Yes, thank you.

I only suggest having a look at better security measures by researching optimization flags, to find an equilibrium between optimization and security.

But I said to forget it because it was hard to explain.

On 2020-06-11 18:06, Theo de Raadt wrote:
Otto Moerbeek <o...@drijf.net> wrote:

On Thu, Jun 11, 2020 at 05:15:28PM +0200, Romero Pérez, Abel wrote:



On 2020-06-11 17:07, Otto Moerbeek wrote:
On Thu, Jun 11, 2020 at 04:53:25PM +0200, Romero Pérez, Abel wrote:



On 2020-06-11 16:45, Klemens Nanni wrote:
On Thu, Jun 11, 2020 at 03:59:09PM +0200, Otto Moerbeek wrote:
This already trips the bug:

        man -T html -c pfctl id

No need for a custom man function. No clue yet why.
This is in mandoc's HTML parser, but only happens for multiple manuals
in html.c:html_reset_internal():

164             while ((tag = h->tag) != NULL) {
165                     h->tag = tag->next;
166                     free(tag);
167             }

Note that it crashes differently depending on the optimization level:

        $ cd /usr/src/usr.bin/mandoc
        $ make DEBUG=-O0
        $ ./obj/mandoc -Thtml `man -w id cat` >/dev/null ; echo $?
        0

        $ make DEBUG=-O1
        $ ./obj/mandoc -Thtml `man -w id cat` >/dev/null
        Segmentation fault (core dumped)

        $ make DEBUG=-O2
        $ ./obj/mandoc -Thtml `man -w id cat` >/dev/null
        mandoc(32092) in free(): bogus pointer (double free?) 0x6641bab613b
        Abort trap (core dumped)

Need to run now, but wanted to share what seems to be the right direction.

Compile with -O0 to fix the bug temporarily.
But I also want to note that a binary does not need to be specified; it can be
just a file... (as the second man entry).


This fixes it for me,

        -Otto

Index: main.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/main.c,v
retrieving revision 1.247
diff -u -p -r1.247 main.c
--- main.c      24 Feb 2020 21:15:05 -0000      1.247
+++ main.c      11 Jun 2020 15:06:43 -0000
@@ -872,7 +872,7 @@ parse(struct mparse *mp, int fd, const c
        if (outst->outdata == NULL)
                outdata_alloc(outst, outconf);
        else if (outst->outtype == OUTT_HTML)
-               html_reset(outst);
+               html_reset(outst->outdata);
        mandoc_xr_reset();
        meta = mparse_result(mp);
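
Review bot: The one-line change is the right fix for the call site in parse() (html_reset() needs the HTML formatter state, outst->outdata, not the enclosing outst), but the old call compiled cleanly, which suggests html_reset() takes an untyped pointer, or outdata is declared loosely enough that either argument is accepted. Consider giving html_reset() a `struct html *` parameter (converting from outdata at that one point) so the compiler rejects the next mix-up of this kind, rather than leaving it to the optimization level to expose it, as the -O0/-O1/-O2 results earlier in the thread show.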

Only one comment: don't use the -O0 flag (optimization disabled) to hunt more
bugs of this kind.

I have no clue what you mean by the above sentence. If code has a bug,
the optimization level might cause the bug to be hidden or exposed; it can
work both ways.

The person who didn't fix the bug is giving you advice about fixing the bug.


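The bug in the thread is a call-site mix-up that the compiler let through: html_reset() was handed the whole output state, outst, and walked that memory as if it were the HTML formatter state, so the free() loop in html_reset_internal() freed whatever happened to be there, and whether that showed up as a clean exit, a segfault or malloc's double-free trap depended on the -O level. The block below is an added example written for this page, not mandoc's code; the struct definitions, field names and the function names html_reset_typed(), push_tags(), reset_between_manuals() and reset_count() are hypothetical mock-ups. It keeps the same reset loop but behind a typed parameter, so the wrong argument becomes a compiler diagnostic instead of a runtime free of a bogus pointer.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical mock-ups (not mandoc's real definitions) of the two
 * structs involved: the HTML formatter state, which heads a linked
 * stack of open tags, and the caller's per-output state, which only
 * *points* at the formatter state through outdata.
 */
struct tag {
	struct tag	*next;
	int		 id;
};

struct html {
	struct tag	*tag;		/* head of the open-tag stack */
	int		 depth;		/* filler so the two layouts differ */
};

struct outstate {
	void		*outdata;	/* points at a struct html */
	int		 outtype;
};

/*
 * Same loop as html_reset_internal() in the thread, but the parameter
 * is typed.  Passing a `struct outstate *` here draws a compiler
 * diagnostic (an error under -Werror) instead of being silently
 * reinterpreted as a tag list at run time.  Returns the number of
 * tags freed so a caller can check the result.
 */
int
html_reset_typed(struct html *h)
{
	struct tag	*tag;
	int		 freed = 0;

	while ((tag = h->tag) != NULL) {
		h->tag = tag->next;
		free(tag);
		freed++;
	}
	return freed;
}

/* Push n freshly allocated tags so there is something to reset. */
void
push_tags(struct html *h, int n)
{
	struct tag	*t;
	int		 i;

	for (i = 0; i < n; i++) {
		if ((t = calloc(1, sizeof(*t))) == NULL)
			abort();
		t->id = i;
		t->next = h->tag;
		h->tag = t;
	}
}

/*
 * Mirrors the corrected call site in parse(): reset the formatter that
 * outst->outdata points to.  The old argument, html_reset_typed(outst),
 * no longer builds cleanly.
 */
int
reset_between_manuals(struct outstate *outst)
{
	return html_reset_typed(outst->outdata);
}

/*
 * Simulate n tags left open by a first manual, then the reset that runs
 * before the second manual.  The reset is also run a second time to
 * show it is safe on an already-empty list.  Returns tags freed in total.
 */
int
reset_count(int n)
{
	struct html	 h = { NULL, 0 };
	struct outstate	 outst = { &h, 0 };
	int		 freed;

	push_tags(&h, n);
	freed = reset_between_manuals(&outst);	/* frees n */
	freed += reset_between_manuals(&outst);	/* empty list: frees 0 */
	return freed;
}

int
main(void)
{
	printf("tags freed: %d\n", reset_count(3));
	return 0;
}
```

The typed prototype is the cheap guard here: in C a `void *` converts implicitly to any object pointer, so an untyped parameter accepts outst and outst->outdata alike, and only the memory layout chosen by the optimizer decides how the mistake surfaces. Build with -Wall -Werror (or a compiler that makes incompatible-pointer conversions an error) and the mix-up from the thread fails at compile time at every -O level.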