[bug #55475] Segmentation fault in relocatep - groff 1.22.3

From: Danny Milosavljevic
Subject: [bug #55475] Segmentation fault in relocatep - groff 1.22.3
Date: Wed, 16 Jan 2019 05:05:40 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Follow-up Comment #3, bug #55475 (project groff):

We hit the bug I described in production in the Guix distribution (100%
reproducible without racing-deleting any executable or anything like that). 
It's not a theoretical problem.  See also
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30785 for the Guix bug report
(it was a nightmare to find the cause).

I think (but have no direct evidence) that searchpath returns NULL because we
see that curr_prefix ended up NULL (we saw that in a backtrace).  Since
curr_prefix is only set to the allocation using "new char[...]" and then to
the result of the searchpath() call, assuming we have enough RAM (we do), that
leaves the searchpath() call as the only possible culprit.

I suspect that argv[0] is either NULL or some funny string that has nothing to
do with the executable (that's permissible and can be done by the invoker) and
searchpath() then can't access or realpath() it.

realpath() can fail because of: search permission denied, path is NULL, I/O
error, loop in symbolic links, name too long, named file does not exist (!),
out of memory and if some non-leaf part of the path isn't a directory.

preconv is called by man via libpipeline and we don't have any experience of
what funny stuff it does.

Anyway, we will patch it locally by disabling the entire Rube Goldberg thing,
substituting "-DENABLE_RELOCATABLE=1" by the empty string.  Then it works.
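As an added illustration (not groff's code and not the commenter's), here is a defensive version of the argv[0] -> searchpath() -> realpath() chain the comment describes: a NULL or empty argv[0], a name with no PATH hit, and every realpath() error listed above are reported and replaced by the compile-time prefix instead of being handed to the caller as a NULL pointer. `search_path`, `exec_dir_or_fallback` and the fallback prefix string are assumed names for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for a PATH search (assumed name; not groff's searchpath()):
 * try `name` under each element of `path` and return the first executable
 * candidate, written into `out`, or NULL when nothing matches. */
static char *search_path(const char *name, const char *path, char *out, size_t outlen) {
    if (name == NULL || path == NULL) return NULL;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* an empty PATH element means the current directory */
        int n = snprintf(out, outlen, "%.*s%s%s", (int)len, p, len ? "/" : "", name);
        if (n > 0 && (size_t)n < outlen && access(out, X_OK) == 0) return out;
        if (end == NULL) return NULL;
        p = end + 1;
    }
}

/* Directory of the running executable derived from argv[0], the way a
 * relocatable prefix is computed, except that every failure (NULL or empty
 * argv[0], no PATH hit, any realpath() error) is reported on stderr and
 * replaced by the compile-time `fallback` instead of surfacing as NULL.
 * Returns a malloc'd string the caller frees; NULL only if strdup() fails. */
char *exec_dir_or_fallback(const char *argv0, const char *fallback) {
    char found[PATH_MAX], resolved[PATH_MAX];
    const char *candidate = NULL;
    if (argv0 == NULL || *argv0 == '\0') {
        fprintf(stderr, "relocation: argv[0] is unset; using %s\n", fallback);
    } else if (strchr(argv0, '/') != NULL) {
        candidate = argv0;  /* absolute or cwd-relative path: no search needed */
    } else if ((candidate = search_path(argv0, getenv("PATH"), found, sizeof found)) == NULL) {
        fprintf(stderr, "relocation: %s not found in PATH; using %s\n", argv0, fallback);
    }
    if (candidate != NULL && realpath(candidate, resolved) == NULL) {
        fprintf(stderr, "relocation: realpath(%s): %s; using %s\n",
                candidate, strerror(errno), fallback);
        candidate = NULL;
    }
    /* dirname() may modify its argument, so it only ever sees the local copy */
    return strdup(candidate != NULL ? dirname(resolved) : fallback);
}
```

The stderr line names the failing step and the errno text, which is what was missing from the production crash described above.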


  Message sent via Savannah
