Date: Thu, 27 Aug 2020 20:09:24 +0200
From: Ingo Schwarze
To: Kazuo Kuroi
Cc: discuss@mandoc.bsd.lv
Subject: Re: Patching Mandoc for IRIX
Message-ID: <20200827180924.GG28751@athene.usta.de>
References: <20200622214406.GD93760@athene.usta.de>

Hi Kazuo,

oh no, this thread got buried under other matters *again*.
This is getting really embarrassing... :-(

Kazuo Kuroi wrote on Mon, Jun 22, 2020 at 06:09:09PM -0400:

> IRIX is not free/open source, and we do not have access
> to the IRIX libc to change the printf() implementation.

Now i'm somewhat confused - how do you diagnose and fix security
vulnerabilities in libc in that case? The system is no longer
maintained by the original vendor, right?

> I've considered adding an external override printf() replacement
> to my library I use to improve portability (libxg)

Yes. My general philosophy is to write code according to current
standards, and if an older system lacks some function, provide a
replacement function if that can be done without undue effort.
I do not want to pollute the portable code with wrapper functions
or #ifdefs or even macro expansion.

Unfortunately, writing a portability wrapper for printf(3) that
modifies the format string to change %zu into whatever is appropriate
for the current platform is tricky and potentially dangerous, so maybe
it is better that you manually maintain patches for that, unless or
until we have a better idea.

> but let me quote a dev on my forums on the topic:
>
> "The "%zun" format specifier to the printf family of functions is
> problematic for us. Newer libc implementations (GNU, BSD, ...) use the
> "z" character as a length modifier to indicate the following "u"
> argument is of type size_t. IRIX libc doesn't support the "z" length
> modifier at all. So that's got to go, for starters.
> I'm assuming
> you're compiling as N32 code, so an unmodified "%u" should suffice since
> size_t is defined as an unsigned int in /usr/include/sys/types.h. (Use
> %lu for 64-bit code where size_t is an unsigned long instead. Which
> clearly shows why the z modifier is needed for portable code!)

So far, i see what the problem is here. Apart from the fact that
fixing this in compat_* code would be tricky and would be needed for
few platforms (IRIX the only one known so far), the detection is also
tricky. Basically, the test_* code would have to compare sizeof(size_t)
to native types like sizeof(unsigned) and sizeof(unsigned long) and
sizeof(unsigned long long) to make the decision. That's all somewhat
ugly...

> Also, the trailing "n" is potentially problematic. I'm not 100% sure,
> but I think the code is intended to print a size_t followed by a literal
> "n".

Correct.

> But IRIX libc seems to be interpreting it as the "n" "conversion
> character" which requests the printf family of functions to put the
> length of the printed string into a variable.

That sounds like a very dangerous security vulnerability in IRIX libc.
The "%n" conversion specifier is supposed to cause writing into a
variable, and even that is rather risky even when implemented and used
correctly, but the literal letter "n" is absolutely not supposed to do
any such thing. Also, each conversion specification ends with the
conversion specifier letter, in this case the 'u', so whatever follows
the 'u' is no longer part of the conversion specification but just
literal text.

You really need to get that bug fixed. It sounds extremely dangerous
and i can think of no way to work around it. It is likely to have dire
consequences in any software you compile.

> In this case, the trailing n didn't cause any issues. I understand for
> portability reasons you wouldn't want to change it, and that's totally
> understandable.

Indeed, printing the literal 'n' right after the number is required,
roff(7) syntax dictates that it must be there. Doing it in some
different way would cause substantial complication of the code, and i
don't think working around such a serious libc bug would be reasonable.

> One way you could accommodate IRIX would be to use the
> __sgi definition in configure,

I strongly dislike testing for platform IDs or version numbers in
autoconfiguration; it's fragile, never complete, and easily gets
outdated when platforms improve, which most platforms do all the time.
Besides, the OpenBSD mips64 port also defines __sgi__, so it identifies
the CPU architecture rather than the operating system. I guess NetBSD
is likely to do even more of that kind because NetBSD is famous for its
wide range of hardware support.

> and then you could use perl or sed to
> change the code, or you could throw a warning out in configure regarding
> %zu in the code and we could work out a more conservative patch that
> fixes just the %zu for those who stumble upon this. This mostly affects
> the makewhatis commands, the actual mandoc binary appears to work fine.

I doubt that all else works fine without %zu. That sequence is used for

 * reporting of configuration errors in manpath.c
 * ctags(1) support for terminal output in term_tag.c
 * abstract syntax tree dumping in tree.c
 * PostScript and PDF generation in term_ps.c
 * mdoc(7) syntax validation in mdoc_validate.c

All that is potentially broken unless correctly patched.

> I would think that some other platforms like older AIX, Solaris, HP-UX
> etc. may have this issue too, but I've not worked on those extensively.

Solaris 11 and Solaris 10 are definitely fine. Solaris 9 is now so old
that i'm not very diligent about supporting it any longer. There was a
mandoc port for AIX many years ago, and people have occasionally done
light testing on AIX in recent years, but no such issue came up.

I'm not aware that anyone ever tested on HP-UX, that system doesn't
appear to be used a lot.

> On your question of whether or not we have ports or anything, not
> currently.

No problem, so i'll just link to these build instructions:

> I usually, for now, keep patches and references in "Xenopatches" here:
> http://gitea.irixce.org/Raion/Xenopatches/src/branch/master/mandoc
>
> So pragmatically, once I figure out how to get it all together, you can
> link here and I'll include a build instructions file. Once Nekoware II
> is packaging tardists again, you can link back to nekoware II's homepage.

Thanks for your information about Nekoware II. For now, i have added
links to ports.html and porthistory.html as shown below. Speak up if
you think there is a better way.

Yours,
  Ingo

Index: porthistory.html =================================================================== RCS file: /home/cvs/mandoc/www/porthistory.html,v retrieving revision 1.52 diff -u -r1.52 porthistory.html --- porthistory.html 4 Mar 2020 03:19:07 -0000 1.52 +++ porthistory.html 27 Aug 2020 17:58:28 -0000 @@ -36,6 +36,7 @@ illumos (2019 May 30, Michal Nowak) Alpine Linux (2019 Aug 25) Fedora (2019 Oct 16, David Cantrell) + IRIX Nekoware II (2020 June 2, Kazuo Kuroi)
  • 1.14.4 (2018 Aug 8): Void Linux (2018 Aug 8, Leah Neukirchen) Index: ports.html =================================================================== RCS file: /home/cvs/mandoc/www/ports.html,v retrieving revision 1.78 diff -u -r1.78 ports.html --- ports.html 4 Mar 2020 03:20:27 -0000 1.78 +++ ports.html 27 Aug 2020 17:54:42 -0000 @@ -245,6 +245,17 @@ — + IRIX + 1.14.5 + — + — + 2020 June 2 + — + — + — + — + + Crux Linux 1.14.3 — @@ -559,6 +569,15 @@ >macports/mandoc dito — + + + IRIX + Xenopatches/mandoc + work in progress + Kazuo Kuroi, Nekoware II Crux Linux
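Review bot: in the porthistory.html hunk (@@ -36,6 +36,7 @@) the added line writes the month out in full, "2020 June 2", while the neighbouring entries in the same hunk abbreviate it ("2019 Aug 25", "2019 Oct 16"); "2020 Jun 2" would match the existing convention, and the same applies to the date cell in the ports.html @@ -245,6 +245,17 @@ hunk.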
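Review bot: the new IRIX row in the ports.html @@ -245,6 +245,17 @@ hunk records "1.14.5" as the ported version with every other cell a dash, while the @@ -559,6 +569,15 @@ hunk marks the same port "work in progress" and the message above says no package exists yet; either note that 1.14.5 is the version the patches target or leave the version cell a dash until Nekoware II ships, so the two tables do not contradict each other.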
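Review bot: in the ports.html @@ -559,6 +569,15 @@ hunk the "Xenopatches/mandoc" entry shows no href in the lines as extracted; confirm it links to http://gitea.irixce.org/Raion/Xenopatches/src/branch/master/mandoc, the location Kazuo gives earlier in this message, since that is the only place the build instructions are said to live.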
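Two points from the thread can be checked mechanically: the sizeof() comparison that a configure-time test_* probe would need to pick a printf length modifier on a libc without "z", and the fact that a conversion specification ends at its specifier letter, so the 'n' after "%zu" must come out as literal text. The C below is an added example, not code from mandoc, from its configure script or from either participant; the names size_t_length_modifier, render_size_n, render_equals and probe_zun are hypothetical, and the sample values are constructed. It goes slightly beyond the message by rendering the "<number>n" suffix without any printf conversion at all, so that the libc's own "%zun" output can be compared against an independent reference.

```c
/*
 * Added example (not mandoc code): a configure-style probe for the two
 * printf(3) issues discussed in the thread.  All names are hypothetical.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Step 1: choose the length modifier whose unsigned type has the same
 * size as size_t.  This is the sizeof() comparison a test_* probe would
 * need on a libc that lacks the "z" modifier.  Returns "" for unsigned,
 * "l" for unsigned long, "ll" for unsigned long long, NULL if none fits.
 */
const char *
size_t_length_modifier(void)
{
	if (sizeof(size_t) == sizeof(unsigned))
		return "";
	if (sizeof(size_t) == sizeof(unsigned long))
		return "l";
	if (sizeof(size_t) == sizeof(unsigned long long))
		return "ll";
	return NULL;
}

/*
 * Step 2: render a size_t followed by the literal roff(7) 'n' suffix
 * using no printf conversion, so the result does not depend on how the
 * libc parses "%zun".  Writes into buf and returns buf; on a too-small
 * buffer the result is the empty string.
 */
char *
render_size_n(char *buf, size_t bufsz, size_t value)
{
	char digits[32];	/* 20 digits suffice for a 64-bit size_t */
	size_t n = 0;

	/* Collect digits least-significant first, then reverse them. */
	do {
		digits[n++] = (char)('0' + value % 10);
		value /= 10;
	} while (value != 0 && n < sizeof digits);

	if (n + 2 > bufsz) {	/* digits + 'n' + NUL must fit */
		if (bufsz > 0)
			buf[0] = '\0';
		return buf;
	}
	for (size_t i = 0; i < n; i++)
		buf[i] = digits[n - 1 - i];
	buf[n] = 'n';
	buf[n + 1] = '\0';
	return buf;
}

/* Does the reference rendering of value equal expect?  1 if so, else 0. */
int
render_equals(size_t value, const char *expect)
{
	char buf[32];

	return strcmp(render_size_n(buf, sizeof buf, value), expect) == 0;
}

/*
 * Step 3: compare the libc's own "%zun" output with the reference.
 * On a conforming libc the conversion ends at 'u' and the 'n' is copied
 * literally, so the strings match and 1 is returned.  A libc that lacks
 * "z" or mis-parses the trailing 'n' yields 0 (or fails outright), which
 * is what a configure script would key its fallback on.
 */
int
probe_zun(size_t value)
{
	char want[32], got[32];

	render_size_n(want, sizeof want, value);
	/* snprintf bounds the write even if the libc misbehaves. */
	if (snprintf(got, sizeof got, "%zun", value) < 0)
		return 0;
	return strcmp(want, got) == 0;
}

int
main(void)
{
	const char *mod = size_t_length_modifier();	/* constructed run */

	printf("length modifier for size_t: \"%s\"\n", mod ? mod : "none");
	printf("\"%%zun\" handled correctly: %d\n",
	    probe_zun(42) && probe_zun(0));
	return mod != NULL && probe_zun(42) && probe_zun(0) ? 0 : 1;
}
```

On a conforming libc the program exits 0; a non-zero exit is the signal a configure step would use to fall back to maintained per-platform patches instead of trusting "%zu".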