Yes, thank you.
I suggest only to have a look into better measures of security by
researching optimization flags, to find an equilibrium of optimization
and security.
But I said to forget it because it was hard to explain.
On 2020-06-11 18:06, Theo de Raadt wrote:
Otto Moerbeek <o...@drijf.net> wrote:
On Thu, Jun 11, 2020 at 05:15:28PM +0200, Romero Pérez, Abel wrote:
On 2020-06-11 17:07, Otto Moerbeek wrote:
On Thu, Jun 11, 2020 at 04:53:25PM +0200, Romero Pérez, Abel wrote:
On 2020-06-11 16:45, Klemens Nanni wrote:
On Thu, Jun 11, 2020 at 03:59:09PM +0200, Otto Moerbeek wrote:
This already trips the bug;
man -T html -c pfctl id
No need for a custom man function. No clue yet why.
This is in mandoc's HTML parser, but only happens for multiple manuals
in html.c:html_reset_internal():
164 while ((tag = h->tag) != NULL) {
165 h->tag = tag->next;
166 free(tag);
167 }
Note that it crashes differently depending on the optimization level:
$ cd /usr/src/usr.bin/mandoc
$ make DEBUG=-O0
$ ./obj/mandoc -Thtml `man -w id cat` >/dev/null ; echo $?
0
$ make DEBUG=-O1
$ ./obj/mandoc -Thtml `man -w id cat` >/dev/null
Segmentation fault (core dumped)
$ make DEBUG=-O2
$ ./obj/mandoc -Thtml `man -w id cat` >/dev/null
mandoc(32092) in free(): bogus pointer (double free?) 0x6641bab613b
Abort trap (core dumped)
Need to run now, but wanted to share what seems to be the right direction.
Compile with -O0 to fix temporally the bug.
But, I also want to note that a binary is not need to be specified, can be a
just a file... (as second man entry).
This fixes it for me,
-Otto
Index: main.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/main.c,v
retrieving revision 1.247
diff -u -p -r1.247 main.c
--- main.c 24 Feb 2020 21:15:05 -0000 1.247
+++ main.c 11 Jun 2020 15:06:43 -0000
@@ -872,7 +872,7 @@ parse(struct mparse *mp, int fd, const c
if (outst->outdata == NULL)
outdata_alloc(outst, outconf);
else if (outst->outtype == OUTT_HTML)
- html_reset(outst);
+ html_reset(outst->outdata);
mandoc_xr_reset();
meta = mparse_result(mp);
Only one comment, don't use -O0 flag as optimization (disabled) to hunt more
bugs of this kind.
I have no clue what you mean by above sentence. If code has a bug,
optmization level might cause the bug to be hidden or exposed; it can
work both ways.
The person who didn't fix the bug is giving you advice about fixing the bug.