GNU bug report logs - #42530
28.0.50; Integer overflows in alloc.c on macOS


Package: emacs;

Reported by: Philipp <p.stephani2 <at> gmail.com>

Date: Sat, 25 Jul 2020 17:21:02 UTC

Severity: normal

Found in version 28.0.50

Fixed in version 28.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#42530; Package emacs. (Sat, 25 Jul 2020 17:21:02 GMT)

Acknowledgement sent to Philipp <p.stephani2 <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sat, 25 Jul 2020 17:21:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Philipp <p.stephani2 <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 28.0.50; Integer overflows in alloc.c on macOS
Date: Sat, 25 Jul 2020 19:20:07 +0200
-fsanitize=undefined finds the following integer overflows in alloc.c:

alloc.c:4641:33: runtime error: addition of unsigned offset to 0x000102496c05 overflowed to 0x000102496c00
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4641:33 in 
alloc.c:4852:9: runtime error: pointer index expression with base 0xffffffffffffffff overflowed to 0x00010344053f
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4852:9 in 

I briefly checked the code, but couldn't find anything obviously wrong.
Note that UBSan also checks for unsigned integer overflows, which are
technically not undefined, but might still be fishy.  If these overflows
are intended, we should probably use INT_ADD_WRAPV to make that clear
and suppress the sanitizer.


In GNU Emacs 28.0.50 (build 66, x86_64-apple-darwin19.5.0, NS appkit-1894.50 Version 10.15.5 (Build 19F101))
 of 2020-07-25
Repository revision: 3b44829823f43d3736b8ec9db2258eeff7f6c16a
Repository branch: master
Windowing system distributor 'Apple', version 10.3.1894
System Description:  Mac OS X 10.15.5

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-xml2 --without-pop --with-mailutils
 --enable-gcc-warnings=warn-only --enable-checking=all
 --enable-check-lisp-object-type 'CFLAGS=-g3 -O1 -fsanitize=address
 -fsanitize=undefined -fno-omit-frame-pointer''

Configured features:
JPEG TIFF GIF PNG NOTIFY KQUEUE ACL GNUTLS ZLIB TOOLKIT_SCROLL_BARS NS
MODULES THREADS JSON PDUMPER LCMS2

Important settings:
  value of $LANG: de_DE.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc dired dired-loaddefs rfc822
mml easymenu mml-sec epa epg epg-config gnus-util rmail rmail-loaddefs
text-property-search time-date mm-decode mm-bodies mm-encode mail-parse
rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045
ietf-drums mm-util mail-prsvr mail-utils phst skeleton derived edmacro
kmacro pcase ffap thingatpt url url-proxy url-privacy url-expand
url-methods url-history url-cookie url-domsuf url-util url-parse
auth-source cl-seq eieio eieio-core cl-macs eieio-loaddefs
password-cache json map url-vars mailcap subr-x rx gnutls puny seq
byte-opt gv bytecomp byte-compile cconv dbus xml compile comint
ansi-color ring cl-loaddefs cl-lib tooltip eldoc electric uniquify
ediff-hook vc-hooks lisp-float-type mwheel term/ns-win ns-win
ucs-normalize mule-util term/common-win tool-bar dnd fontset image
regexp-opt fringe tabulated-list replace newcomment text-mode elisp-mode
lisp-mode prog-mode register page tab-bar menu-bar rfn-eshadow isearch
timer select scroll-bar mouse jit-lock font-lock syntax facemenu
font-core term/tty-colors frame minibuffer cl-generic cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese eucjp-ms cp51932 hebrew greek romanian slovak czech european
ethiopic indian cyrillic chinese composite charscript charprop
case-table epa-hook jka-cmpr-hook help simple abbrev obarray
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote threads kqueue cocoa ns
lcms2 multi-tty make-network-process emacs)

Memory information:
((conses 16 69705 5415)
 (symbols 48 8650 1)
 (strings 32 23527 1769)
 (string-bytes 1 768093)
 (vectors 16 14130)
 (vector-slots 8 172256 4253)
 (floats 8 25 30)
 (intervals 56 210 0)
 (buffers 992 10))
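
Added example (not code from the report above and not Emacs code) illustrating the two findings: forming `p + off` in C where the result would wrap the address space is undefined behaviour whether `off` is signed or unsigned, which is what the `pointer-overflow` check inside `-fsanitize=undefined` reports, while the same addition carried out on `uintptr_t`/`intptr_t` values with `__builtin_add_overflow` (the primitive gnulib's `INT_ADD_WRAPV` expands to on recent GCC and Clang) is well-defined and lets the caller detect the wrap. The offsets are derived arithmetically from the addresses in the sanitizer messages (an offset of 2^64 - 5 turns ...c05 into ...c00; an index of 0x103440540 from base 0xffffffffffffffff lands on 0x10344053f) and assume a 64-bit target. The arena bounds, the word list and the signed bias in `count_candidates` are constructed; the bias is an assumed adjustment standing in for whatever a real conservative collector applies, not a description of what `mark_memory` does.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Emacs code.  Pointer arithmetic that would wrap the
   address space is undefined behaviour in C even if the result is never
   dereferenced; UBSan's pointer-overflow check reports exactly that.  Doing
   the same arithmetic on uintptr_t/intptr_t values is well-defined, and
   __builtin_add_overflow (what gnulib's INT_ADD_WRAPV expands to on recent
   GCC and Clang) additionally tells the caller whether it wrapped.  */

/* The pattern the sanitizer complains about.  Never called here: with an
   OFF that wraps past the end of the address space this is undefined
   behaviour, and with any OFF that leaves the object P points into it is
   undefined behaviour as well.  Shown only for contrast.  */
static char *
add_offset_ub (char *p, uintptr_t off)
{
  return p + off;
}

/* Same addition in unsigned integer space.  Wrap-around modulo 2^N is
   well-defined for unsigned types; the return value says whether it
   happened, which is what the alloc.c:4641 report was about.  */
bool
add_offset_wrapv (uintptr_t base, uintptr_t off, uintptr_t *result)
{
  return __builtin_add_overflow (base, off, result);
}

/* Signed variant, mirroring INT_ADD_WRAPV ((intptr_t) a, b, &r).  Signed
   overflow is undefined for plain '+', but the builtin computes the wrapped
   value and reports the overflow instead.  */
bool
add_offset_wrapv_signed (intptr_t a, intptr_t b, intptr_t *result)
{
  return __builtin_add_overflow (a, b, result);
}

/* Range check on the integer value before it is ever turned back into a
   pointer: only a value inside a known arena [LO, HI) may become one.  */
bool
maybe_points_into (uintptr_t value, uintptr_t lo, uintptr_t hi)
{
  return lo <= value && value < hi;
}

/* Conservative scan of N words of a constructed "stack": every word is
   treated as a possible pointer, a signed BIAS (an assumed adjustment,
   standing in for whatever a real collector applies) is added in intptr_t
   space with overflow detection, and the words that then fall inside
   [LO, HI) are counted.  A word whose biased value would overflow cannot be
   a valid pointer and is skipped rather than computed with wrapping pointer
   arithmetic.  Converting a uintptr_t above INTPTR_MAX to intptr_t is
   implementation-defined (two's complement on every mainstream target),
   not undefined.  */
size_t
count_candidates (const uintptr_t *words, size_t n,
                  uintptr_t lo, uintptr_t hi, intptr_t bias)
{
  size_t count = 0;
  for (size_t i = 0; i < n; i++)
    {
      intptr_t biased;
      if (__builtin_add_overflow ((intptr_t) words[i], bias, &biased))
        continue;
      if (maybe_points_into ((uintptr_t) biased, lo, hi))
        count++;
    }
  return count;
}

int
main (void)
{
  uintptr_t r;
  /* Offsets derived from the two sanitizer messages (64-bit assumed).  */
  bool w1 = add_offset_wrapv ((uintptr_t) 0x102496c05ULL, UINTPTR_MAX - 4, &r);
  printf ("0x102496c05 + (2^64-5): wrapped=%d result=%#" PRIxPTR "\n", w1, r);
  bool w2 = add_offset_wrapv (UINTPTR_MAX, (uintptr_t) 0x103440540ULL, &r);
  printf ("0xffffffffffffffff + 0x103440540: wrapped=%d result=%#" PRIxPTR "\n", w2, r);

  /* Constructed stack words and arena [0x1000, 0x2000).  */
  uintptr_t words[] = { 0x1008, 0x3000, UINTPTR_MAX, 0x1ff8, (uintptr_t) INTPTR_MAX };
  size_t n = sizeof words / sizeof words[0];
  printf ("candidates bias 0: %zu, bias 16: %zu, bias -8: %zu\n",
          count_candidates (words, n, 0x1000, 0x2000, 0),
          count_candidates (words, n, 0x1000, 0x2000, 16),
          count_candidates (words, n, 0x1000, 0x2000, -8));
  (void) add_offset_ub;
  return 0;
}
```

Both sanitizer messages are reproduced in integer space: the first addition wraps from 0x102496c05 to 0x102496c00 and the second from 0xffffffffffffffff to 0x10344053f, with the wrap reported instead of being undefined. In the scan, the word equal to INTPTR_MAX is dropped for a positive bias because the signed addition would overflow, which is the case the fix commit's title refers to.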




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#42530; Package emacs. (Sat, 17 Oct 2020 09:07:01 GMT)

Message #8 received at 42530 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Philipp <p.stephani2 <at> gmail.com>
Cc: 42530 <at> debbugs.gnu.org
Subject: Re: bug#42530: 28.0.50; Integer overflows in alloc.c on macOS
Date: Sat, 17 Oct 2020 11:05:55 +0200
Philipp <p.stephani2 <at> gmail.com> writes:

> -fsanitize=undefined finds the following integer overflows in alloc.c:
>
> alloc.c:4641:33: runtime error: addition of unsigned offset to 0x000102496c05 overflowed to 0x000102496c00
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4641:33 in 
> alloc.c:4852:9: runtime error: pointer index expression with base 0xffffffffffffffff overflowed to 0x00010344053f
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4852:9 in 

How do you reproduce this?  I tried

./configure CFLAGS='-g3 -O1 -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer' --with-modules --without-xml2 --without-pop --with-mailutils --enable-gcc-warnings=warn-only --enable-checking=all --enable-check-lisp-object-type 

and then started Emacs (on Catalina), but didn't get any errors as far
as I can see.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#42530; Package emacs. (Sat, 17 Oct 2020 12:13:02 GMT)

Message #11 received at 42530 <at> debbugs.gnu.org:

From: Philipp Stephani <p.stephani2 <at> gmail.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 42530 <at> debbugs.gnu.org
Subject: Re: bug#42530: 28.0.50; Integer overflows in alloc.c on macOS
Date: Sat, 17 Oct 2020 14:12:03 +0200
On Sat., 17 Oct. 2020 at 11:06, Lars Ingebrigtsen <larsi <at> gnus.org> wrote:
>
> Philipp <p.stephani2 <at> gmail.com> writes:
>
> > -fsanitize=undefined finds the following integer overflows in alloc.c:
> >
> > alloc.c:4641:33: runtime error: addition of unsigned offset to 0x000102496c05 overflowed to 0x000102496c00
> > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4641:33 in
> > alloc.c:4852:9: runtime error: pointer index expression with base 0xffffffffffffffff overflowed to 0x00010344053f
> > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4852:9 in
>
> How do you reproduce this?  I tried
>
> ./configure CFLAGS='-g3 -O1 -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer' --with-modules --without-xml2 --without-pop --with-mailutils --enable-gcc-warnings=warn-only --enable-checking=all --enable-check-lisp-object-type
>
> and then started Emacs (on Catalina), but didn't get any errors as far
> as I can see.

According to 'git bisect' this was fixed by

commit 069b58b7c852b59f8ef7642e21db339626045671
Author: Philipp Stephani <phst <at> google.com>
Date:   Sun Aug 2 12:58:44 2020 +0200

    * src/alloc.c (mark_memory): Avoid signed integer overflow

 src/alloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

and probably other commits around that time.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#42530; Package emacs. (Sun, 18 Oct 2020 08:16:02 GMT)

Message #14 received at 42530 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Philipp Stephani <p.stephani2 <at> gmail.com>
Cc: 42530 <at> debbugs.gnu.org
Subject: Re: bug#42530: 28.0.50; Integer overflows in alloc.c on macOS
Date: Sun, 18 Oct 2020 10:15:26 +0200
Philipp Stephani <p.stephani2 <at> gmail.com> writes:

> According to 'git bisect' this was fixed by
>
> commit 069b58b7c852b59f8ef7642e21db339626045671
> Author: Philipp Stephani <phst <at> google.com>
> Date:   Sun Aug 2 12:58:44 2020 +0200
>
>     * src/alloc.c (mark_memory): Avoid signed integer overflow
>
>  src/alloc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> and probably other commits around that time.

Thanks; I'm closing this bug report, then.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug marked as fixed in version 28.1, send any further explanations to 42530 <at> debbugs.gnu.org and Philipp <p.stephani2 <at> gmail.com> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Sun, 18 Oct 2020 08:16:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 15 Nov 2020 12:24:05 GMT)


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.