[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Patch request: Fix a macro expansion segfault from unchecked overflo
Re: Patch request: Fix a macro expansion segfault from unchecked overflow.
Fri, 8 Jul 2022 23:16:24 -0600
Happy to contribute =)! And thanks for the review and feedback.
I attached a more complete patch for this bug. It applies to ‘branch-1.4’.
On Fri, Jun 24, 2022 at 10:29:02PM -0600, Byron Johnson wrote:
> I've attached to this email a patch that fixes a segfault from
> ‘expand_user_macro’ so that integer overflows don't bypass the bounds
> check. It applies to ‘branch-1.4’.
Thanks for catching a lurking bug! The patch is not quite correct: by
using unsigned, you have avoided the overflow to negative that
triggered an out-of-bounds memory reference, but you did not prevent
overflow where a macro definition of `$4294967297' is identical to a
macro definition of `$1' whether or not your patch is applied. Better
is to treat all cases of integer overflow as being larger than argc,
and expand to an empty string, rather than having aliased expansions
to earlier argument numbers, but that requires more than one line of
code to do properly.
> From 1807c3bfca8ecb761f46be149dc3cb1ea2b041d2 Mon Sep 17 00:00:00 2001
> From: Byron Johnson <firstname.lastname@example.org>
> Date: Fri, 24 Jun 2022 21:59:35 -0600
> Subject: [PATCH] Fix a macro expansion segfault from unchecked overflow.
> This example reproduces the bug on 1.4 m4's before this fix:
> % ~/local/m4/1.4/bin/m4 <<< 'define(`mac'\'', $2028558489387014291456) mac'
> /home/bairyn/local/m4/1.4/bin/m4: internal error detected; please report this bug to <email@example.com>: Segmentation fault
That bug is ANCIENT! It is still present in commit bd11691d (ie, the
very first git commit matching the release of 1.4 in Nov 1994); I have
no access to sources specific to earlier release versions to know when
the GNU extension of supporting $10 as the tenth parameter (rather
than the first parameter concatenated with literal 0) was actually
introduced, but that appears to be where the bug was introduced -
perhaps as far back as release 0.50 in Jan 1990.
Not every day you get to find and fix a bug that old!
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
Description: Text Data