GNU bug report logs - #23482
24.4; stack buffer overflow in x-send-client-message


Package: emacs; Reported by: Kalle Olavi Niemitalo <kon@HIDDEN>; Keywords: patch; dated Sun, 8 May 2016 18:19:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
Added tag(s) patch. Request was from Stefan Kangas <stefan@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 23482 <at> debbugs.gnu.org:


From: Kalle Olavi Niemitalo <kon@HIDDEN>
To: 23482 <at> debbugs.gnu.org
Subject: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482).
Keywords: Emacs,patch,bit rot
In-Reply-To: <87r3dcenux.fsf@HIDDEN> (Kalle Olavi Niemitalo's
 message of "Sun, 08 May 2016 15:27:34 +0300")
References: <87r3dcenux.fsf@HIDDEN>
User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/23.0.51 (gnu/linux)
X-Accept-Language: fi;q=1.0, en;q=0.9, sv;q=0.5, de;q=0.1
Date: Tue, 10 May 2016 08:43:07 +0300
Message-ID: <87a8jyeadw.fsf@HIDDEN>

The docstring already said that excessive values are ignored,
but they instead overflowed the buffer.

This does not seem a security vulnerability though, because Emacs fully
trusts Emacs Lisp code, and if some Emacs Lisp code sends client
messages based on untrusted data, then that's already a bug of its own.

2016-05-08  Kalle Olavi Niemitalo  <kon@HIDDEN>

	* xselect.c (x_fill_property_data): Add parameter NELEMENTS_MAX.
	* xterm.h (x_fill_property_data): Update prototype.
	* xselect.c (Fx_send_client_event): Update call.  This fixes
	  a buffer overflow in event.xclient.data.
	* xfns.c (Fx_change_window_property): Update call.
---
This patch is for Emacs 22.1 and includes the prominent notices
required by clause 2a of GPLv2. 
I do not intend to assign copyright to the FSF.

In Emacs 22.1, Fx_send_client_event has other bugs that this
patch does not fix.  It should clear event.xclient.data.l rather
than event.xclient.data.b, and the mask 0xffff in events sent to
the root window does not include the SubstructureNotify and
SubstructureRedirect bits required by "Extended Window Manager
Hints" version 1.1.

Date: Sun, 8 May 2016 11:33:44 +0300

 src/xfns.c    |  5 ++++-
 src/xselect.c | 17 +++++++++++++----
 src/xterm.h   |  3 +++
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/src/xfns.c b/src/xfns.c
index d269dfb..00e28db 100644
--- a/src/xfns.c
+++ b/src/xfns.c
@@ -19,6 +19,8 @@ along with GNU Emacs; see the file COPYING.  If not, write to
 the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 Boston, MA 02110-1301, USA.  */
 
+/* Modified on 2016-05-08 by Kalle Olavi Niemitalo.  */
+
 #include <config.h>
 #include <stdio.h>
 #include <math.h>
@@ -4255,7 +4257,8 @@ Value is VALUE.  */)
            converts to 32 bits before sending to the X server.  */
         data = (unsigned char *) xmalloc (nelements * sizeof(long));
 
-      x_fill_property_data (FRAME_X_DISPLAY (f), value, data, element_format);
+      x_fill_property_data (FRAME_X_DISPLAY (f), value, data, nelements,
+                            element_format);
     }
   else
     {
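Review bot: at this call site the new bound is exact rather than a limit, because `nelements` is the same count the allocation two lines above is sized from (`nelements * sizeof(long)`), so nothing is truncated here; the bound only has teeth for the fixed-size event in xselect.c. A one-line comment saying that `nelements` equals the list length would save a reader from looking for where excess values get dropped. Note also that the buffer is sized in `long`s regardless of `element_format`, so the element-count bound is conservative for formats 8 and 16, which is the safe direction.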
diff --git a/src/xselect.c b/src/xselect.c
index 3fe109a..5d4ef9c 100644
--- a/src/xselect.c
+++ b/src/xselect.c
@@ -21,6 +21,7 @@ Boston, MA 02110-1301, USA.  */
 
 
 /* Rewritten by jwz */
+/* Modified on 2016-05-08 by Kalle Olavi Niemitalo.  */
 
 #include <config.h>
 #include <stdio.h>      /* termhooks.h needs this */
@@ -2526,27 +2527,32 @@ x_check_property_data (data)
 
    DPY is the display use to look up X atoms.
    DATA is a Lisp list of values to be converted.
-   RET is the C array that contains the converted values.  It is assumed
-   it is big enough to hold all values.
+   RET is the C array that contains the converted values.
+   NELEMENTS_MAX is the number of values that will fit in RET.
+   Any excess values in DATA are ignored.
    FORMAT is 8, 16 or 32 and denotes char/short/long for each C value to
    be stored in RET.  Note that long is used for 32 even if long is more
    than 32 bits (see man pages for XChangeProperty, XGetWindowProperty and
    XClientMessageEvent).  */
 
 void
-x_fill_property_data (dpy, data, ret, format)
+x_fill_property_data (dpy, data, ret, nelements_max, format)
      Display *dpy;
      Lisp_Object data;
      void *ret;
+     int nelements_max;
      int format;
 {
   long val;
   long  *d32 = (long  *) ret;
   short *d16 = (short *) ret;
   char  *d08 = (char  *) ret;
+  int nelements;
   Lisp_Object iter;
 
-  for (iter = data; CONSP (iter); iter = XCDR (iter))
+  for (iter = data, nelements = 0;
+       CONSP (iter) && nelements < nelements_max;
+       iter = XCDR (iter), nelements++)
     {
       Lisp_Object o = XCAR (iter);
 
@@ -2883,7 +2889,10 @@ are ignored.  */)
 
 
   memset (event.xclient.data.b, 0, sizeof (event.xclient.data.b));
+
+  /* event.xclient.data can hold 20 chars, 10 shorts, or 5 longs.  */
   x_fill_property_data (dpyinfo->display, values, event.xclient.data.b,
+                        5 * 32 / event.xclient.format,
                         event.xclient.format);
 
   /* If event mask is 0 the event is sent to the client that created
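Review bot: `5 * 32 / event.xclient.format` divides by the caller-supplied format, so this line depends on `format` having already been validated as 8, 16 or 32 before this point (the hunk does not show that check); a format of 0 would divide by zero and any other value would mis-state the capacity. Deriving the bound from the field itself, e.g. `sizeof (event.xclient.data.b) * 8 / event.xclient.format`, removes the magic number 5 and keeps the new comment true by construction. Separately, the `memset` above still clears only `data.b`, while a format-32 fill writes five `long`s, which on an LP64 platform is 40 bytes rather than 20; the cover letter lists clearing `data.l` instead as a known issue this patch leaves alone, so it is worth a TODO comment next to the `memset`.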
diff --git a/src/xterm.h b/src/xterm.h
index 13b0b49..968ead7 100644
--- a/src/xterm.h
+++ b/src/xterm.h
@@ -19,6 +19,8 @@ along with GNU Emacs; see the file COPYING.  If not, write to
 the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 Boston, MA 02110-1301, USA.  */
 
+/* Modified on 2016-05-08 by Kalle Olavi Niemitalo.  */
+
 #include <X11/Xlib.h>
 #include <X11/cursorfont.h>
 
@@ -1032,6 +1034,7 @@ extern int x_check_property_data P_ ((Lisp_Object));
 extern void x_fill_property_data P_ ((Display *,
                                       Lisp_Object,
                                       void *,
+                                      int,
                                       int));
 extern Lisp_Object x_property_data_to_lisp P_ ((struct frame *,
                                                 unsigned char *,
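Review bot: the prototype now has two unnamed `int` parameters in a row, and with the `P_` style nothing tells a reader which is `nelements_max` and which is `format`; a trailing comment on each line (`/* nelements_max */`, `/* format */`) would make the order visible without changing the declaration.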
-- 
2.1.4





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#23482; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Kalle Olavi Niemitalo <kon@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 24.4; stack buffer overflow in x-send-client-message
User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/23.0.51 (gnu/linux)
X-Accept-Language: fi;q=1.0, en;q=0.9, sv;q=0.5, de;q=0.1
Date: Sun, 08 May 2016 15:27:34 +0300
Message-ID: <87r3dcenux.fsf@HIDDEN>

Start emacs -Q in X, copy the following form to the *scratch*
buffer, and press C-j to evaluate it.  The process then crashes
and glibc reports "stack smashing detected".

(x-send-client-message nil nil nil "foo" 32 (make-list 100 0))

Although the docstring of x-send-client-message claims that
excessive values are ignored, they are actually copied to the
event.xclient.data buffer.  This bug was caused in February 2004
when Fx_send_client_event was moved from xfns.c to xselect.c
and the x_fill_property_data function was added.

This does not seem a security vulnerability though, because Emacs
fully trusts Emacs Lisp code, and if some Emacs Lisp code sends
client messages based on untrusted data, then that's already a
bug of its own.

In my fork, I fixed this by adding a nelements_max parameter to
x_fill_property_data.

In GNU Emacs 24.4.1 (x86_64-pc-linux-gnu, GTK+ Version 3.14.5)
 of 2015-03-07 on trouble, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11604000
System Description:	Debian GNU/Linux 8.4 (jessie)

Configured using:
 `configure --build x86_64-linux-gnu --prefix=/usr
 --sharedstatedir=/var/lib --libexecdir=/usr/lib
 --localstatedir=/var/lib --infodir=/usr/share/info
 --mandir=/usr/share/man --with-pop=yes
 --enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.4/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.4/site-lisp:/usr/share/emacs/site-lisp
 --build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib
 --libexecdir=/usr/lib --localstatedir=/var/lib
 --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes
 --enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.4/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.4/site-lisp:/usr/share/emacs/site-lisp
 --with-x=yes --with-x-toolkit=gtk3 --with-toolkit-scroll-bars
 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat
 -Werror=format-security -Wall' CPPFLAGS=-D_FORTIFY_SOURCE=2
 LDFLAGS=-Wl,-z,relro'

Important settings:
  value of $LANG: fi_FI.utf8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
M-x r e p o r t SPC e m a c s SPC b u g <return>

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Load-path shadows:
None found.

Features:
(shadow sort gnus-util mail-extr emacsbug message format-spec rfc822 mml
easymenu mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums
mm-util help-fns mail-prsvr mail-utils time-date tooltip electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar
dnd fontset image regexp-opt fringe tabulated-list newcomment lisp-mode
prog-mode register page menu-bar rfn-eshadow timer select scroll-bar
mouse jit-lock font-lock syntax facemenu font-core frame cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev
minibuffer nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
dbusbind gfilenotify dynamic-setting system-font-setting
font-render-setting move-toolbar gtk x-toolkit x multi-tty emacs)

Memory information:
((conses 16 71460 7916)
 (symbols 48 17673 0)
 (miscs 40 38 113)
 (strings 32 9157 4731)
 (string-bytes 1 250735)
 (vectors 16 8949)
 (vector-slots 8 385259 16186)
 (floats 8 63 68)
 (intervals 56 255 50)
 (buffers 960 11)
 (heap 1024 40257 948))
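The bounded conversion the report describes, written here as an added C example; it is not Emacs code and not the patch's own x_fill_property_data. It models the 20-byte data area of XClientMessageEvent as a plain byte array, computes the capacity with the same arithmetic the patch uses (160 bits divided by the format width, giving 20, 10 or 5 values), and stores at most that many values, returning how many were kept. The function names (client_data_capacity, fill_client_data, report_scenario_guard_intact) are hypothetical, the sample values are constructed, and the guard bytes after the buffer play the role the stack protector played when it reported "stack smashing detected".

```c
/* Added example, not Emacs code: a bounded fill of a fixed-size X client
   message data area.  The capacity arithmetic mirrors the patch's
   5 * 32 / format, but is tied to sizeof so the magic number disappears.
   All names below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_DATA_BYTES 20   /* same size as XClientMessageEvent.data.b */

struct client_data {
    unsigned char b[CLIENT_DATA_BYTES];
};

/* Number of values of FORMAT bits that fit in the data area:
   20 for format 8, 10 for format 16, 5 for format 32; 0 if FORMAT is not
   one of those, so a caller can reject it before touching the buffer. */
size_t client_data_capacity(int format)
{
    if (format != 8 && format != 16 && format != 32)
        return 0;
    return CLIENT_DATA_BYTES * 8 / (size_t) format;
}

/* Copy at most the values that fit from VALUES (N entries) into OUT,
   silently ignoring the excess as the x-send-client-message docstring
   promises.  Returns the number stored, or -1 for an unsupported format. */
int fill_client_data(struct client_data *out, int format,
                     const long *values, size_t n)
{
    size_t cap = client_data_capacity(format);
    if (cap == 0)
        return -1;
    memset(out->b, 0, sizeof out->b);        /* clear the whole area first */
    size_t count = n < cap ? n : cap;        /* the bound that was missing */
    for (size_t i = 0; i < count; i++) {
        long v = values[i];
        switch (format) {
        case 8: {
            uint8_t c = (uint8_t) v;
            memcpy(out->b + i, &c, sizeof c);
            break;
        }
        case 16: {
            uint16_t s = (uint16_t) v;
            memcpy(out->b + i * sizeof s, &s, sizeof s);
            break;
        }
        default: {                           /* format 32 */
            uint32_t l = (uint32_t) v;
            memcpy(out->b + i * sizeof l, &l, sizeof l);
            break;
        }
        }
    }
    return (int) count;
}

/* Reproduces the report's scenario (100 values with format 32) against a
   buffer followed by constructed guard bytes.  Returns 1 if exactly five
   values were stored and the guard is untouched, 0 otherwise. */
int report_scenario_guard_intact(void)
{
    struct { struct client_data d; unsigned char guard[8]; } frame;
    memset(frame.guard, 0xAA, sizeof frame.guard);
    long values[100];
    for (int i = 0; i < 100; i++)
        values[i] = i + 1;
    int stored = fill_client_data(&frame.d, 32, values, 100);
    if (stored != 5)
        return 0;
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0xAA)
            return 0;
    return 1;
}

int main(void)
{
    printf("capacity for format 32: %zu values\n", client_data_capacity(32));
    printf("report scenario, guard intact: %d\n", report_scenario_guard_intact());
    return 0;
}
```

The unbounded original copied every list element, so 100 longs went into a 20-byte field and overwrote the stack protector's canary; with the bound in place the same input stores five values and the guard bytes survive. Returning the count also lets a caller that expects no truncation detect it, which the patch's `void` function cannot.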





Acknowledgement sent to Kalle Olavi Niemitalo <kon@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#23482; Package emacs. Full text available.
Last modified: Sun, 19 Jan 2020 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.