Patch Name: PHCO_30533 Patch Description: s700_800 11.11 csh(1) cumulative patch Creation Date: 04/06/21 Post Date: 04/07/07 Hardware Platforms - OS Releases: s700: 11.11 s800: 11.11 Products: N/A Filesets: OS-Core.CMDS-MIN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP OS-Core.CMIN-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP Automatic Reboot?: No Status: General Release Critical: No (superseded patches were critical) PHCO_28329: ABORT PHCO_26561: ABORT Category Tags: defect_repair general_release critical halts_system Path Name: /hp-ux_patches/s700_800/11.X/PHCO_30533 Symptoms: PHCO_30533: ( SR:8606347470 CR:JAGaf08292 ) csh(1) limits the environment variable to 2k when noglob mode is unset. ( SR:8606358873 CR:JAGaf19569 ) csh does not support 10240 chars for environment variable when double quoted. ( SR:8606365127 CR:JAGaf25762 ) csh(1) built-in 'limit' displays incorrect value for the resource datasize. ( SR:8606366064 CR:JAGaf26693 ) csh(1) built-in 'echo' exits with an error message when there is '\' at the end of the string. PHCO_28329: ( SR:8606330227 CR:JAGae91350 ) 1. csh(1) dumps core when a multibyte string of size greater than 4118 characters is passed to builtin echo. ( SR:8606330228 CR:JAGae91351 ) 2. man page for csh(1) incorrectly shows 60 instead of 600 for the initial value of "autologout". PHCO_26561: ( SR:8606242998 CR:JAGae10232 ) csh(1) misbehaves when the file system is full. ( SR:8606181552 CR:JAGad50768 ) csh(1) dumps core if kill character is > 0x20(@), and behaves inconsistantly if erase character is > 0x20. ( SR:8606259489 CR:JAGae23807 ) csh(1) has problems when just the right number of file descriptors are open at the time it is invoked. PHCO_25082: ( SR:8606105829 CR:JAGab74169 ) When multibyte characters, which are got as a result of evaluating an expression using `` (backquotes) are passed to csh(1), it gives an error message "backeval(1): Invalid multibyte character" intermittently. ( SR:8606163597 CR:JAGad32901 ) csh(1) fails with input redirection involving ~username. PHCO_24810: ( SR:8606211224 CR:JAGad80412 ) cshell script returns "if: Expression syntax" when there is 3 or more levels of source indirections. Defect Description: PHCO_30533: ( SR:8606347470 CR:JAGaf08292 ) csh(1) limits the environment variable of command substitution to 2k bytes when noglob mode is unset. The csh(1) manpage says that the limit for a word is 10240 bytes. The problem can be reproduced as follows: $ csh % set VAR=`yes | head -2046 | tr -d "\012"` % echo $VAR | wc 1 1 2047 % set VAR=`yes | head -2047 | tr -d "\012"` Pathname too long. <===== wrong behavior % set noglob % set VAR=`yes | head -2047 | tr -d "\012"` % echo $VAR | wc 1 1 2048 % unset noglob % set VAR=`yes | head -2047 | tr -d "\012"` Pathname too long. <====== wrong behavior Resolution: csh(1) has been modified to handle environment variable of size greater than 2K bytes when noglob is unset. ( SR:8606358873 CR:JAGaf19569 ) csh(1) limits the resulting word of command substitution to 10237(if quoted) bytes when glob mode is set. The csh(1) manpage says that the limit for a word is 10240 bytes. The problem can be reproduced as follows: $cat a.c #include int main() { int i=0; for(i=0;i<10237;i++) printf("A"); printf("\n"); return 0; } $cc a.c -o a $./a > LARGESTRING $ll LARGESTRING -rw-rw-rw- 1 vts ssgrp 10238 Apr 15 11:58 LARGESTRING ^^^^^ (includes newline at end) create a script to assign large string(10237) to one variable and expand that variable using csh shell. $cat test1 #!/usr/bin/csh set A=`cat LARGESTRING` echo "$A" $chmod 0555 test1 $/usr/bin/csh %./test1 Word too long. Resolution: csh is modified to handle the word length upto 10240 characters. ( SR:8606365127 CR:JAGaf25762 ) Built-in command 'limit' of csh(1) is displaying incorrect value for datasize if it is set to a value greater than 2GB. The problem can be reproduced by the following steps: 1. Set the kernel tunable maxdsiz to 2GB. (To set this kernal tunable, SAM can be used as super user.) 2. Run the below command. # csh -c "limit datasize" datasize -2097152 kbytes ^^^^^^^^ csh(1) displays negative value for datasize if maxdsiz is set to value greater than 2GB. Resolution: csh(1) has been modified to display correct value of datasize. ( SR:8606366064 CR:JAGaf26693 ) The csh(1) built-in command 'echo' exits with error "display_char(1): Invalid multibyte character" if the input string contains '\' as the last character. This is happening in multibyte locale environment. The problem can be reproduced by the following steps: $ /usr/bin/csh % setenv LANG ja_JP.SJIS % echo "Test\" Test\display_char(1): Invalid multibyte character. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Resolution: csh(1) is modified to handle the string with '\' at the end. PHCO_28329: ( SR:8606330227 CR:JAGae91350 ) 1. If a multibyte string of size greater than 4118 characters is passed to builtin echo then csh(1) dumps core. Problem can be reproduced using the below script: $ cat test.sh #!/usr/bin/csh setenv LANG ja_JP.SJIS set i=0 set NAME= while (( $i < $1)) set NAME=${NAME}"A" @ i++ end echo $NAME $ ./test.sh 4118 Illegal instruction(coredump) We were using a wide character buffer of size 4096 bytes to store the wide character converted input multibyte string. In the above case the converted wide character string was exceeding the buffer size resulting in core dump. Resolution: csh(1) has been modified to allocate memory dynamically for the buffer based on the input multibyte string length. ( SR:8606330228 CR:JAGae91351 ) 2. man page of csh states that the initial value of "autologout" is 60. This is incorrect since csh(1) set the value of "autologout" to 600 initially. Problem can be validated using the below script: $ cat test.sh #!/usr/bin/csh echo $autologout $ ./test.sh 600 Note that the initial value of "autologout" is 600. Resolution: man page has been updated to display the correct initial value of "autologout". PHCO_26561: ( SR:8606242998 CR:JAGae10232 ) csh(1) misbehaves when the file system is full. Resolution: Problem has been fixed. ( SR:8606181552 CR:JAGad50768 ) In csh code, on receiving control characters (0 to 0x20 and 0177) all the multibyte characters left in the input buffer are converted into wide characters. While processing the kill and erase characters the code assumed that all the characters in the input buffer got converted to wide characters. But this was not the case as the value of kill and erase characters is greater than 0x20 and not equal to 0177. This resulted in buffer underflow. The problem can be reproduced as follows: 1.$ export LANG=ja_JP.SJIS 2.$ /usr/bin/csh 3.% stty kill @ 4.% ls@ Memory fault(coredump) Resolution: Now the code is modified to convert all the multibyte characters in the input buffer to wide chars even in the case of kill and erase characters. ( SR:8606259489 CR:JAGae23807 ) csh creates some fixed file descriptors for its use. These fixed file descriptors are used instead of the usual 0,1,2. At some point of time when a catalog file descriptor is initialised , it coincides with one of the fixed file descriptors. When the catalog file descriptor gets closed, one of the fixed file descriptor gets closed. The problem can be reproduced as follows: 1. Create a c program $ cat open_test.c #include #include #include #include extern int errno ; void main() { FILE *fp ; int i ,j ,ret ; for(i=0; i<20; i++) { printf("***** count=%d\n", i) ; errno = 0 ; ret = system("./test.csh") ; if( !(fp = fopen("temp.txt", "r")) ) { printf("*fopen error %d \n", errno) ; exit(1); } if((ret = unlink("temp.txt"))) printf("remove error ret=%d errno=%d\n", ret, errno) ; } } 2. compile the above program cc -o open_test -O open_test.c 3. Create a test.csh cat > test.csh #! /usr/bin/csh ls -l > "temp.txt" 4. Invoke csh as a login shell 5. setenv LANG C 6. Execute open_test 7. open_test gives "*fopen error 2". Resolution: The code has been modified to ensure that the catalog file descriptor will take the value other than the fixed file descriptors. PHCO_25082: ( SR:8606105829 CR:JAGab74169 ) In case of back quoted expressions, csh(1) creates a pipe and forks a child process. The child process is writing the data into the pipe which it gets from the output of the back quoted expression, at time slices. The child is writing byte by byte basis, not character by character basis.The parent reads the data from the pipe byte by byte and calls mbtowc() to convert into multibyte characters. Some times mbtowc() will be left with less than required number of bytes to form a multibyte character, because the remaining bytes are not sent by the child. Thus the parent which receives -1 from mbtowc() gives out an error message "backeval(1): Invalid multibyte character" . Resolution: The csh(1) has been modified so that the parent process reads once again from the pipe, when mbtowc() returns -1 and still if it is not able to form a multibyte character then an error message "backeval(1): Invalid multibyte character" will be issued. ( SR:8606163597 CR:JAGad32901 ) csh(1) input redirection does not work correctly with ~ operator. getpwnam() library routine keeps some of the file descriptors open,which cause problems in csh(1) input/output redirection. Resolution: csh(1) wrongly assumes that file descriptors 0, 1 and 2 are closed. But the underlying layer keeps them open and this caused the problem.Now the file descriptors are closed to fix the problem. PHCO_24810: ( SR:8606211224 CR:JAGad80412 ) csh script returns "if: Expression syntax " failure when there is more than 3 level of source indirections. This is due to underrun of the allocated memory. Resolution: A condition for avoiding underrun has been introduced. Enhancement: No SR: 8606105829 8606163597 8606181552 8606211224 8606242998 8606259489 8606330227 8606330228 8606347470 8606358873 8606365127 8606366064 Patch Files: OS-Core.CMDS-MIN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP: /usr/bin/csh OS-Core.CMIN-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64, v=HP: /usr/share/man/man1.Z/csh.1 what(1) Output: OS-Core.CMDS-MIN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP: /usr/bin/csh: sh.dol.c $Date: 2002/03/11 05:10:46 $Revision: r11.1 1/2 PATCH_11.11 (PHCO_26561) sh.func.c $Date: 2004/06/03 01:46:35 $Revision: r11. 11/6 PATCH_11.11 (PHCO_30533) sh.glob.c $Date: 2004/02/26 07:00:03 $Revision: r11. 11/2 PATCH_11.11 (PHCO_30533) sh.misc.c $Date: 2001/09/07 07:55:37 $Revision: r11. 11/1 PATCH_11.11 (PHCO_25082) sh.c $Date: 2002/09/19 04:08:16 $Revision: r11.11/3 PATCH_11.11 (PHCO_26561) tenex.c $Date: 2002/09/19 04:08:16 $Revision: r11.11 /3 PATCH_11.11 (PHCO_26561) $Revision: vw: -f selectors: R11.11_BL2004_0621_1 PHCO_30533 'R11.11_BL2004_0621_1' OS-Core.CMIN-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64, v=HP: /usr/share/man/man1.Z/csh.1: None cksum(1) Output: OS-Core.CMDS-MIN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP: 2865706112 155648 /usr/bin/csh OS-Core.CMIN-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64, v=HP: 937412551 33217 /usr/share/man/man1.Z/csh.1 Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: None Supersedes: PHCO_28329 PHCO_26561 PHCO_25082 PHCO_24810 Equivalent Patches: None Patch Package Size: 150 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHCO_30533 5. Run swinstall to install the patch: swinstall -x autoreboot=true -x patch_match_target=true \ -s /tmp/PHCO_30533.depot By default swinstall will archive the original software in /var/adm/sw/save/PHCO_30533. If you do not wish to retain a copy of the original software, include the patch_save_files option in the swinstall command above: -x patch_save_files=false WARNING: If patch_save_files is false when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. For future reference, the contents of the PHCO_30533.text file is available in the product readme: swlist -l product -a readme -d @ /tmp/PHCO_30533.depot To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHCO_30533.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None