[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#63063: CVE-2021-36699 report
From: |
Po Lu |
Subject: |
bug#63063: CVE-2021-36699 report |
Date: |
Tue, 25 Apr 2023 16:38:19 +0800 |
User-agent: |
Gnus/5.13 (Gnus v5.13) |
Eli Zaretskii <eliz@gnu.org> writes:
>> From: Po Lu <luangruo@yahoo.com>
>> Cc: fuomag9 <fuo@fuo.fi>, 63063@debbugs.gnu.org
>> Date: Tue, 25 Apr 2023 15:24:31 +0800
>>
>> Eli Zaretskii <eliz@gnu.org> writes:
>>
>> > Please tell more about the buffer overflow: where does it happen in
>> > the Emacs sources, which buffer overflows, and why. I cannot find
>> > these details in your report.
>>
>> It happens because the dump file is deliberately edited to be invalid.
>
> I didn't ask about the root cause, I asked about the details of the
> problem: where it happens in our sources, and what exactly happens.
The protection fault is in `dump_do_emacs_relocation'. When the dump
file contains a relocation with an offset outside the heap:
lv = make_lisp_ptr (obj_ptr, reloc.length);
memcpy (emacs_ptr_at (reloc.emacs_offset), &lv, sizeof (lv));
will end up copying outside the heap.
- bug#63063: CVE-2021-36699 report, Eli Zaretskii, 2023/04/25
- bug#63063: CVE-2021-36699 report, Po Lu, 2023/04/25
- bug#63063: CVE-2021-36699 report, Eli Zaretskii, 2023/04/25
- bug#63063: CVE-2021-36699 report,
Po Lu <=
- bug#63063: CVE-2021-36699 report, Eli Zaretskii, 2023/04/25
- bug#63063: CVE-2021-36699 report, Po Lu, 2023/04/25
- bug#63063: CVE-2021-36699 report, Eli Zaretskii, 2023/04/25
- bug#63063: CVE-2021-36699 report, Po Lu, 2023/04/25
- bug#63063: CVE-2021-36699 report, Eli Zaretskii, 2023/04/25
- bug#63063: CVE-2021-36699 report, Po Lu, 2023/04/25
- bug#63063: CVE-2021-36699 report, Eli Zaretskii, 2023/04/25
- bug#63063: CVE-2021-36699 report, Po Lu, 2023/04/25
- bug#63063: CVE-2021-36699 report, lux, 2023/04/25
- bug#63063: CVE-2021-36699 report, Eli Zaretskii, 2023/04/25