bug#42530: 28.0.50; Integer overflows in alloc.c on macOS


bug#42530: 28.0.50; Integer overflows in alloc.c on macOS

Philipp Stephani

-fsanitize=undefined finds the following integer overflows in alloc.c:

alloc.c:4641:33: runtime error: addition of unsigned offset to 0x000102496c05 overflowed to 0x000102496c00
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4641:33 in
alloc.c:4852:9: runtime error: pointer index expression with base 0xffffffffffffffff overflowed to 0x00010344053f
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4852:9 in

I briefly checked the code, but couldn't find anything obviously wrong.
Note that UBSan also checks for unsigned integer overflows, which are
technically not undefined, but might still be fishy.  If these overflows
are intended, we should probably use INT_ADD_WRAPV to make that clear
and suppress the sanitizer.


In GNU Emacs 28.0.50 (build 66, x86_64-apple-darwin19.5.0, NS appkit-1894.50 Version 10.15.5 (Build 19F101))
 of 2020-07-25
Repository revision: 3b44829823f43d3736b8ec9db2258eeff7f6c16a
Repository branch: master
Windowing system distributor 'Apple', version 10.3.1894
System Description:  Mac OS X 10.15.5

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-xml2 --without-pop --with-mailutils
 --enable-gcc-warnings=warn-only --enable-checking=all
 --enable-check-lisp-object-type 'CFLAGS=-g3 -O1 -fsanitize=address
 -fsanitize=undefined -fno-omit-frame-pointer''

Configured features:
JPEG TIFF GIF PNG NOTIFY KQUEUE ACL GNUTLS ZLIB TOOLKIT_SCROLL_BARS NS
MODULES THREADS JSON PDUMPER LCMS2

Important settings:
  value of $LANG: de_DE.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc dired dired-loaddefs rfc822
mml easymenu mml-sec epa epg epg-config gnus-util rmail rmail-loaddefs
text-property-search time-date mm-decode mm-bodies mm-encode mail-parse
rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045
ietf-drums mm-util mail-prsvr mail-utils phst skeleton derived edmacro
kmacro pcase ffap thingatpt url url-proxy url-privacy url-expand
url-methods url-history url-cookie url-domsuf url-util url-parse
auth-source cl-seq eieio eieio-core cl-macs eieio-loaddefs
password-cache json map url-vars mailcap subr-x rx gnutls puny seq
byte-opt gv bytecomp byte-compile cconv dbus xml compile comint
ansi-color ring cl-loaddefs cl-lib tooltip eldoc electric uniquify
ediff-hook vc-hooks lisp-float-type mwheel term/ns-win ns-win
ucs-normalize mule-util term/common-win tool-bar dnd fontset image
regexp-opt fringe tabulated-list replace newcomment text-mode elisp-mode
lisp-mode prog-mode register page tab-bar menu-bar rfn-eshadow isearch
timer select scroll-bar mouse jit-lock font-lock syntax facemenu
font-core term/tty-colors frame minibuffer cl-generic cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese eucjp-ms cp51932 hebrew greek romanian slovak czech european
ethiopic indian cyrillic chinese composite charscript charprop
case-table epa-hook jka-cmpr-hook help simple abbrev obarray
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote threads kqueue cocoa ns
lcms2 multi-tty make-network-process emacs)

Memory information:
((conses 16 69705 5415)
 (symbols 48 8650 1)
 (strings 32 23527 1769)
 (string-bytes 1 768093)
 (vectors 16 14130)
 (vector-slots 8 172256 4253)
 (floats 8 25 30)
 (intervals 56 210 0)
 (buffers 992 10))
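The report above suggests that an intended wrap should be spelled out with INT_ADD_WRAPV instead of left to plain unsigned addition. The following is an added example, not code from Emacs or from anyone in this thread. Gnulib's INT_ADD_WRAPV(a, b, r) has the contract "store the wrapped sum in *r, return true if it wrapped" and expands to __builtin_add_overflow on GCC and Clang, so the example calls that builtin directly. The count_matches routine and the sample_words array are constructed for illustration: they stand in for a conservative range scan of the mark_memory kind and make no claim about what alloc.c actually does at the reported lines.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* INT_ADD_WRAPV-style addition on address-sized integers.  The sum
   wraps modulo 2^N and is stored in *r; the return value reports
   whether a wrap happened.  Plain `a + b` on uintptr_t wraps silently,
   which is exactly what a sanitizer flags as suspicious; routing the
   addition through the builtin states that a wrap is intended and
   gives the caller a flag to act on.  (Gnulib's INT_ADD_WRAPV expands
   to this builtin on GCC and Clang.)  */
static bool add_wrapv (uintptr_t a, uintptr_t b, uintptr_t *r)
{
  return __builtin_add_overflow (a, b, r);
}

/* Conservative scan of [start, end): count word-sized slots whose
   value equals NEEDLE.  All arithmetic is done on uintptr_t, and a
   pointer is formed only for a slot already known to lie inside the
   range, so the loop never indexes a pointer outside its object, which
   is the undefined behaviour UBSan's pointer-overflow check reports.  */
static size_t count_matches (const void *start, const void *end,
                             uintptr_t needle)
{
  uintptr_t p = (uintptr_t) start;
  uintptr_t hi = (uintptr_t) end;
  size_t n = 0;

  while (p < hi && hi - p >= sizeof (uintptr_t))
    {
      if (*(const uintptr_t *) p == needle)
        n++;

      uintptr_t next;
      if (add_wrapv (p, sizeof (uintptr_t), &next))
        break;  /* range ends at the top of the address space: stop, don't wrap to 0 */
      p = next;
    }
  return n;
}

/* Constructed sample input: four aligned words, two of them equal to 42.  */
static const uintptr_t sample_words[4] = { 1, 42, 7, 42 };

static size_t sample_count (void)
{
  return count_matches (sample_words, sample_words + 4, 42);
}

/* The wrap is reported to the caller instead of happening silently.  */
static bool max_plus_one_wraps_to_zero (void)
{
  uintptr_t r;
  bool wrapped = add_wrapv (UINTPTR_MAX, 1, &r);
  return wrapped && r == 0;
}

/* An ordinary sum is returned unchanged with the flag clear.  */
static bool small_sum_does_not_wrap (void)
{
  uintptr_t r;
  bool wrapped = add_wrapv (1, 2, &r);
  return !wrapped && r == 3;
}

int main (void)
{
  printf ("matches in sample range: %zu\n", sample_count ());
  printf ("UINTPTR_MAX + 1 wraps and is reported: %s\n",
          max_plus_one_wraps_to_zero () ? "yes" : "no");
  return 0;
}
```

Built with `-fsanitize=undefined`, the scan produces no pointer-overflow or unsigned-overflow diagnostics because the only arithmetic that can wrap is the one the code explicitly asks the builtin to perform and check.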




bug#42530: 28.0.50; Integer overflows in alloc.c on macOS

Lars Ingebrigtsen
Philipp <[hidden email]> writes:

> -fsanitize=undefined finds the following integer overflows in alloc.c:
>
> alloc.c:4641:33: runtime error: addition of unsigned offset to 0x000102496c05 overflowed to 0x000102496c00
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4641:33 in
> alloc.c:4852:9: runtime error: pointer index expression with base 0xffffffffffffffff overflowed to 0x00010344053f
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4852:9 in

How do you reproduce this?  I tried

./configure CFLAGS='-g3 -O1 -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer' --with-modules --without-xml2 --without-pop --with-mailutils --enable-gcc-warnings=warn-only --enable-checking=all --enable-check-lisp-object-type

and then started Emacs (on Catalina), but didn't get any errors as far
as I can see.

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug#42530: 28.0.50; Integer overflows in alloc.c on macOS

Philipp Stephani
On Sat, 17 Oct 2020 at 11:06, Lars Ingebrigtsen <[hidden email]> wrote:

>
> Philipp <[hidden email]> writes:
>
> > -fsanitize=undefined finds the following integer overflows in alloc.c:
> >
> > alloc.c:4641:33: runtime error: addition of unsigned offset to 0x000102496c05 overflowed to 0x000102496c00
> > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4641:33 in
> > alloc.c:4852:9: runtime error: pointer index expression with base 0xffffffffffffffff overflowed to 0x00010344053f
> > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior alloc.c:4852:9 in
>
> How do you reproduce this?  I tried
>
> ./configure CFLAGS='-g3 -O1 -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer' --with-modules --without-xml2 --without-pop --with-mailutils --enable-gcc-warnings=warn-only --enable-checking=all --enable-check-lisp-object-type
>
> and then started Emacs (on Catalina), but didn't get any errors as far
> as I can see.

According to 'git bisect' this was fixed by

commit 069b58b7c852b59f8ef7642e21db339626045671
Author: Philipp Stephani <[hidden email]>
Date:   Sun Aug 2 12:58:44 2020 +0200

    * src/alloc.c (mark_memory): Avoid signed integer overflow

 src/alloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

and probably other commits around that time.




bug#42530: 28.0.50; Integer overflows in alloc.c on macOS

Lars Ingebrigtsen
Philipp Stephani <[hidden email]> writes:

> According to 'git bisect' this was fixed by
>
> commit 069b58b7c852b59f8ef7642e21db339626045671
> Author: Philipp Stephani <[hidden email]>
> Date:   Sun Aug 2 12:58:44 2020 +0200
>
>     * src/alloc.c (mark_memory): Avoid signed integer overflow
>
>  src/alloc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> and probably other commits around that time.

Thanks; I'm closing this bug report, then.

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no