hp-ux 11.11 64bits printf oracle bug

likid0 — Mon, 05 Jul 2010 09:14:15 GMT

Hi,

Our db team, passed us this problem they are having after updating oracle to version 9.2.0.8, oracle is dumping a core. Do you know if there is a SO patch for this bug?.

hp-ux: 11.11. 64 bits

# PHCO_27577 1.0 printf(1) cumulative patch
# PHCO_32761 1.0 libc cumulative patch

Bug 6925880: ORA-7445: [__DOPRNT_WIDE()+12112]

Bug Attributes
Type B - Defect Fixed in Product Version -
Severity 2 - Severe Loss of Service Product Version 9.2.0.8.0
Status 95 - Closed, Vendor OS Problem Platform 59 - HP-UX PA-RISC (64-bit)
Created 28-Mar-2008 Platform Version -
Updated 26-Jan-2009 Base Bug -
Database Version 9.2.0.8.0
Affects Platforms Generic
Product Source Oracle

This looks like a problem in HPUX but you could probably argue
about it. In the trace notice that we are attempting to write
out the bind value. For this we use vsnprintf() and the
dump occurs under there, notably on a page aligned address.

The problem is that printf() and variants (vsnprintf, sprintf
etc..) have a problem on HPUX with a format string / args of
the form ("%.*s",N,P) if the address P+N is not accessible. For such
a call into printf() we are only asking to output the first N
characters and so printf() should only need to look at addresses
P+0 to P+N-1 inclusive, but on HPUX printf() is looking at address
P+N. For tracing bind values, and other places, strings in Oracle
are stored as a separate length and content and so there is no
trailing NULL and it is possible for a string content to end
on a page boundary such that the next byte is not accessible.
This is what is happening in the trace - the page after the
string content is not mapped to the process and so when printf
tries to access it (which it should not need to as it is
beyond the supplied length) it gets a fault.
I have uploaded a simple C program
that contains the following code to show the problem. This uses
page protection to show printf() reading past the length
supplied and only fails on HPUX. It works fine on Linux,
Solaris and AIX.

#include
#include

main()
{
char * p=(char *)valloc(2*8192);
char * p2=p+8192;
char * txt=p2-16;
int i;

for (i=0; i<16; i++) txt[i]='A'+i;
printf("Value before protection \"%.*s\"\n\n",16,txt);

if (mprotect(p2,8192,PROT_NONE)<0)     {
        perror("mprotect failed");
        printf("Cannot do test, mprotect failed\n"); exit(1);
}
printf("txt=%p, Protected from=%p\n",txt,p2);

printf("accessing one byte at a time: ");
for (i=0; i<16; i++) printf("%c",txt[i]);
printf("\n");

printf("\n");
printf("Using %%.*s format with len=16\n");
printf("\"%.*s\"\n",16,txt);
}

I would suggest that you contact HP with this test program
to see if they have a C library fix for printf() so that
it does not read more than N characters into a string buffer
when N has been supplied.
*** 03/31/08 04:37 am ***
The test program fails on HPUX compiled 64bit thus:

Value before protection "ABCDEFGHIJKLMNOP"

txt=8000000100007ff0, Protected from=8000000100008000
accessing one byte at a time: ABCDEFGHIJKLMNOP

Using %.*s format with len=16
Bus error (core dumped)

In this example there is a string of 16 characters at
8000000100007ff0 which read ABCDEFGHIJKLMNOP with
the P at 8000000100007fff. 8000000100008000 is not
accessible but we asked to printf the first 16
characters of the string only so printf should not
need to access past 8000000100007fff, but it tries
to and dumps.

Re: hp-ux 11.11 64bits printf oracle bug

likid0 — Mon, 05 Jul 2010 14:53:19 GMT

Fixed with patch PHCO_40310

topic hp-ux 11.11 64bits printf oracle bug in Operating System - HP-UX

hp-ux 11.11 64bits printf oracle bug

Re: hp-ux 11.11 64bits printf oracle bug