GNU bug report logs - #62039
Emacs crashes while parsing a long Emacs Lisp string

Package: emacs;

Reported by: Bruno Haible <bruno <at> clisp.org>

Date: Tue, 7 Mar 2023 21:53:01 UTC

Severity: normal

Done: Mattias Engdegård <mattiase <at> acm.org>

Bug is archived. No further changes may be made.

Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#62039; Package emacs. (Tue, 07 Mar 2023 21:53:01 GMT)

Acknowledgement sent to Bruno Haible <bruno <at> clisp.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 07 Mar 2023 21:53:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Bruno Haible <bruno <at> clisp.org>
To: bug-gnu-emacs <at> gnu.org
Subject: Emacs crashes while parsing a long Emacs Lisp string
Date: Tue, 07 Mar 2023 22:51:58 +0100
When parsing a particular long Emacs Lisp string, Emacs crashes.

How to reproduce:

$ emacs -Q -batch -f batch-byte-compile foo.el
Segmentation fault

Find attached the compressed file foo.el.

Emacs version: 27.1
Platform: x86_64-linux-gnu
$ ulimit -a | grep stack
stack size                  (kbytes, -s) 8192

According to the documentation
https://www.gnu.org/software/emacs/manual/html_node/emacs/Bug-Criteria.html
any segmentation fault is a bug.

I haven't analyzed the security impact of this bug, but it is quite possible
that emacs receives a string through the network, and even though the string
is not meant to be evaluated, simply parsing it causes a denial-of-service
to the emacs user.

The cause of the bug is that in emacs/src/lread.c the function read_escape()
is recursive, and no bound on the recursion depth is enforced.

[foo.el.gz (application/gzip, attachment)]
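
The root cause named in the report, recursion with no enforced depth bound in an escape parser, shown as an added example that is neither Emacs's lread.c code nor the fix that was committed. It assumes a toy grammar in which `\C-` and `\M-` prefixes may nest; every function name, the bit values and the limit of 64 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy values, assumed for this sketch; not taken from the page. */
#define CTRL_BIT  0x4000000L
#define META_BIT  0x8000000L
#define MAX_DEPTH 64
#define IS_MOD(s) ((s)[0] == '\\' && ((s)[1] == 'C' || (s)[1] == 'M') && (s)[2] == '-')

/* Recursive form: every prefix costs a stack frame, so without the depth check
   input length alone decides stack use. Returns -1 if truncated or too deep. */
long esc_recursive(const char **p, int depth) {
    const char *s = *p;
    if (depth > MAX_DEPTH || s[0] == '\0') return -1;
    if (IS_MOD(s)) {
        long bit = s[1] == 'C' ? CTRL_BIT : META_BIT;
        *p = s + 3;
        long c = esc_recursive(p, depth + 1);
        return c < 0 ? -1 : (c | bit);
    }
    *p = s + 1;
    return (unsigned char)s[0];
}

/* Iterative form: modifiers accumulate in a local, so stack use is constant. */
long esc_iterative(const char **p) {
    long mods = 0;
    const char *s = *p;
    for (; IS_MOD(s); s += 3)
        mods |= s[1] == 'C' ? CTRL_BIT : META_BIT;
    if (s[0] == '\0') return -1;
    *p = s + 1;
    return (unsigned char)s[0] | mods;
}

/* Parse a constructed input: n "\C-" prefixes followed by 'a'. */
long parse_nested(int n, int iterative) {
    static char buf[3 * 4096 + 2];
    if (n < 0 || n > 4096) return -1;
    for (int i = 0; i < n; i++) memcpy(buf + 3 * i, "\\C-", 3);
    memcpy(buf + 3 * n, "a", 2);          /* copies 'a' and the terminator */
    const char *p = buf;
    return iterative ? esc_iterative(&p) : esc_recursive(&p, 0);
}

int main(void) {
    printf("%ld %ld\n", parse_nested(4096, 0), parse_nested(4096, 1));
}
```

The recursive parser rejects the 4096-prefix input with an error instead of descending further, while the iterative one parses it with no growth in stack use.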

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#62039; Package emacs. (Wed, 08 Mar 2023 09:41:01 GMT)

Message #8 received at 62039 <at> debbugs.gnu.org:

From: Mattias Engdegård <mattiase <at> acm.org>
To: Bruno Haible <bruno <at> clisp.org>
Cc: 62039 <at> debbugs.gnu.org
Subject: bug#62039: Emacs crashes while parsing a long Emacs Lisp string
Date: Wed, 8 Mar 2023 10:39:53 +0100
> The cause of the bug is that in emacs/src/lread.c the function read_escape() is recursive, and no bound on the recursion depth is enforced. 

Dear me, I meant to remove that recursion during the last reader renovation but got sidetracked.

Will fix. Thank you very much for noticing and reporting this bug.

Reply sent to Mattias Engdegård <mattiase <at> acm.org>:
You have taken responsibility. (Sat, 11 Mar 2023 09:26:02 GMT)

Notification sent to Bruno Haible <bruno <at> clisp.org>:
bug acknowledged by developer. (Sat, 11 Mar 2023 09:26:02 GMT)

Message #13 received at 62039-done <at> debbugs.gnu.org:

From: Mattias Engdegård <mattiase <at> acm.org>
To: Bruno Haible <bruno <at> clisp.org>
Cc: 62039-done <at> debbugs.gnu.org
Subject: Re: bug#62039: Emacs crashes while parsing a long Emacs Lisp string
Date: Sat, 11 Mar 2023 10:25:34 +0100
Now fixed on master. Thanks again for the report.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 08 Apr 2023 11:24:07 GMT)

This bug report was last modified 355 days ago.
