discuss@mandoc.bsd.lv
From: Ingo Schwarze <schwarze@usta.de>
To: Kazuo Kuroi <kazuo@irixnet.org>
Cc: discuss@mandoc.bsd.lv
Subject: Re: Patching Mandoc for IRIX
Date: Thu, 27 Aug 2020 20:09:24 +0200
Message-ID: <20200827180924.GG28751@athene.usta.de>
In-Reply-To: <adc90b4b-4092-b514-dca7-d4e8d257ce26@irixnet.org>

Hi Kazuo,

oh no, this thread got buried under other matters *again*.
This is getting really embarrassing...  :-(

Kazuo Kuroi wrote on Mon, Jun 22, 2020 at 06:09:09PM -0400:

> IRIX is not free/open source, and we do not have access
> to the IRIX libc to change the printf() implementation.

Now i'm somewhat confused - how do you diagnose and fix security
vulnerabilities in libc in that case?  The system is no longer
maintained by the original vendor, right?

> I've considered adding an external override printf() replacement
> to my library I use to improve portability (libxg)

Yes.  My general philosophy is to write code according to current
standards, and if an older system lacks some function, provide
a replacement function if that can be done without undue effort.
I do not want to pollute the portable code with wrapper functions
or #ifdefs or even macro expansion.

Unfortunately, writing a portability wrapper for printf(3) that
modifies the format string to change %zu into whatever is appropriate
for the current platform is tricky and potentially dangerous, so
maybe it is better that you manually maintain patches for that,
unless or until we have a better idea.

> but let me quote a dev on my forums on the topic:
> 
> "The "%zun" format specifier to the printf family of functions is 
> problematic for us.  Newer libc implementations (GNU, BSD, ...) use the 
> "z" character as a length modifier to indicate the following "u" 
> argument is of type size_t.  IRIX libc doesn't support the "z" length 
> modifier at all.  So that's got to go, for starters.  I'm assuming 
> you're compiling as N32 code, so an unmodified "%u" should suffice since 
> size_t is defined as an unsigned int in /usr/include/sys/types.h.  (Use 
> %lu for 64-bit code where size_t is an unsigned long instead.  Which 
> clearly shows why the z modifier is needed for portable code!)

So far, i see what the problem is here.

Apart from the fact that fixing this in compat_* code would be tricky
and would be needed for few platforms (IRIX the only one known so far),
the detection is also tricky.  Basically, the test_* code would have
to compare sizeof(size_t) to native types like sizeof(unsigned)
and sizeof(unsigned long) and sizeof(unsigned long long) to make
the decision.  That's all somewhat ugly...

> Also, the trailing "n" is potentially problematic.  I'm not 100% sure, 
> but I think the code is intended to print a size_t followed by a literal 
> "n".

Correct.

> But IRIX libc seems to be interpreting it as the "n" "conversion 
> character" which requests the printf family of functions to put the 
> length of the printed string into a variable.

That sounds like a very dangerous security vulnerability in IRIX
libc.  The "%n" conversion specifier is supposed to cause writing
into a variable, and even that is rather risky even when implemented
and used correctly, but the literal letter "n" is absolutely not
supposed to do any such thing.  Also, each conversion specification
ends with the conversion specifier letter, in this case the 'u',
so whatever follows the 'u' is no longer part of the conversion
specification but just literal text.

You really need to get that bug fixed.  It sounds extremely dangerous
and i can think of no way to work around it.  It is likely to
have dire consequences in any software you compile.

> In this case, the trailing n didn't cause any issues. I understand for 
> portability reasons you wouldn't want to change it, and that's totally 
> understandable.

Indeed, printing the literal 'n' right after the number is required,
roff(7) syntax dictates that it must be there.  Doing it in some
different way would cause substantial complication of the code,
and i don't think working around such a serious libc bug would be
reasonable.

> One way you could accommodate IRIX would be to use the 
> __sgi definition in configure,

I strongly dislike testing for platform IDs or version numbers in
autoconfiguration; it's fragile, never complete, and easily gets
outdated when platforms improve, which most platforms do all the
time.  Besides, the OpenBSD mips64 port also defines __sgi__, so
it identifies the CPU architecture rather than the operating system.
I guess NetBSD is likely to do even more of that kind because NetBSD
is famous for its wide range of hardware support.

> and then you could use perl or sed to 
> change the code, or you could throw a warning out in configure regarding 
> %zu in the code and we could work out a more conservative patch that 
> fixes just the %zu for those who stumble upon this. This mostly affects 
> the makewhatis commands, the actual mandoc binary appears to work fine.

I doubt that all else works fine without %zu.  That sequence is used
for

 * reporting of configuration errors in manpath.c
 * ctags(1) support for terminal output in term_tag.c
 * abstract syntax tree dumping in tree.c
 * PostScript and PDF generation in term_ps.c
 * mdoc(7) syntax validation in mdoc_validate.c

All that is potentially broken unless correctly patched.

> I would think that some other platforms like older AIX, Solaris, HP-UX 
> etc. may have this issue too, but I've not worked on those extensively.

Solaris 11 and Solaris 10 are definitely fine.  Solaris 9 is now
so old that i'm not very diligent about supporting it any longer.
There was a mandoc port for AIX many years ago, and people have
occasionally done light testing on AIX in recent years, but no
such issue came up.  I'm not aware that anyone ever tested on HP-UX,
that system doesn't appear to be used a lot.

> On your question of whether or not we have ports or anything, not 
> currently.

No problem, so i'll just link to these build instructions:

> I usually, for now, keep patches and references in "Xenopatches" here:
> http://gitea.irixce.org/Raion/Xenopatches/src/branch/master/mandoc
> 
> So pragmatically, once I figure out how to get it all together, you can 
> link here and I'll include a build instructions file. Once Nekoware II 
> is packaging tardists again, you can link back to nekoware II's homepage.

Thanks for your information about Nekoware II.

For now, i have added links to ports.html and porthistory.html
as shown below.  Speak up if you think there is a better way.

Yours,
  Ingo


Index: porthistory.html
===================================================================
RCS file: /home/cvs/mandoc/www/porthistory.html,v
retrieving revision 1.52
diff -u -r1.52 porthistory.html
--- porthistory.html	4 Mar 2020 03:19:07 -0000	1.52
+++ porthistory.html	27 Aug 2020 17:58:28 -0000
@@ -36,6 +36,7 @@
   illumos (<a href="https://github.com/illumos/illumos-gate/commit/cec8643b41ebefad6c677010fc784dc4bb0550f3#diff-46d91f95b4440f9432e65c9b3e674271">2019 May 30</a>, Michal Nowak)
   Alpine Linux (<a href="https://git.alpinelinux.org/cgit/aports/commit?id=a33e421da04f54e4a9398da416982720bbae84eb">2019 Aug 25</a>)
   Fedora (<a href="https://src.fedoraproject.org/rpms/mandoc/c/8e2f011858c0b699122ad5ceec4afba9564a5c4c">2019 Oct 16</a>, David Cantrell)
+  <strong>IRIX</strong> Nekoware II (<a href="http://gitea.irixce.org/Raion/Xenopatches/commit/f29efd3d02b4d336f1d2ab6682e51ca52ee636ee">2020 June 2</a>, Kazuo Kuroi)
   </li>
 <li>1.14.4 (<a href="/cgi-bin/cvsweb/NEWS#rev1.32">2018 Aug 8</a>):
   Void Linux (<a href="https://github.com/void-linux/void-packages/commit/9a366969487696e4d8743cd198fef084924814b4">2018 Aug 8</a>, Leah Neukirchen)
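Review bot: the new IRIX line wraps the platform name in <strong>, which none of the neighbouring entries in this hunk (illumos, Alpine Linux, Fedora) do; unless the bold is deliberate, drop it so the line reads `  IRIX Nekoware II (<a href=...>2020 June 2</a>, Kazuo Kuroi)` like its siblings. The commit link is also plain http://gitea.irixce.org while every other link in the hunk is https; if that host serves TLS, prefer https so readers fetching patches from it get an authenticated connection.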
Index: ports.html
===================================================================
RCS file: /home/cvs/mandoc/www/ports.html,v
retrieving revision 1.78
diff -u -r1.78 ports.html
--- ports.html	4 Mar 2020 03:20:27 -0000	1.78
+++ ports.html	27 Aug 2020 17:54:42 -0000
@@ -245,6 +245,17 @@
     <td>&mdash;</td>
   </tr>
   <tr>
+    <td><a class="external" href="https://irixnet.org/">IRIX</a></td>
+    <td>1.14.5</td>
+    <td>&mdash;</td>
+    <td>&mdash;</td>
+    <td>2020 June 2</td>
+    <td>&mdash;</td>
+    <td>&mdash;</td>
+    <td>&mdash;</td>
+    <td>&mdash;</td>
+  </tr>
+  <tr>
     <td><a class="external" href="https://crux.nu/">Crux Linux</a></td>
     <td>1.14.3</td>
     <td>&mdash;</td>
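Review bot: the version cell states 1.14.5 without qualification, but the second ports.html hunk in this same patch labels the IRIX port "work in progress", and the mail body notes that the %zu uses in manpath.c, term_tag.c, tree.c, term_ps.c and mdoc_validate.c are still unpatched; consider marking the version cell the same way (or leaving it as &mdash; with the date) until the port builds and runs cleanly, so the table does not imply a finished 1.14.5 port.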
@@ -559,6 +569,15 @@
       >macports/mandoc</a></td>
     <td>dito</td>
     <td>&mdash;</td>
+  </tr>
+  <tr>
+    <td><a class="external" href="https://irixnet.org/">IRIX</a></td>
+    <td><a class="external"
+      href="http://gitea.irixce.org/Raion/Xenopatches/commits/branch/master/mandoc"
+      >Xenopatches/mandoc</a></td>
+    <td>work in progress</td>
+    <td><a class="external" href="http://gitea.irixce.org/Raion"
+      >Kazuo Kuroi</a>, Nekoware II</td>
   </tr>
   <tr>
     <td><a class="external" href="https://crux.nu/">Crux Linux</a></td>
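Review bot: both new links in this row (the Xenopatches/mandoc repository and the maintainer page under http://gitea.irixce.org/Raion) use plain http://, whereas the adjacent rows link with https://; since this is the row readers will follow to obtain the IRIX patches, switch to https if gitea.irixce.org offers it. The three-line <a ...> split for the repository link matches the macports row above it, so the markup style is consistent.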
--
 To unsubscribe send an email to discuss+unsubscribe@mandoc.bsd.lv
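The %zu and "%zun" discussion in the message above, worked through as an added example (not mandoc's code, and not written by either participant): the sizeof(size_t) comparison a configure-time test_* check would need, a cast-based stand-in for "%zun" built on that result, and a small scanner of C99 conversion specifications showing that the specification in "%zun" ends at the 'u', so the trailing 'n' is literal text and not a %n conversion. The function names and the 32-byte static buffer are my own assumptions.

```c
/* Added example, not mandoc's code: sizeof-based choice of a native length
 * modifier for size_t, a cast-based stand-in for "%zun", and a scanner that
 * shows where a C99 conversion specification ends ('n' after 'u' is text). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* "" for unsigned, "l" for unsigned long, "ll" for unsigned long long,
 * NULL if no native unsigned type is as wide as size_t. */
const char *size_t_modifier(void)
{
	if (sizeof(size_t) == sizeof(unsigned))           return "";
	if (sizeof(size_t) == sizeof(unsigned long))      return "l";
	if (sizeof(size_t) == sizeof(unsigned long long)) return "ll";
	return NULL;
}

/* v followed by a literal 'n' (roff unit syntax) in a static buffer, using a
 * fixed format string and a cast of matching width; NULL if none fits. */
const char *size_n_text(size_t v)
{
	static char buf[32];
	const char *mod = size_t_modifier();
	int n = mod == NULL ? -1
	    : mod[0] == '\0' ? snprintf(buf, sizeof buf, "%un", (unsigned)v)
	    : mod[1] == '\0' ? snprintf(buf, sizeof buf, "%lun", (unsigned long)v)
	    : snprintf(buf, sizeof buf, "%llun", (unsigned long long)v);
	return n > 0 ? buf : NULL;
}

/* Index just past the conversion specifier of the spec at fmt (fmt[0] == '%'):
 * flags, width, precision, one length modifier, one conversion character.
 * Everything from the returned index on is literal text, never a conversion. */
size_t conversion_end(const char *fmt)
{
	size_t i = 1;
	while (fmt[i] != '\0' && strchr("-+ #0", fmt[i])) i++;                /* flags */
	while (fmt[i] == '*' || (fmt[i] >= '0' && fmt[i] <= '9')) i++;        /* width */
	if (fmt[i] == '.')                                                    /* precision */
		for (i++; fmt[i] == '*' || (fmt[i] >= '0' && fmt[i] <= '9'); i++) {}
	if (fmt[i] != '\0' && strchr("hljztL", fmt[i])) {                     /* length modifier */
		char m = fmt[i++];
		if ((m == 'h' || m == 'l') && fmt[i] == m) i++;                   /* hh or ll */
	}
	if (fmt[i] != '\0') i++;                                              /* conversion char */
	return i;
}

/* Conversion character of the spec at fmt; only 'n' writes to memory. */
char conversion_char(const char *fmt)
{
	return conversion_end(fmt) > 1 ? fmt[conversion_end(fmt) - 1] : '\0';
}
```

On an N32 IRIX build size_t_modifier() would return "" and size_n_text() would use "%un", exactly the substitution suggested in the quoted forum post; on LP64 systems it returns "l".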


Thread overview: 6+ messages
2020-06-02 23:29 Kazuo Kuroi
2020-06-22 21:44 ` Ingo Schwarze
2020-06-22 22:09   ` Kazuo Kuroi
2020-08-27 18:09     ` Ingo Schwarze [this message]
2020-08-28 19:40       ` Kazuo Kuroi
2020-08-31 14:12         ` Ingo Schwarze
