Operating System - HP-UX
1747984 Members
4202 Online
108756 Solutions
New Discussion

hp-ux 11.11 64bits printf oracle bug

 
likid0
Honored Contributor

hp-ux 11.11 64bits printf oracle bug

Hi,

Our db team, passed us this problem they are having after updating oracle to version 9.2.0.8, oracle is dumping a core. Do you know if there is a SO patch for this bug?.

hp-ux: 11.11. 64 bits

# PHCO_27577 1.0 printf(1) cumulative patch
# PHCO_32761 1.0 libc cumulative patch



Bug 6925880: ORA-7445: [__DOPRNT_WIDE()+12112]

Bug Attributes
Type B - Defect Fixed in Product Version -
Severity 2 - Severe Loss of Service Product Version 9.2.0.8.0
Status 95 - Closed, Vendor OS Problem Platform 59 - HP-UX PA-RISC (64-bit)
Created 28-Mar-2008 Platform Version -
Updated 26-Jan-2009 Base Bug -
Database Version 9.2.0.8.0
Affects Platforms Generic
Product Source Oracle

This looks like a problem in HPUX but you could probably argue
about it. In the trace notice that we are attempting to write
out the bind value. For this we use vsnprintf() and the
dump occurs under there, notably on a page aligned address.

The problem is that printf() and variants (vsnprintf, sprintf
etc..) have a problem on HPUX with a format string / args of
the form ("%.*s",N,P) if the address P+N is not accessible. For such
a call into printf() we are only asking to output the first N
characters and so printf() should only need to look at addresses
P+0 to P+N-1 inclusive, but on HPUX printf() is looking at address
P+N. For tracing bind values, and other places, strings in Oracle
are stored as a separate length and content and so there is no
trailing NULL and it is possible for a string content to end
on a page boundary such that the next byte is not accessible.
This is what is happening in the trace - the page after the
string content is not mapped to the process and so when printf
tries to access it (which it should not need to as it is
beyond the supplied length) it gets a fault.
I have uploaded a simple C program
that contains the following code to show the problem. This uses
page protection to show printf() reading past the length
supplied and only fails on HPUX. It works fine on Linux,
Solaris and AIX.

#include
#include

main()
{
char * p=(char *)valloc(2*8192);
char * p2=p+8192;
char * txt=p2-16;
int i;

  for (i=0; i<16; i++) txt[i]='A'+i;
  printf("Value before protection \"%.*s\"\n\n",16,txt);

  if (mprotect(p2,8192,PROT_NONE)<0)     {
        perror("mprotect failed");
        printf("Cannot do test, mprotect failed\n");  exit(1);
  }
  printf("txt=%p, Protected from=%p\n",txt,p2);

  printf("accessing one byte at a time: ");
  for (i=0; i<16; i++) printf("%c",txt[i]);
  printf("\n");

  printf("\n");
  printf("Using %%.*s format with len=16\n");
  printf("\"%.*s\"\n",16,txt);
}


I would suggest that you contact HP with this test program
to see if they have a C library fix for printf() so that
it does not read more than N characters into a string buffer
when N has been supplied.
*** 03/31/08 04:37 am ***
The test program fails on HPUX compiled 64bit thus:

  Value before protection "ABCDEFGHIJKLMNOP"

  txt=8000000100007ff0, Protected from=8000000100008000
  accessing one byte at a time: ABCDEFGHIJKLMNOP

  Using %.*s format with len=16
  Bus error (core dumped)

In this example there is a string of 16 characters at
8000000100007ff0 which read ABCDEFGHIJKLMNOP with
the P at 8000000100007fff. 8000000100008000 is not
accessible but we asked to printf the first 16
characters of the string only so printf should not
need to access past 8000000100007fff, but it tries
to and dumps.
Windows?, no thanks
1 REPLY 1
likid0
Honored Contributor

Re: hp-ux 11.11 64bits printf oracle bug

Fixed with patch PHCO_40310
Windows?, no thanks