Bug 144745 - Segfault problem with man -k "map "
Product: Fedora
Classification: Fedora
Component: man
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: Ivana Varekova
Reported: 2005-01-10 22:15 EST by Neo
Modified: 2007-11-30 17:10 EST
Last Closed: 2005-06-20 04:56:53 EDT

Attachments
segfault band aid (346 bytes, patch)
2005-01-11 08:03 EST, Sitsofe Wheeler
Quote the keyword parameter (allows spaces) (378 bytes, patch)
2005-01-11 08:13 EST, Sitsofe Wheeler

Description Neo 2005-01-10 22:15:47 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
I am running FC3 inside Microsoft Virtual PC 2004/SP1 and my kernel is
the latest 2.6.10-1.737.

A copy of the output after running the command:

[neo@fedora ~]$ man -k "map "
sh: /unsafe/: No such file or directory
Error executing formatting or display command.
System command /unsafe/ exited with status 32512.
Segmentation fault

Does this mean anything special to security? Is it a bug?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start a Shell window.
2. Type man -k "map " (note there is a space after the word map).

Actual Results:  sh: /unsafe/: No such file or directory
Error executing formatting or display command.
System command /unsafe/ exited with status 32512.
Segmentation fault

Expected Results:  (Should not have segfault)

Additional info:
Comment 1 Sitsofe Wheeler 2005-01-11 07:59:41 EST
This is probably harmless because I don't know of many programs that call man -k
(but you never know). This was a complete pain in the neck to chase down because
man is compiled without -g AND linked with -s so all the debug symbols go out of
the window before anyone can get their hands on them...

Here's what valgrind had to say:
==5683== Invalid free() / delete / delete[]
==5683==    at 0x1B902FB1: free (vg_replace_malloc.c:153)
==5683==    by 0x804B1C2: do_apropos (man.c:1225)
==5683==    by 0x804B3A6: main (man.c:1332)
==5683==  Address 0x804F25B is not stack'd, malloc'd or (recently) free'd

The problem appears to be that my_xsprintf notices that spaces are bad as %s
parameters and returns the string constant "/unsafe/" as the command to run
instead. Unfortunately there is no way to know that you received a string
constant back and that the constructed command was not dynamically allocated so
a little bit later an attempt is made to free that constant.

A band aid solution for the segfault would be the following:
--- util.c.orig 2003-09-05 10:48:13.000000000 +0100
+++ util.c      2005-01-11 12:45:39.000000000 +0000
@@ -272,7 +272,7 @@
                        case 'S': /* check and turn into 's' */
                                ss = va_arg(p, char *);
                                if (!is_shell_safe(ss, (s[1] == 'Q')))
-                                       return NOT_SAFE;
+                                       return my_strdup(NOT_SAFE);
                                len += strlen(ss);
                                s[1] = 's';
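
Review bot: at the changed `return` in case 'S', duplicating NOT_SAFE makes the result safe to free() but still hands the caller the literal text as if it were a command, so the shell is still asked to run it (the "sh: /unsafe/: No such file or directory" line in the report) and the user never learns that the keyword was rejected. Any caller that detects rejection by comparing the returned pointer with NOT_SAFE would also stop matching once the value is a copy. Consider returning NULL, or a status code with the string in an out-parameter, and having the caller print the error and skip both the command and the free(); if my_xsprintf has other paths that return NOT_SAFE, they need the same treatment.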

Giving the user back a meaningful error (illegal characters in keyword) is going
to be a trickier problem.

On another note I am wondering whether the second parameter should be quoted to
allow "map " to work. I don't know whether it opens up another problem but I
can't see one at first glance...
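
The ownership problem described in comment 1 (a formatter that returns either heap memory or a string constant, while the caller always calls free()), with one way to avoid it. This is an added example, not code from man or from any commenter: build_cmd, do_lookup, the CMD_* codes and the allow-list are hypothetical, and "apropos" stands in for the command that would be run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CMD_OK, CMD_UNSAFE, CMD_NOMEM };   /* hypothetical status codes */

/* Constructed allow-list; man's real is_shell_safe() rules are not on the page. */
static int arg_is_shell_safe(const char *s) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.:+";
    return *s != '\0' && s[strspn(s, ok)] == '\0';
}

/* On CMD_OK, *out is malloc'd and the caller must free() it.
   On any error, *out is NULL, so free(*out) is valid on every path. */
static int build_cmd(const char *prog, const char *arg, char **out) {
    *out = NULL;
    if (!arg_is_shell_safe(arg))
        return CMD_UNSAFE;                       /* status, not a sentinel string */
    size_t n = strlen(prog) + strlen(arg) + 2;   /* space + NUL */
    *out = malloc(n);
    if (*out == NULL)
        return CMD_NOMEM;
    snprintf(*out, n, "%s %s", prog, arg);
    return CMD_OK;
}

/* Caller: writes the command it would run, or the error text, into msg. */
static int do_lookup(const char *keyword, char *msg, size_t len) {
    static const char *const err[] = { "", "illegal characters in keyword",
                                       "out of memory" };
    char *cmd;
    int rc = build_cmd("apropos", keyword, &cmd);
    snprintf(msg, len, "%s", rc == CMD_OK ? cmd : err[rc]);
    free(cmd);                 /* heap pointer or NULL, never a string constant */
    return rc;
}

int main(void) {
    const char *samples[] = { "map", "map ", " ", "$<" };  /* keywords from the report */
    char msg[128];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int rc = do_lookup(samples[i], msg, sizeof msg);
        printf("[%s] -> %d: %s\n", samples[i], rc, msg);
    }
    return 0;
}
```

Because rejection is reported through the return code, the command string never doubles as an error value and nothing unvalidated reaches the shell.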
Comment 2 Sitsofe Wheeler 2005-01-11 08:03:05 EST
Created attachment 109600 [details]
segfault band aid
Comment 3 Sitsofe Wheeler 2005-01-11 08:13:38 EST
Created attachment 109601 [details]
Quote the keyword parameter (allows spaces)
Comment 4 Jack Spaar 2005-01-31 19:35:26 EST
Just got bit by this.  (My FC3 is running natively, no Virtual PC.)
apropos works instead for now. 
Comment 5 Neo 2005-02-01 01:17:28 EST
Just to give developers more information. I just found out that if you
include a white space in the param to -k, it will segfault.

man -k " "
Comment 6 Ivana Varekova 2005-03-15 03:50:24 EST
Thank you for your notices.
This problem was fixed in the latest version of man (man-1.5p-1).
If there is still a problem with man -k please reopen this bug.
Ivana Varekova
Comment 7 Neo 2005-06-18 20:48:27 EDT
I think it is still bugging. Try this:
man -k "$<"

What I get is:
not executing command:
Comment 8 Ivana Varekova 2005-06-20 04:56:53 EDT
There are forbidden characters in the man -k keyword parameter (<,>,|,..). If you
enter some keyword containing these characters, man writes the previous error message.
