bug#71694: 30.0.50; heap-use-after-free in tty_defined_color

From: Daniel Clemente
Subject: bug#71694: 30.0.50; heap-use-after-free in tty_defined_color
Date: Fri, 21 Jun 2024 10:47:01 +0000
I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
I opened the daemon inside gdb with: emacs --fg-daemon -Q

I don't remember what exactly I was doing here, but it only involved
slowly opening 2 or 3 terminals like this:

  urxvt -e "emacsclient" "-c" "-e" '(dired "~")'

and then I might have opened 2 or 3 with this (in the same session):

  xterm -e "emacsclient" "-c" "-e" '(dired "~")'

Plus switching between them and closing them.

However, that's not a reproduction formula, it's just what I was doing
when this crash randomly happened. I don't know how to reproduce this
yet.
=================================================================
==9677==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000123b30 at pc 0x55555695b2c9 bp 0x7fffffff9900 sp 0x7fffffff98f8
READ of size 1 at 0x625000123b30 thread T0
#0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115
#1 0x55555695c2fb in load_color2 /w/emacs/src/xfaces.c:1260
#2 0x55555695cd2e in load_color /w/emacs/src/xfaces.c:1323
#3 0x5555569785c5 in map_tty_color /w/emacs/src/xfaces.c:6517
#4 0x555556979fee in realize_tty_face /w/emacs/src/xfaces.c:6667
#5 0x555556977f41 in realize_face /w/emacs/src/xfaces.c:6069
#6 0x5555569778eb in realize_named_face /w/emacs/src/xfaces.c:6037
#7 0x555556975d9e in realize_basic_faces /w/emacs/src/xfaces.c:5829
#8 0x5555569589fc in init_frame_faces /w/emacs/src/xfaces.c:660
#9 0x5555564f74e7 in make_terminal_frame /w/emacs/src/frame.c:1305
#10 0x5555564f8bc2 in Fmake_terminal_frame /w/emacs/src/frame.c:1418
#11 0x555556cc87a9 in funcall_subr /w/emacs/src/eval.c:3161
#12 0x555556dd758c in exec_byte_code /w/emacs/src/bytecode.c:812
#13 0x555556ccab01 in funcall_lambda /w/emacs/src/eval.c:3252
#14 0x555556cc7225 in funcall_general /w/emacs/src/eval.c:3044
#15 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#16 0x555556cc4f90 in Fapply /w/emacs/src/eval.c:2722
#17 0x555556cc9e6c in funcall_subr /w/emacs/src/eval.c:3184
#18 0x555556dd758c in exec_byte_code /w/emacs/src/bytecode.c:812
#19 0x555556ccab01 in funcall_lambda /w/emacs/src/eval.c:3252
#20 0x555556cc7225 in funcall_general /w/emacs/src/eval.c:3044
#21 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#22 0x7ffff1a3c67d in F7365727665722d2d6372656174652d6672616d65_server__create_frame_0 (/home/dc/.emacs.d/eln-cache/30.0.50-27e3aa0e/server-0cc44189-5a0bf11b.eln+0x867d)
#23 0x555556cc8b10 in funcall_subr /w/emacs/src/eval.c:3165
#24 0x555556cc71d9 in funcall_general /w/emacs/src/eval.c:3040
#25 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#26 0x7ffff1a3bfa3 in F7365727665722d6372656174652d7474792d6672616d65_server_create_tty_frame_0 (/home/dc/.emacs.d/eln-cache/30.0.50-27e3aa0e/server-0cc44189-5a0bf11b.eln+0x7fa3)
#27 0x555556cc8d92 in funcall_subr /w/emacs/src/eval.c:3167
#28 0x555556cc71d9 in funcall_general /w/emacs/src/eval.c:3040
#29 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#30 0x7ffff1a3ea2a in F7365727665722d2d70726f636573732d66696c7465722d31_server__process_filter_1_0 (/home/dc/.emacs.d/eln-cache/30.0.50-27e3aa0e/server-0cc44189-5a0bf11b.eln+0xaa2a)
#31 0x555556cc891c in funcall_subr /w/emacs/src/eval.c:3163
#32 0x555556cc71d9 in funcall_general /w/emacs/src/eval.c:3040
#33 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#34 0x7ffff1a3ce38 in F7365727665722d2d70726f636573732d66696c7465722d616c6c2d70656e64696e67_server__process_filter_all_pending_0 (/home/dc/.emacs.d/eln-cache/30.0.50-27e3aa0e/server-0cc44189-5a0bf11b.eln+0x8e38)
#35 0x555556cc86b7 in funcall_subr /w/emacs/src/eval.c:3159
#36 0x555556cc71d9 in funcall_general /w/emacs/src/eval.c:3040
#37 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#38 0x7ffff1a3ccdd in F7365727665722d70726f636573732d66696c746572_server_process_filter_0 (/home/dc/.emacs.d/eln-cache/30.0.50-27e3aa0e/server-0cc44189-5a0bf11b.eln+0x8cdd)
#39 0x555556cc891c in funcall_subr /w/emacs/src/eval.c:3163
#40 0x555556cc71d9 in funcall_general /w/emacs/src/eval.c:3040
#41 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#42 0x555556cc5c9e in Fapply /w/emacs/src/eval.c:2765
#43 0x555556cc6c51 in apply1 /w/emacs/src/eval.c:2981
#44 0x555556e4a446 in read_process_output_call /w/emacs/src/process.c:6129
#45 0x555556cbbbd1 in internal_condition_case_1 /w/emacs/src/eval.c:1637
#46 0x555556e50edb in read_and_dispose_of_process_output /w/emacs/src/process.c:6493
#47 0x555556e4c115 in read_process_output /w/emacs/src/process.c:6266
#48 0x555556e48808 in wait_reading_process_output /w/emacs/src/process.c:5947
#49 0x5555564e2901 in sit_for /w/emacs/src/dispnew.c:6335
#50 0x5555569acaac in read_char /w/emacs/src/keyboard.c:2923
#51 0x5555569e9ca1 in read_key_sequence /w/emacs/src/keyboard.c:10728
#52 0x55555699b121 in command_loop_1 /w/emacs/src/keyboard.c:1429
#53 0x555556cbb677 in internal_condition_case /w/emacs/src/eval.c:1613
#54 0x555556999796 in command_loop_2 /w/emacs/src/keyboard.c:1168
#55 0x555556cb84d7 in internal_catch /w/emacs/src/eval.c:1292
#56 0x555556999699 in command_loop /w/emacs/src/keyboard.c:1146
#57 0x555556996e79 in recursive_edit_1 /w/emacs/src/keyboard.c:754
#58 0x555556997530 in Frecursive_edit /w/emacs/src/keyboard.c:837
#59 0x555556989056 in main /w/emacs/src/emacs.c:2629
#60 0x7ffff4e46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#61 0x7ffff4e46304 in __libc_start_main_impl ../csu/libc-start.c:360
#62 0x5555563a7150 in _start (/opt/dc/emacs/bin/emacs-30.0.50+0xe53150)
0x625000123b30 is located 6704 bytes inside of 8184-byte region [0x625000122100,0x6250001240f8)
freed by thread T0 here:
#0 0x555556439c98 in __interceptor_free.part.0 (/opt/dc/emacs/bin/emacs-30.0.50+0xee5c98)
#1 0x555556bdbcf6 in lisp_free /w/emacs/src/alloc.c:1059
#2 0x555556be0c60 in compact_small_strings /w/emacs/src/alloc.c:2311
#3 0x555556be0156 in sweep_strings /w/emacs/src/alloc.c:2191
#4 0x555556c03f47 in gc_sweep /w/emacs/src/alloc.c:7871
#5 0x555556bfa985 in garbage_collect /w/emacs/src/alloc.c:6674
#6 0x555556bf9be5 in maybe_garbage_collect /w/emacs/src/alloc.c:6507
#7 0x555556caef99 in maybe_gc /w/emacs/src/lisp.h:5927
#8 0x555556cc79de in Ffuncall /w/emacs/src/eval.c:3088
#9 0x55555695a86a in tty_lookup_color /w/emacs/src/xfaces.c:1050
#10 0x55555695b21c in tty_defined_color /w/emacs/src/xfaces.c:1113
#11 0x55555695c2fb in load_color2 /w/emacs/src/xfaces.c:1260
#12 0x55555695cd2e in load_color /w/emacs/src/xfaces.c:1323
#13 0x5555569785c5 in map_tty_color /w/emacs/src/xfaces.c:6517
#14 0x555556979fee in realize_tty_face /w/emacs/src/xfaces.c:6667
#15 0x555556977f41 in realize_face /w/emacs/src/xfaces.c:6069
#16 0x5555569778eb in realize_named_face /w/emacs/src/xfaces.c:6037
#17 0x555556975d9e in realize_basic_faces /w/emacs/src/xfaces.c:5829
#18 0x5555569589fc in init_frame_faces /w/emacs/src/xfaces.c:660
#19 0x5555564f74e7 in make_terminal_frame /w/emacs/src/frame.c:1305
#20 0x5555564f8bc2 in Fmake_terminal_frame /w/emacs/src/frame.c:1418
#21 0x555556cc87a9 in funcall_subr /w/emacs/src/eval.c:3161
#22 0x555556dd758c in exec_byte_code /w/emacs/src/bytecode.c:812
#23 0x555556ccab01 in funcall_lambda /w/emacs/src/eval.c:3252
#24 0x555556cc7225 in funcall_general /w/emacs/src/eval.c:3044
#25 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#26 0x555556cc4f90 in Fapply /w/emacs/src/eval.c:2722
#27 0x555556cc9e6c in funcall_subr /w/emacs/src/eval.c:3184
#28 0x555556dd758c in exec_byte_code /w/emacs/src/bytecode.c:812
#29 0x555556ccab01 in funcall_lambda /w/emacs/src/eval.c:3252
previously allocated by thread T0 here:
#0 0x55555643afbf in malloc (/opt/dc/emacs/bin/emacs-30.0.50+0xee6fbf)
#1 0x555556bdd46c in lmalloc /w/emacs/src/alloc.c:1402
#2 0x555556bdbbc5 in lisp_malloc /w/emacs/src/alloc.c:1015
#3 0x555556bde814 in allocate_string_data /w/emacs/src/alloc.c:1989
#4 0x555556be226d in make_clear_multibyte_string /w/emacs/src/alloc.c:2595
#5 0x555556be2026 in make_clear_string /w/emacs/src/alloc.c:2563
#6 0x555556be2163 in make_uninit_string /w/emacs/src/alloc.c:2574
#7 0x555556ce5c44 in concat_to_string /w/emacs/src/fns.c:932
#8 0x555556ce48b7 in Fconcat /w/emacs/src/fns.c:742
#9 0x555556cc9e6c in funcall_subr /w/emacs/src/eval.c:3184
#10 0x555556cc71d9 in funcall_general /w/emacs/src/eval.c:3040
#11 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#12 0x555556cc4f90 in Fapply /w/emacs/src/eval.c:2722
#13 0x555556cc9e6c in funcall_subr /w/emacs/src/eval.c:3184
#14 0x555556dd758c in exec_byte_code /w/emacs/src/bytecode.c:812
#15 0x555556ccab01 in funcall_lambda /w/emacs/src/eval.c:3252
#16 0x555556cc7225 in funcall_general /w/emacs/src/eval.c:3044
#17 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#18 0x7ffff1a38e9d in F7365727665722d756e71756f74652d617267_server_unquote_arg_0 (/home/dc/.emacs.d/eln-cache/30.0.50-27e3aa0e/server-0cc44189-5a0bf11b.eln+0x4e9d)
#19 0x555556cc71d9 in funcall_general /w/emacs/src/eval.c:3040
#20 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#21 0x555556cf8add in mapcar1 /w/emacs/src/fns.c:3346
#22 0x555556cfa0e3 in Fmapcar /w/emacs/src/fns.c:3466
#23 0x555556cc891c in funcall_subr /w/emacs/src/eval.c:3163
#24 0x555556cc71d9 in funcall_general /w/emacs/src/eval.c:3040
#25 0x555556cc7b28 in Ffuncall /w/emacs/src/eval.c:3093
#26 0x7ffff1a3d622 in F7365727665722d2d70726f636573732d66696c7465722d31_server__process_filter_1_0 (/home/dc/.emacs.d/eln-cache/30.0.50-27e3aa0e/server-0cc44189-5a0bf11b.eln+0x9622)
#27 0x10e2f (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free /w/emacs/src/xfaces.c:1115 in tty_defined_color
Shadow bytes around the buggy address:
0x0c4a8001c710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a8001c760: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c4a8001c770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c7b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==9677==ABORTING
[Inferior 1 (process 9677) exited with code 01]
(gdb)

In GNU Emacs 30.0.50 (build 14, x86_64-pc-linux-gnu) of 2024-06-14 built on sonn
Repository revision: 5ecff95993d5edbffb27e14c2815d2b23003bcb4
Repository branch: master
System Description: Devuan GNU/Linux 5 (daedalus)
Configured using:
'configure --prefix=/opt/dc/emacs/ --without-dbus --with-tiff=no
--without-tiff --without-libsystemd --without-dbus --with-mailutils
--without-modules --with-native-compilation --with-x-toolkit=no
--without-imagemagick --without-xft --without-harfbuzz
--without-freetype --without-libotf --without-xwidgets --without-xpm
--without-jpeg --without-gif --without-png --without-webp
--without-rsvg --without-cairo --without-x --without-sound
--enable-checking=yes,glyphs --enable-profiling 'CFLAGS=-g3 -O0
-static-libasan
-fsanitize=undefined,address,bounds-strict,float-cast-overflow ''
Configured features:
GMP GNUTLS LCMS2 LIBSELINUX LIBXML2 NATIVE_COMP NOTIFY INOTIFY PDUMPER
SECCOMP SQLITE3 THREADS XIM ZLIB
Important settings:
value of $LANG: en_US.UTF-8
value of $XMODIFIERS: @im=SCIM
locale-coding-system: utf-8-unix
Major mode: Dired by name
Minor modes in effect:
server-mode: t
tooltip-mode: t
global-eldoc-mode: t
show-paren-mode: t
electric-indent-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
minibuffer-regexp-mode: t
buffer-read-only: t
line-number-mode: t
indent-tabs-mode: t
transient-mark-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
Load-path shadows:
None found.
Features:
(shadow sort hashcash mail-extr compile comint ansi-osc ansi-color ring
tool-bar comp-run comp-common rx emacsbug message mailcap yank-media
puny rfc822 mml mml-sec password-cache epa derived epg rfc6068
epg-config gnus-util text-property-search time-date subr-x mm-decode
mm-bodies mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader
sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils pp
dired-aux cl-loaddefs cl-lib regexp-opt dired dnd dired-loaddefs
term/rxvt term/xterm xterm byte-opt gv bytecomp byte-compile server rmc
iso-transl tooltip cconv eldoc paren electric uniquify ediff-hook
vc-hooks lisp-float-type elisp-mode tabulated-list replace newcomment
text-mode lisp-mode prog-mode register page tab-bar menu-bar rfn-eshadow
isearch easymenu timer select mouse jit-lock font-lock syntax font-core
term/tty-colors frame minibuffer nadvice seq simple cl-generic
indonesian philippine cham georgian utf-8-lang misc-lang vietnamese
tibetan thai tai-viet lao korean japanese eucjp-ms cp51932 hebrew greek
romanian slovak czech european ethiopic indian cyrillic chinese
composite emoji-zwj charscript charprop case-table epa-hook
jka-cmpr-hook help abbrev obarray oclosure cl-preloaded button loaddefs
theme-loaddefs faces cus-face macroexp files window text-properties
overlay sha1 md5 base64 format env code-pages mule custom widget keymap
hashtable-print-readable backquote threads inotify lcms2 multi-tty
make-network-process native-compile emacs)
Memory information:
((conses 16 79584 11221) (symbols 48 7260 1) (strings 32 19579 4136)
(string-bytes 1 555627) (vectors 16 9521)
(vector-slots 8 101397 9175) (floats 8 33 8255)
(intervals 56 2255 14) (buffers 984 14))
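Editor's illustration, added to this archived report and not part of the
original message or of Emacs: the two ASan stacks above share the frames
tty_defined_color -> load_color2 -> ... -> Fmake_terminal_frame, and the
"freed by" stack shows the free happening in compact_small_strings during a
GC that Ffuncall ran from inside tty_lookup_color (xfaces.c:1050), while
the bad READ is in tty_defined_color (xfaces.c:1115) after that call
returned; the freed region was string data allocated by Fconcat in
server-unquote-arg. That is the classic shape of "raw pointer into
GC-managed string data cached across a call that can GC". The toy C heap
below models that shape only; every name in it (struct heap, heap_compact,
color_defined_buggy, lookup_that_gcs, and so on) is hypothetical, it is not
Emacs's allocator, and it says nothing about how the Emacs bug was actually
fixed. To keep the stale read deterministic, the retired data block is
poisoned with 0xFD and kept in a quarantine slot rather than passed to
free(); with a real free() the same read is what ASan reports above as a
heap-use-after-free over 'fd' shadow bytes.

```c
/* Toy model of the bug shape in this report (not Emacs code): C keeps a raw
 * pointer to a string's bytes across a call that can run GC, GC compacts the
 * string heap and retires the old block, and the later read is dangling. */
#include <stdlib.h>
#include <string.h>

#define HEAP_BYTES 4096
#define MAX_STRS   16
#define POISON     0xFD   /* ASan shows freed heap bytes as 'fd' */

struct lstr { char *data; size_t len; };   /* header stays, data can move */

struct heap {
    char *block;        /* current data block, replaced by compaction */
    size_t used;
    char *quarantine;   /* retired block, poisoned instead of free()d (demo) */
    struct lstr objs[MAX_STRS];
    size_t nobjs;
};

static void heap_init(struct heap *h) {
    memset(h, 0, sizeof *h);
    h->block = malloc(HEAP_BYTES);
}

static void heap_destroy(struct heap *h) { free(h->block); free(h->quarantine); }

static struct lstr *heap_make_string(struct heap *h, const char *s) {
    size_t len = strlen(s);
    if (h->nobjs >= MAX_STRS || h->used + len + 1 > HEAP_BYTES) return NULL;
    struct lstr *o = &h->objs[h->nobjs++];
    o->data = h->block + h->used;
    memcpy(o->data, s, len + 1);
    o->len = len;
    h->used += len + 1;
    return o;
}

/* The role compact_small_strings plays in the trace: copy every string into a
 * fresh block and retire the old one, invalidating cached data pointers. */
static void heap_compact(struct heap *h) {
    char *nb = malloc(HEAP_BYTES);
    size_t off = 0;
    for (size_t i = 0; i < h->nobjs; i++) {
        struct lstr *o = &h->objs[i];
        memcpy(nb + off, o->data, o->len + 1);
        o->data = nb + off;
        off += o->len + 1;
    }
    free(h->quarantine);
    memset(h->block, POISON, HEAP_BYTES);   /* stands in for free() */
    h->quarantine = h->block;
    h->block = nb;
    h->used = off;
}

/* Stand-in for a call back into Lisp (Ffuncall): it may or may not GC. */
typedef void (*lisp_call_fn)(struct heap *h);
static void lookup_that_gcs(struct heap *h) { heap_compact(h); }
static void lookup_without_gc(struct heap *h) { (void)h; }

typedef int (*defined_fn)(struct heap *, struct lstr *, lisp_call_fn, const char *);

/* BUGGY: data pointer taken before the call and dereferenced after it. */
static int color_defined_buggy(struct heap *h, struct lstr *name,
                               lisp_call_fn lookup, const char *want) {
    const char *p = name->data;     /* like caching SDATA (name) */
    lookup(h);                      /* may compact and retire the block */
    return strcmp(p, want) == 0;    /* heap-use-after-free if it did */
}

/* FIXED: keep the object across the call and re-read its data afterwards. */
static int color_defined_fixed(struct heap *h, struct lstr *name,
                               lisp_call_fn lookup, const char *want) {
    lookup(h);
    return strcmp(name->data, want) == 0;
}

/* Alternative when the bytes must outlive the call: copy them first. */
static int color_defined_copy(struct heap *h, struct lstr *name,
                              lisp_call_fn lookup, const char *want) {
    char *tmp = malloc(name->len + 1);
    memcpy(tmp, name->data, name->len + 1);
    lookup(h);
    int r = strcmp(tmp, want) == 0;
    free(tmp);
    return r;
}

/* Run one variant against one lookup; returns 1 if "brightblue" matched. */
static int scenario(defined_fn fn, lisp_call_fn lookup) {
    struct heap h;
    heap_init(&h);
    heap_make_string(&h, "filler so the target is not at offset 0");
    struct lstr *name = heap_make_string(&h, "brightblue");
    int r = fn(&h, name, lookup, "brightblue");
    heap_destroy(&h);
    return r;
}
```

Calling scenario(color_defined_buggy, lookup_without_gc) returns 1, the same
buggy function with lookup_that_gcs returns 0 because p now points at the
poisoned block, and both color_defined_fixed and color_defined_copy return 1
with lookup_that_gcs. The practical check this suggests for C code that
handles Lisp strings: between taking a data pointer and using it, look for
any call that can reach Ffuncall or otherwise run GC, and either re-derive
the pointer from the object after that call or copy the bytes out first.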