Gentoo Base System version 1.4.2.5
Linux iBook 2.4.19-r6 #1 Sun Dec 22 17:43:40 EST 2002 ppc PowerBook4,1
man, version 1.5k
-r-xr-sr-x 1 root man 52508 Sep 9 06:09 /usr/bin/man

There is an overflow in make_roff_command() due to data passed from setpl() *I think*.

16368 is the length to trigger the overflow on PowerPC.
16427 is the length to overwrite the instruction pointer ($pc).

export MANPL=`perl -e 'print "A" x 16423'`ABCD

(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x0ff31cf0 in strcmp () from /lib/libc.so.6
#0 0x0ff31cf0 in strcmp () from /lib/libc.so.6
#1 0x10002610 in _SDA_BASE_ ()
#2 0x41424344 in ()

// This is the code that triggers this overflow. *I think*

/* People prefer no page headings in their man screen output;
   now ".pl 0" has a bad effect on .SH etc, so we need ".pl N"
   for some large number N, like 1100i (a hundred pages). */
#define VERY_LONG_PAGE "1100i"

static char *
setpl(void) {
    char *pl;

    if (do_troff)
        return NULL;

    if (preformat)
        pl = VERY_LONG_PAGE;
    else if ((pl = getenv("MANPL")) == 0) {
        if (isatty(0) && isatty(1))
            pl = VERY_LONG_PAGE;
        else
            pl = "11i";   /* old troff default */
    }
    return pl;
}

...

/* BUFSIZE is 8192 in man.c */

...

static char *
make_roff_command (const char *file) {
    FILE *fp;
    static char buf [BUFSIZE];
    char line [BUFSIZE], bufh [BUFSIZE], buft [BUFSIZE];
    int status, ll;
    char *cp, *fgr, *pl;
    char *command = "";
    const char *expander;

    /* if window size differs much from 80, try to adapt */
    /* (but write only standard formatted files to the cat directory,
       see can_use_cache) */
    ll = setll();
    pl = setpl();   // OVERFLOW IS CAUSED HERE...
    if (ll && debug)
        gripe (NO_CAT_FOR_NONSTD_LL);

    expander = get_expander (file);

    /* head */
    bufh[0] = 0;
    if (ll || pl) {
        /* some versions of echo do not accept the -e flag,
           so we just use two echo calls when needed */
        strcat(bufh, "(");
        if (ll) {
            /* we should set line length and title line length */
            /* however, a .lt command here fails, only .ev 1; .lt ...; .ev
               helps for my version of groff */
            sprintf(eos(bufh), "echo \".ll %d.%di\"; ", ll/10, ll%10);
#if 0
            sprintf(eos(bufh), "echo \".lt %d.%di\"; ", ll/10, ll%10);
#endif
        }
        if (pl)
            sprintf(eos(bufh), "echo \".pl %s\"; ", pl);   // EXPLOIT HERE ??
    }

    /* tail */
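The defect above is an unbounded sprintf of an environment variable into the fixed bufh[BUFSIZE]; the later man build instead rejects an over-long MANPL. The C below is an added illustration, not code from this thread or from man itself: it sizes the write the vulnerable path would make, and puts a hardened variant beside it. BUFSIZE and the format string come from the posted code; MAX_MANPL_LEN, the helper names, and the constructed MANPL value are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 8192       /* same size as bufh in man.c */
#define MAX_MANPL_LEN 64   /* assumed cap: a .pl value is a short length such as "11i" or "1100i" */

/* Constructed MANPL value mirroring the post: 16423 'A's followed by "ABCD". */
static const char *long_manpl(void)
{
    static char v[16423 + 4 + 1];
    memset(v, 'A', 16423);
    memcpy(v + 16423, "ABCD", 5);
    return v;
}

/* Mirrors sprintf(eos(bufh), "echo \".pl %s\"; ", pl) without performing the
 * write: would appending after `used` bytes run past the end of bufh?
 * (Which stack slot is clobbered depends on the frame layout, hence the
 * PowerPC-specific lengths quoted in the post.) */
static int manpl_would_overflow(const char *pl, size_t used)
{
    return used + strlen("echo \".pl \"; ") + strlen(pl) + 1 > BUFSIZE;
}

/* Hardened form (an assumption, not man's actual patch): refuse an over-long
 * value up front, then use a bounded snprintf and treat truncation as an error. */
static int safe_append_pl(char *bufh, size_t bufsz, const char *pl)
{
    size_t used = strlen(bufh);
    int n;
    if (pl == NULL || strlen(pl) > MAX_MANPL_LEN)
        return -1;  /* the updated man reports "Environment variable MANPL too long!" */
    n = snprintf(bufh + used, bufsz - used, "echo \".pl %s\"; ", pl);
    if (n < 0 || (size_t)n >= bufsz - used)
        return -1;  /* truncated command: do not run a mangled pipeline */
    return 0;
}

/* Drive the hardened path as man would, with bufh already holding "(".
 * Returns the command prefix, or NULL when the value was rejected. */
static const char *hardened_pl_command(const char *pl)
{
    static char bufh[BUFSIZE];
    strcpy(bufh, "(");
    return safe_append_pl(bufh, sizeof bufh, pl) == 0 ? bufh : NULL;
}
```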
Had it on my work box, but when I wanted to recompile with debugging, I saw it was still groff-1.17 and man 1.5k-r0. After upgrading to:

---------------------------
# epm -q groff man
groff-1.18.1
man-1.5k-r1
---------------------------

I get:

---------------------------
# export MANPL=`perl -e 'print "A" x 16423'`ABCD
# man gcc
ERROR: Environment variable MANPL too long!
---------------------------

Please check what versions you have, and if they are not what I have, update and try again.
Hi, any feedback?
Before update... on my ppc box I have:

frieza root # epm -q groff man
groff-1.17.2-r3
man-1.5k

On my intel box it's:

vegeta root # epm -q groff man
groff-1.17.2-r3
man-1.5k

After update... (ppc):

frieza root # epm -q groff man
groff-1.18-r3
man-1.5k

You can see this in the man page at the top:

<standard input>:2: numeric overflow

But it appears to have fixed the issue; there is no segfault like before.

(i386):

vegeta root # epm -q groff man
groff-1.18.1
man-1.5k-r1
vegeta root # man id
ERROR: Environment variable MANPL too long!
Ok, great.