From: Stefan Esser <se@FreeBSD.org>
To: Mark Millard
Cc: bugs@openbsd.org, freebsd-current, Baptiste Daroussin
Date: Tue, 11 Jan 2022 22:08:50 +0100
Message-ID: <7babd754-6dab-223a-7bfd-ff06f10c71e2@FreeBSD.org>
References: <35333abc-9d4a-4b78-586d-1e869df4f9d4@FreeBSD.org>
Subject: Re: UBSAN report for main [so: 14] /usr/bin/whatis: non-zero (48) and zero offsets from null pointer in qsort.c
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
On 11.01.22 at 21:08, Mark Millard wrote:
> On 2022-Jan-11, at 05:19, Stefan Esser wrote:
[...]
>> The undefined behavior is caused by insufficient checking of parameters
>> in mansearch.c.
>>
>> As part of the initializations performed at the start of mansearch(),
>> the variables cur and *res are initialized to 0 resp. NULL:
>>
>> 	cur = maxres = 0;
>> 	if (res != NULL)
>> 		*res = NULL;
>>
>> If no match is found, these values are unchanged at line 223, where res
>> is checked to be non-NULL, but then *res is passed to qsort() and that
>> is still NULL.
>>
>> Suggested fix (also attached to avoid white-space issues):
>>
>> --- usr.bin/mandoc/mansearch.c
>> +++ usr.bin/mandoc/mansearch.c
>> @@ -220,7 +220,7 @@
>>  			if (cur && search->firstmatch)
>>  				break;
>>  		}
>> -	if (res != NULL)
>> +	if (res != NULL && *res != NULL)
>>  		qsort(*res, cur, sizeof(struct manpage), manpage_compare);
>>  	if (chdir_status && getcwd_status && chdir(buf) == -1)
>>  		warn("%s", buf);
>>
>> (File name as in OpenBSD, it is contrib/mandoc/mansearch.c in FreeBSD.)
>
> Cool. Thanks.
>
> (But I'm not a committer so someone else
> will have to deal with doing an update to
> the file in git --and likely MFC'ing it.)
>
> ===
> Mark Millard
> marklmi at yahoo.com
>

I have submitted a bug report to our upstream (OpenBSD), but the issue
could also be fixed (or rather undefined behavior prevented) by a simple
patch that makes qsort() detect the NULL pointer:
diff --git a/lib/libc/stdlib/qsort.c b/lib/libc/stdlib/qsort.c
index 5016fff7895f..51c41e802330 100644
--- a/lib/libc/stdlib/qsort.c
+++ b/lib/libc/stdlib/qsort.c
@@ -108,6 +108,8 @@ local_qsort(void *a, size_t n, size_t es, cmp_t *cmp, void *thunk)
 	int cmp_result;
 	int swap_cnt;
 
+	if (__predict_false(a == NULL))
+		return;
 loop:
 	swap_cnt = 0;
 	if (n < 7) {

This would also work to prevent the NULL pointer arithmetic for ports
that might also pass a == NULL and n == 0 in certain cases.

I'll apply this patch tomorrow, if there are no objections.

Regards, Stefan
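Review bot: in the quoted mansearch.c hunk, `if (res != NULL && *res != NULL)` fixes the reported case but states the condition indirectly; since the message explains that `cur` and `*res` are both still at their initial values when nothing matched, `if (res != NULL && cur > 0)` says what is actually meant (there is nothing to sort) and does not depend on `*res` remaining NULL exactly when `cur` is zero. A one-line comment noting that qsort() must not be handed a NULL base even with a zero count would also help, since the extra check otherwise looks redundant to the next reader.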
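Review bot: the early return on `a == NULL` in the qsort.c hunk also swallows calls with a NULL base and a non-zero `n`, a caller bug that previously faulted and would now silently sort nothing; narrowing it to `if (__predict_false(a == NULL && n == 0))` still covers the reported mansearch() case and the ports case named in the message (`a == NULL` and `n == 0`) while leaving a genuinely bad pointer detectable. The two added lines also carry no comment; a short one saying that the pointer arithmetic on a NULL base further down is what UBSAN reports would document why the return is there.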
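As an added example (not code from the thread or from FreeBSD's libc), a cut-down stand-in for the small-array insertion-sort path of local_qsort() that shows where the null-pointer offsets in the subject line come from and how the patch's early return avoids them; all function names and the struct are invented, and the loop is a paraphrase of the libc logic rather than its source.

```c
#include <stddef.h>

typedef int cmp_t(const void *, const void *);

static void swap_elems(char *x, char *y, size_t es)	/* byte-wise swap */
{
	while (es-- > 0) { char t = *x; *x++ = *y; *y++ = t; }
}

/* Stand-in for the n < 7 insertion-sort path of local_qsort() (paraphrased,
 * not the libc source). With a == NULL and n == 0 the loop body never runs,
 * but (char *)a + es (offset es from NULL) and (char *)a + n * es (offset 0
 * from NULL) are still evaluated: with es == 48 that is the report in the
 * subject line. The guard is the patch's early return, narrowed to (NULL, 0)
 * so that a NULL base with n > 0 stays a detectable caller bug. */
static void small_sort(void *a, size_t n, size_t es, cmp_t *cmp, int guarded)
{
	char *pm, *pl;
	if (guarded && a == NULL && n == 0)
		return;
	for (pm = (char *)a + es; pm < (char *)a + n * es; pm += es)
		for (pl = pm; pl > (char *)a && cmp(pl - es, pl) > 0; pl -= es)
			swap_elems(pl, pl - es, es);
}

static int cmp_int(const void *x, const void *y)
{
	int a = *(const int *)x, b = *(const int *)y;
	return (a > b) - (a < b);
}

/* Sorts v[0..n) via the guarded path; returns 1 if the result is ascending. */
static int sort_ints_ok(int *v, size_t n)
{
	small_sort(v, n, sizeof *v, cmp_int, 1);
	for (size_t i = 1; i < n; i++)
		if (v[i - 1] > v[i])
			return 0;
	return 1;
}

/* The mansearch() situation: no match, so the result pointer is still NULL
 * and the count still 0 at the sort. Build with -fsanitize=undefined and
 * call with guarded == 0 to see the report. Returns the (zero) count. */
static size_t sort_no_matches(int guarded)
{
	struct entry { char pad[48]; } *res = NULL;	/* constructed 48-byte element */
	size_t cur = 0;
	small_sort(res, cur, sizeof *res, cmp_int, guarded);
	return cur;
}
```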