a9735cd3decdc524e06dc1
>> Author: Alan Third <alan <at> idiocy.org>
>> AuthorDate: Sat Jun 12 10:25:47 2021 +0100
>> Commit: Alan Third <alan <at> idiocy.org>
>> CommitDate: Sat Jul 31 11:13:05 2021 +0100
>>
>> Maybe Allen can say something, I've CC'd him.
>>
>> Or maybe we should add your fix, too?
>
> And a similar question to Po Lu because of
>
> f81065a91be5a54b78e202df6918aff443588ae1
> Author: Po Lu <luangruo <at> yahoo.com>
> AuthorDate: Mon May 30 16:03:11 2022 +0800
> Commit: Po Lu <luangruo <at> yahoo.com>
> CommitDate: Mon May 30 16:03:11 2022 +0800
>
> which added a call to redisplay to - (NSDragOperation) draggingUpdated:
> (id <NSDraggingInfo>) sender. Is that safe here?
It should be safe there since we use safe_call, as the only problem
these days is that it isn't safe to longjmp out of an NS event handler.
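The point made in this message, that calling Lisp from a framework event handler is fine as long as the call is wrapped so no non-local exit (longjmp) unwinds through the framework's frame, is illustrated by the following toy model. This is an added example, not Emacs code: `framework_dispatch`, `safe_call`, `signal_error` and the counters are all hypothetical stand-ins for the NS event machinery, Emacs's safe_call and a Lisp error, chosen only to show what is skipped when a longjmp crosses the handler's caller.

```c
#include <setjmp.h>
#include <stdio.h>

/* Toy model (constructed for this example, not Emacs code): a framework
   that keeps per-event bookkeeping which must be cleared when the handler
   returns, and a "Lisp" body that signals an error by longjmp. */

static jmp_buf toplevel_catch;        /* stand-in for the command loop's catch */
static jmp_buf *current_catch = NULL; /* innermost active catch */

static int in_flight = 0;      /* framework thinks an event is being handled */
static int cleanup_count = 0;  /* how many times framework cleanup completed */

/* Simulated Lisp error: non-local exit to the innermost catch. */
static void signal_error(void) {
    longjmp(*current_catch, 1);
}

/* A "Lisp" body that always errors, like a hook function that raises. */
static void lisp_body_that_errors(void) {
    signal_error();
}

/* safe_call-style wrapper (modelled on, not copied from, Emacs): install a
   catch around the body so a non-local exit ends in this frame and the
   caller returns normally. Returns 1 if the body signalled, 0 otherwise. */
static int safe_call(void (*body)(void)) {
    jmp_buf catch;
    jmp_buf *saved = current_catch;
    current_catch = &catch;
    if (setjmp(catch) == 0) {
        body();
        current_catch = saved;
        return 0;
    }
    current_catch = saved;
    return 1;
}

/* Framework event dispatch: marks an event in flight, runs the handler,
   then clears the mark. If the handler longjmps past this frame, the
   clearing code never runs and the framework's state stays inconsistent. */
static void framework_dispatch(void (*handler)(void)) {
    in_flight = 1;
    handler();
    in_flight = 0;
    cleanup_count++;
}

/* Unsafe handler: calls the body directly, so an error unwinds through
   framework_dispatch. */
static void unsafe_handler(void) { lisp_body_that_errors(); }

/* Safe handler: wraps the body in safe_call so the error is caught here. */
static void safe_handler(void) { (void)safe_call(lisp_body_that_errors); }

/* Run one dispatch under a top-level catch. Returns 1 if the error escaped
   the framework frame (the unsafe case), 0 if dispatch returned normally. */
static int run(void (*handler)(void)) {
    jmp_buf *saved = current_catch;
    current_catch = &toplevel_catch;
    if (setjmp(toplevel_catch) == 0) {
        framework_dispatch(handler);
        current_catch = saved;
        return 0;
    }
    current_catch = saved;
    return 1;
}

/* Accessors for the framework's bookkeeping, so the outcome can be checked. */
static int framework_in_flight(void) { return in_flight; }
static int cleanups_done(void) { return cleanup_count; }
static void reset_framework(void) { in_flight = 0; cleanup_count = 0; }

int main(void) {
    int escaped = run(unsafe_handler);
    printf("unsafe: error escaped=%d, in_flight left=%d, cleanups=%d\n",
           escaped, framework_in_flight(), cleanups_done());
    reset_framework();
    escaped = run(safe_handler);
    printf("safe:   error escaped=%d, in_flight left=%d, cleanups=%d\n",
           escaped, framework_in_flight(), cleanups_done());
    return 0;
}
```

In the unsafe case the top-level catch receives the jump, but `framework_dispatch` never reaches its cleanup, so `in_flight` stays set and the cleanup counter does not advance; in the safe case the error is absorbed inside the handler and the framework completes normally. A real framework would typically be holding allocations or locks at that point rather than a single flag, which is why the frame must be allowed to return.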