Patch Name: PHCO_31160 Patch Description: s700_800 11.00 sh-posix(1) cumulative patch Creation Date: 04/07/06 Post Date: 04/08/04 Hardware Platforms - OS Releases: s700: 11.00 s800: 11.00 Products: N/A Filesets: OS-Core.CORE-ENG-A-MAN,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP Automatic Reboot?: No Status: General Release Critical: Yes PHCO_31160: CORRUPTION MEMORY_LEAK ABORT In sh-posix shell, "set -A" leaks memory. Fix for sh-posix shell coredump problem if the command-line arguments contains any illegal multibyte characters. Consecutive SIGWINCH within a short span can cause the shell to abort abruptly. Using $(..) or `..` with data length of 1022 characters, causes part of the data to be lost. PHCO_29768: HANG Shell script communicating with a coprocess might hang. PHCO_28831: CORRUPTION Fix for sh-posix(1) memory corruption during variable expansion inside a here-doc. PHCO_27344: CORRUPTION MEMORY_LEAK OTHER HANG Fix for sh-posix(1) memory corruption in emacs mode of editing. Fix for memory leakage in sh-posix(1) when $i is used in a loop. Fix for sh-posix(1) hang when shell tries to output long strings (>1024 bytes) in a multibyte environment. Fix for sh-posix(1) hang on stdin read() with EIO. PHCO_26789: OTHER HANG This patch fixes the problem of the posix shell hanging when directory names involving symbolic links are parsed. This patch also fixes the POSIX shell to adhere to ISOC standards by recognizing octal and hexa decimal notations . Category Tags: defect_repair enhancement general_release critical halts_system corruption memory_leak Path Name: /hp-ux_patches/s700_800/11.X/PHCO_31160 Symptoms: PHCO_31160: 1. In sh-posix shell, "set -A" leaks memory. 2. Using $(..) or `..` with data length of 1022 characters, in sh-posix(1) script causes part of the data to be lost. 3. Uninitialized variables type defined using typeset and exported, will truncate the environment of the processes invoked from the child shells. 4. sh-posix shell coredumps if the command-line arguments contains any illegal multibyte characters. 5. Consecutive SIGWINCH within a short span can cause the shell to abort abruptly. PHCO_29768: 1. Non-interactive shells are not waiting for stopped child processes. 2. SIGNULL signal to a stopped process through kill built-in causes the stopped process to continue. 3. A shell script communicating with a coprocess might hang. 4. Shell should recognize numbers starting with 0 and 0x as octal and hexa-decimal respectively only if UNIX95 variable is defined. 5. Job control does not work in sequential lists. 6. Shell might overwrite existing files even when noclobber option is set. PHCO_28831: 1. In a shell script, if 'return' is immediately followed by '&', and the script is sourced, all commands after 'return' will be executed twice. 2. When using trap after a non-builtin command, executed with sh-posix(1) which is invoked with -c option, trap may not work as expected. 3. Variable expansion inside here-doc may not happen correctly. 4. sh-posix(1) does not handle the file-system related failures correctly. PHCO_27344: 1. sh-posix(1) with '-c' option, leaves temporary files when heredoc is used in functions. 2. sh-posix(1) corrupts memory in emacs mode of editing. 3. Memory leakage in sh-posix(1) when using $! in a loop. 4. sh-posix(1) -n reports "specified subscript cannot be greater than 1024". 5. Echo, built-in command of sh-posix(1), hangs. 6. sh-posix(1)(child of telnetd) loops infinitely on stdin read() with EIO. 7. sh-posix(1) dumps core with SIGSEGV. 8. PATH resolution problem in sh-posix(1). 9. sh-posix(1) removes here-doc before RHS of pipe can read it. 10.sh-posix(1) leaves temporary files . 11.sh-posix(1) does not remove "here-documents". PHCO_26789: 1. Incorrect positioning of cursor by sh-posix with command line editor set to "vi". 2. Incorrect display of prompt by sh-posix when prompt string contains escape characters. 3. Shell does an improper newline deletion during command substitution. 4. Shell does not process expression inside $((..)) as per ISOC standards. 5. Script using eval special builtin exits for ALL errors. 6. Shell creates temporary files with race condition. 7. Shell hangs when directory names involving symbolic links are parsed. 8. Shell script sometimes exits with the message "invalid multibyte character", even when the input data contains valid multibyte characters. PHCO_23873: 1. Shell core dumps on receiving an early SIGWINCH signal during its startup. 2. When a function, that calls a return builtin immediately after executing a nonshell builtin, is executed with -c option, shell exits abruptly. PHCO_22537: 1. sh-posix read does not set REPLY by default. 2. sh-posix gets SIGBUS when executing scripts. 3. sh-posix command buffer corrupted due to incorrect use of eval builtin. 4. dtterm exits on resizing of window for 12 times. 5. Using "print..\c" option results in displaying the incorrect prompt string. PHCO_20816: 1. The sh-posix dumps core during startup if sent an early SIGWINCH. 2. sh-posix uses /tmp for here documents hence large shar files cannot unpack. 3. When a process group is killed, sh-posix error message is misleading. 4. POSIX shell can fail login attempts if history file cannot be trimmed. 5. sh-posix dumps core with history in heterogeneous environment. PHCO_19054: 1. The 11.00 posix shell patch PHCO_18447 saves the previous install data in wrong directory. 2. sh-posix(1) exits after executing trap for SIGHUP. 3. File globbing in sh-posix(1) fails for large files. 4. Posix shell can not keep the correct cursor position on multibyte locale. PHCO_18447: 1. Cold-installing a 11.00 patch bundle results in a wrong version of /sbin/sh. After the cold-install of a 11.00 patch bundle which includes the posix shell patch PHCO_17321, swverify gives errors regarding /sbin/sh. 2. Filename pattern match and case pattern match fail in posix shell. 3. Posix shell coredumps with script using many heredocs. PHCO_17321: 1. Posix shell does not handle SIGWINCH appropriately while executing functions. 2. Posix shell dumps core when non-interpreter scripts are executed through "sh -c". 3. Posix shell does not source a file a second time if the file that is being sourced, defines a function with the same name as the file. 4. Posix shell command substitution in while list does not work as before. Behavior of posix shell seems to have changed from that of 10.10 posix shell unnecessarily. 5. Posix shell goes to infinite loop by receiving signal. 6. Posix shell does not handle command substitution involving variables of length 2047, 3071, etc. correctly. When a variable is assigned a string of length equal to 2047/3071/..., the result of command substitution using this variable retains only the last 1023 bytes of the variable. 7. Posix shell displays wrong value for ulimit -Sc. 8. Values of variables initialized as a prefix to invoking a script, are lost inside the script. The following commands loose the value of TERM inside the script. /usr/bin/sh "TERM=450 ./script" or /usr/bin/sh -c "TERM=450 ./script" where script just echos the value of TERM. The output from the above commands is not 450 as expected, but the value of TERM before invoking the command. 9. Posix shell does not wait for zombies while in vi/emacs input mode. When in vi/emacs input mode, processes are seen in the process list even after the background jobs terminate. They disappear once an is input on the terminal that started the job. 10. When set -e is on, sh-posix does not exit on encountering error while expanding the word list in a for statement. This happens even in a case statement and a pipe list. Scripts like the following do not exit on error. set -e for i in `sort a_non_existent_file` do echo Hello $i done echo "return code is " $? " -> Should not display this." 11. When posix shell encounters an invalid multibyte sequence in the input, it silently exits without notifying the user. PHCO_13363: Whenever shell waits in read for the user input, then the characters entered by user overwrites the string terminated with "\c" that was echoed before read. Defect Description: PHCO_31160: 1. In sh-posix shell, "set -A" is used to unset the current variable and assign array elements to the variable. Before assigning the new values to the array variable, shell frees the memory associated with the existing array elements (if any) and allocates the memory for the new array elements. The code for freeing the memory of the existing array elements was returning without freeing the memory of the last element in the array and hence causing the memory leak. The problem can be reproduced as follows: $cat leak.sh #!/usr/bin/sh typeset -i N=0 while [[ $N -le $1 ]];do set -A arr 1 2 (( N = N + 1 )) done UNIX95=1 ps -osz,comm -p$$; echo $1; exit $ The above script will print the size of the shell. 2. Run the above script with the argument let's say 1 and 50000 and compare the size of the shell. E.g. $/usr/bin/sh leak.sh 1 SZ COMMAND 85 sh.org 1 $/usr/bin/sh leak.sh 50000 SZ COMMAND 581 sh.org 50000 $ The 50000 iterations caused the shell to grow by 496*4096 bytes. The expected output is "the size of the shell should be same irrespective of the no. of times we are executing the same array assignment statement using "set -A". Resolution: Now the code for freeing the memory of the existing array elements is corrected such that it frees even the memory of the last array element. 2. Using $(..) or `..` with data length of 1022 characters in sh-posix script can cause part of the data to be lost. The problem can be reproduced as follows : $ /usr/bin/sh $ word_1022=`perl -e 'print "A" x 1022'` $ word="Have a nice day!" $ list_com=$(echo "${word_1022}") $ list_com=$(echo "${list_com}\n${word}") $ echo "$list_com" AAAAAAAA...AAAAA The exepected output should be AAAAAAAA...AAAAA Have a nice day! Resolution: sh-posix shell has been modified to take care of the above scenario. 3. Type defined and unitialized variables are imported by the shell through A__z variable. While creating the environment for the programs to be executed by this shell, NULL was getting inserted for these variables resulting in truncation of the environment in the new processes invoked. Following are the steps to reproduce the problem: 1. Invoke posix shell $ /usr/bin/sh 2.Typeset a new variable and export without initializing. $ typeset -i VARIABLE1 $ export VARIABLE1 3. Run env command and check the number of elements in the environment of env program. $ /usr/bin/env | wc -l 27 4. Invoke a new shell. $ /usr/sbin/sh 5. Run env command and check the number of elements in the environment of env program. $ /usr/bin/env | wc -l 17 Resolution: Now the code is modified to ensure that shell do not insert NULL in the environment for type defined, unitialized and imported variables. Instead it continues sending these variables to the child processes through A__z variable. 4. sh-posix shell verifies whether the command-line arguments contain any illegal multibyte characters and prints an error message & exit if it contains any illegal multibyte characters. While printing the error message, it is accessing a buffer for I/O which was not allocated and initialised. Hence it dumps core. The problem can be reproduced as follows: $ s=$( echo '\0364\060') LANG=ja_JP.SJIS ./sh -c $s Bus error(coredump) Resolution: The buffer for I/O is allocated and initialised before the shell tries to print the error message "invalid multibyte character" incase of having any illegal multibyte characters in the commandline. 5. Consecutive SIGWINCH within a short span can cause the shell to abort abruptly. The problem was due to the handler for SIGWINCH not checking the failure condition of a variable search. Failure of search resulted in shell accessing a null address causing BUS error. The problem cannot be reproduced at will. Resolution: The problem is resolved by ensuring that the variable search does not fail and also checking the return status of the search. PHCO_29768: 1. If SIGSTOP signal were to be delivered to a process, which was invoked from a script, the shell interpreting the script continues to process other commands without waiting for the stopped process. The problem can be reproduced as below $ cat ./script echo before sleep >/tmp/123 sleep 1000; echo after sleep >> /tmp/123 $ /usr/bin/sh ./script& $ ps |grep sleep |grep -v grep 11791 pts/1 0:00 sleep $ kill -STOP 11791 $ cat /tmp/123 before sleep after sleep $ Since the stopped process(11791) is not complete, the output file should not have contained "after sleep". Shell should continue with processing of other commands in the script only after waiting for completion of the stopped process. Resolution: Now shell waits for the completion of the stopped process if neither monitor nor interactive flags are set. 2. When a stopped process was sent a SIGNULL using the kill built-in, the stopped process was continuing. The problem can be reproduced as follows : $ stty susp $ sleep 50 $ jobs -l [1] + 28106 Stopped sleep 100 $ kill -s 0 28106 $ jobs -l [1] + 28106 Running sleep 100 $ SIGNULL should just check for access to a pid and not continue a stopped process. If a stopped process was delivered any signal other than stop signals, shell first sends a CONT signal followed by the respective signal. This resulted in a process continuing even for SIGNULL signal. Resolution: When a process is signalled a SIGNULL through kill built-in, shell will send only SIGNULL even if the process was a stopped process. 3. A shell script reading data from a coprocess might hang. The problem can be reproduced using $ cat script echo "hello" >/tmp/hello while : do date icount=1; grep hello /tmp/hello |& while read -p xyz do ((icount=icount + 1)) done done $ /usr/bin/sh ./script Mon Feb 23 12:19:17 IST 2004 Mon Feb 23 12:19:17 IST 2004 Mon Feb 23 12:19:17 IST 2004 ... This script might hang after random number of iterations. Under some circumstances, shell assumes that there is still some output of coprocess to be read even when coprocess has exited. Hence shell blocks reading trying to read from the coprocess. Resolution: Now, on the exit of a coprocess, shell updates itself so that shell does not perform a blocking read. 4. Shell should recognize numbers starting with 0 and 0x as octal and hexa-decimal respectively only if UNIX95 variable is defined. The problem can be reproduced as follows $ echo $UNIX95 $ typeset -i x $ let "x = 010" $ echo $x 8#10 Shell, being POSIX standards conformant, was ISOC standards compliant by default. Hence let "..", $((..)), ((..)) processes numbers starting with 0 and 0x as octal and hexa-decimal respectively. Resolution: In order to maintain compatibility with already existing scripts, shell follows ISOC standards for arithmetic operations in let "..", $((..)), ((..)), only when UNIX95 environment variable is defined. It is expected that standards compliant programs/scripts will define UNIX95 environmental variable. 5. In interactive shells, job control facility does not work for sequential lists. The problem can be reproduced as below. $ stty susp $ sleep 100; sleep 100 Monitor option is enabled in interactive shells by default. But when executing sequential lists, shell was temporarily resetting monitor option. This makes shell to ignore the suspend character. This problem is present in while, until, for, select constructs also. Resolution: Now shell does not set/reset the current value of the monitor option when executing sequential lists. 6. Shell might overwrite existing files even when noclobber option is set. The noclobber option of shell prevents truncating existing files. There was a small time gap between checking of existence of file and creation of the file. Hence if a file was created in this time gap, shell would overwrite the file even when noclobber option was set. Resolution: If noclobber option is set, shell now creates regular files in exclusive mode. Hence existing files, if any, will not be overwritten or truncated. PHCO_28831: 1. In a shell script, if 'return' is immediately followed by '&', and the script is sourced, all commands after 'return' will be executed twice. This problem can be reproduced using executable scripts: $ cat script1.sh #!/bin/sh . ./script2.sh $ cat script2.sh #!/bin/sh function b { return & } b echo hi $ ./script1.sh hi hi In the above output 'hi' is getting echoed twice. sh-posix(1) will fork a child for all the subshells and background jobs. Here the the 'return' builtin is executed as a child but instead of exiting, the child continues to execute the remaining script. Resolution : Code has been modified such that 'return' in a child environment exits. 2. When using trap after a non-builtin command executed with sh-posix(1) which is invoked with -c option, trap may not work as expected. The problem can be reproduced using the following command : $ /usr/bin/sh -c "trap 'echo hi' 0;uname -a;trap" HP-UX hostname B.11.00 U 9000/785 1234567890 \ unlimited-user license $ Note the trap settings are not displayed after 'uname -a'.sh-posix(1) uses flags and arrays to store the trap commands to be executed. When invoked with -c option, these trap flags were getting reset after calling a non builtin command('uname -a' in this case). Resolution : Now trap settings are stored in a separate buffer before execution of the non-builtin command and are restored back after execution. 3. Variable expansion inside here-doc may not happen correctly. The problem can be reproduced using executable scripts as follows : $ cat scr #!/usr/bin/sh # place 2046 characters, without space or newline # in between m=`perl -e 'print "x" x 2046'` >/dev/null 2>&1 # use the contents of above variable as input in # a here-document. $ . ./scr $ cat < actual $m eof $ echo $m> expected $ ll expected actual -rw-rw-rw- 1 root sys 4099 Jul 12 10:02 actual -rw-rw-rw- 1 root sys 2047 Jul 12 10:02 expected The result shows the difference in the size of the two files. You will see the intrusion of some extra characters in the actual file. During the expansion of variable $m inside a here-document the count used to keep track of the size of the buffer was not updated while appending the trailing 'NULL' character. As a result this NULL character was getting overwritten by some other data in certain conditions. Resolution: Now the code has been modified to take care of the 'NULL' character. 4. sh-posix(1) does not handle the file-system related failures correctly. Resolution: The code has been modified to fix the defect. PHCO_27344: 1. sh-posix(1) with '-c' option, leaves temporary files when heredoc is used in functions. Problem reproduction : -------------------- The problem can be reproduced as follows. $sh -c "function f { cat << eof here doc file eof } f " $ll /var/tmp/sh[0-9]*.[0-9]* /var/tmp/sh15042.1 The shell will do a vfork() in case of "sh -c " . When a heredoc is used inside a function, a flag is set indicating the presence of here-documents. In this case, the child from vfork() will reset the flag (which is shared by by parent as well) resulting in temporary files being left out. Resolution: A new condition is added before entering the code where vfork() is called, which will check whether the required flag is set. If the flag is set, for the script/command running with sh -c option, fork() is called instead of vfork(). Hence the flag of the parent shell doesn't get corrupted and the shell will delete the temporary files properly. 2. sh-posix(1) corrupts memory in emacs mode of editing. Problem reproduction: -------------------- 1. On a sh-posix(1) interactive shell set the editor mode to emacs. $ set -o emacs 2. Create and store a data to be yanked later. $ abcdefghijklmnopqrstuvwxyz

3. Type the command as shown below. $ ls aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.... 4. Insert the last word of the previous command repeatedly as shown below. $ <.><.><.><.> <.><.><.> 5. Now yank the previously stored item. $ The yanked data will be "aaaaaaaaaaaaaaaaaaa" instead of "abcdefghijklmnopqrstuvwxyz". Repeated typing of <.> in step 4 can cause sh-posix(1) to report memory fault. The problem was due to sh-posix(1) not checking the boundary limits of the input buffer when <.> is called resulting in buffer overflow. Resolution: The proper boundary check has been introduced for <.> . 3. Memory leakage in sh-posix(1) when using $! in a loop. Problem reproduction: -------------------- Following script will reproduce the problem : $cat scr while true do /usr/bin/sleep 15 >/dev/null & PID=$! wait $PID done $./scr The memory usage can be checked using top command.The memory usage increases cumulatively. In case of $!, a flag is set indicating that the pid is referenced. If this flag is set, the shell will not delete the entry for that pid assuming that the exit value might be required later. Resolution : Now the code is modified such that, when wait for a job is done at least once, the flag for that job is reset. The shell will delete the entry for that job (for which the flag is reset) when next background process is started. 4. sh-posix(1) -n reports "specified subscript cannot be greater than 1024". Problem reproduction: -------------------- Run the following script : $cat scr FILE[10]="scr1.JAGae36355" TF="File is ${FILE[10]}" echo $TF $/usr/bin/sh -n scr The following error message will be displayed : "FILE: The specified subscript cannot be greater than 1024." The problem was due to an uninitialized variable which was checked for having a value in the range 0-1024, resulting in the error message. Resolution: The code has been modified to initialize the variable at the declaration. Also the value of the variable is checked to be within the range when '-n' option is not specified. 5. Echo, built-in command of sh-posix(1) hangs. In sh-posix(1), output of long (>1024) multibyte string can cause the shell to loop or dump core. Problem reproduction: -------------------- 1. set the LANG env variable. $ export LANG=ja_JP.SJIS 2. Create a file as shown below and verify the cksum $ cat error.33640 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXwww wwwwwwwwwwww\n\n\n\n\n\t\t\t\t $ cksum error.33640 3058171378 1046 error.33640 3. set a variable msg to contents of above file and execute posix shell $ export msg=`cat error.33640` $ sh 4. echo the variables having the multibyte characters, shell may hang or dump core here. $ echo $msg\n $ echo $msg $ msg1=`cat error.33640` $ echo $msg1\n $ echo $msg1 $ echo $msg1\c 5. print the variables having the multibyte characters, shell may hang or dump core here. $ print $msg\n $ print $msg $ msg1=`cat error.33640` $ print $msg1\n $ print $msg1 $ print $msg1\c Under certain circumstances, an array was accessed out of bounds resulting in core dump or hang. Resolution: Code has been modified to ensure that the array in question will not be accessed out of bounds. 6. sh-posix(1)(child of telnetd) loops infinitely on stdin read() with EIO. Problem reproduction: -------------------- 1. Execute /usr/bin/sh 2. change PS1 (export PS1="----> ") 3. Set vi as the editor (set -o vi) Resize the shell window 145 times without giving any other input, shell may exit here. 4. Set the terminal mode as viraw (set -o viraw) Resize the shell window 145 times without giving any other input, shell may exit here. 5. Set the terminal mode as emacs (set -o emacs) Resize the shell window 145 times without giving any other input, shell may exit here. 6. Set the terminal mode as raw (set +o emacs) Resize the shell window 145 times without giving any other input, shell may exit here. Thus sh-posix(1) will loop indefinitely (and consume CPU) if: -the last signal sent to the shell was a SIGWINCH (window resize operation) -there is a communications problem such that the shells attempt to read(2) from stdin results in an EIO error. Resolution: An additional condition has been added for read(2), so that it will continue upon reception of SIGWINCH. 7. sh-posix(1) dumps core with SIGSEGV. Problem reproduction : -------------------- $cat scr #!/usr/bin/sh typeset -i I=0 foo() { CWD=`pwd` } while [ $I -lt 40000 ] do (( I = I + 1 )) foo done $ ./scr Shell will dump core here. The problem occurs only when the pid of the process and the serial no for each temporary file created, together exceed 9 characters. The temporary file will be created in the form of /var/tmp/sh.. Since the maximum allocated space for and together is 9 characters, when a temporary file is created whose name exceeds this limit, core dump occurs. Resolution : The size of the array that holds temporary file names is increased to accomodate maximum pid and maximum serial value . 8. PATH resolution problem in sh-posix(1). Problem reproduction : -------------------- # cat /tmp/test.sh echo bad one # ll /tmp/test.sh -rw-rw-rw- 1 root sys 13 Jan 17 17:17 /tmp/test.sh Here test.sh file is NOT executable # cat /root/test.sh #!/usr/bin/ksh echo Good one # ll /root/test.sh -rwxrwxrwx 1 root sys 29 Jan 17 17:18 /root/test.sh This one HAS execute permission and is the one that is expected to run. # PATH=/usr/bin:/tmp:/root # type test.sh test.sh is /root/test.sh # test.sh Good one This is an expected behavior, first test.sh in PATH has no execute permission and is ignored. # PATH=/usr/bin:/tmp:. # test.sh bad one This is an incorrect behavior. Thus the problem occurs when : - interactive shell is posix-sh - script begins with #!/usr/bin/ksh - the PATH statement leads to the execution of ./script The problem is because of incorrect path resolution by sh-posix(1) in the above case. Resolution : Code has been modified so resolve the path appropriately. In this case it will be ./. 9. sh-posix(1) removes here-doc before RHS of pipe can read it. Problem reproduction : --------------------- $ cat ./script #!/usr/bin/sh count=0 while [ count -ne 30000 ] do VAR=`echo value << end |grep -i value end` echo $VAR count=$((count+1)) done $ ./script sh-posix may give an error message /var/tmp/sh.: cannot open. In the above shell script on command substitution involving pipe forks a child to do the command substitution, which inturn forks another child for executing the LHS of the pipe while it executes the RHS of the pipe. Before execing the RHS it deletes all the temporary files created by it. The problem occurred because of race condition RHS removed the temporary files before the LHS could open it for reading. Please refer to the WARNINGS section of the sh-posix(1) manpage for more information about here-documents. Resolution : The problem is been solved by making the shell in RHS selective in removing the temporary files so that those files that are to be used and deleted in LHS are not deleted by RHS. 10.sh-posix(1) does not remove "here-documents". The problem was due to incorrect setting of a flag used to indicate here-documents. Problem reproduction : -------------------- Run the following script : $cat scr echo $$ SHELL=/usr/bin/sh $SHELL -c " cat << EOF | wc a EOF " The temporary files created for here-document will be left over. Resolution : The code has been modified to handle the removal of temporary files created by forked child process. 11.sh-posix(1) leaves temporary files behind. The problem occurs when here-doc is created in nested functions/scripts. A flag (used to indicate heredoc) was getting reset in case of nested function/scripts, as a result of which temporary files were leftout. Problem reproduction : --------------------- Run the following script. $cat scr #!/usr/bin/sh . ./func1 func1 $cat func1 func1() { . ./func2 } $cat func2 func2() { cat<<@ #Hello @ } $ ./scr The temporary file created for here-document will be left over. Resolution : A global flag has been introduced to resolve the problem. This flag will be set in the above case making sure that the shell will cleanup the temporary files. PHCO_26789: 1. With command line editor set to "vi", shell does not position the cursor properly when user tries to recall and edit a command that is greater than the width of the current terminal. This was due to improper positioning of the cursor by the shell on receiving . How to reproduce: step 1: invoke the shell /usr/bin/sh step 2: type "set -o vi" step 3: type "ls 1234567890 1234567890 1234567890 1234567890 1234567890" till command line is greater than the current terminal. step 4: now type ka The terminal will display $ ls 1234567890 1234567890 1234567890 1234567890 1234567890 123456789_ The output does not show the last 0 - unexpected. Now if the user tries to modify the command by pressing a combination of and to move to a particular column the command appears garbled and make it difficult to modify. Resolution: Now repositioning of the cursor on is handled properly. 2. The posix shell does display prompt properly when using the history feature in vi mode and certain escape sequences are embedded into the prompt string. The problem can be reproduced as follows: step1: Set the prompt. If running dtterm/xterm, PS1=`echo "\033]0;\`hostname\`\007"`$PS1 else if running hpterm PS1="$(echo '\033&f0a0k5Dte\007st')$ " step2: Type "set -o vi" step3: Type some valid commands. step4: Try to recall some commands using k. The prompt does not get displayed on k till we press return. This problem is because of shell trying to redraw the prompt string when a command is recalled using k. If the prompt string has non-printable characters redrawing the prompt can fail. Resolution: Now redrawing the prompt with escape character embedded in it is handled. 3. Shell does an improper newline deletion during command substitution. The user on entering $ echo "hello > $(echo)world" on command prompt obtains "helloworld" instead of $ hello world In general, trailing newlines are removed from the the output of command substitution removed. So, instead of removing trailing newlines resulting from command substitution shell is removing extra newlines not introduced by command substitution. Resolution: The fix is to remove only the trailing newlines obtained from command substitution. 4. Shell does not process expression inside $((..)) as per ISOC standards. Shell should process expression inside $((..)) as per ISOC standards [ i.e., numbers starting with 0 should be recognized as octal and starting with 0x or 0X should be recognized as hexadecimal]. The problem can be reproduced as follows: a. Type the following commands on command prompt. echo $((0x10)) let "a=0x10"; echo $a ((a=0x10)) ; echo $a The shell will give an error "sh: 0x10: The specified number is not valid for this command." instead of printing 16. b. Type the following command on command prompt. echo $((010)) let "a=010"; echo $a ((a=010)) ; echo $a The shell gives output "10" instead of "8". Resolution: Expressions inside $((..)) now recognize numbers starting with 0 and 0x as octal and hexadecimals. Since commands "let" and "((...))" are extensions provided by HP's shell, this functionality has been extended to these commands also. 5. Script using eval special builtin exits for ALL errors. This defect was introduced by a fix done in order to satisfy the sh-posix(1) man page on special commands. The problem can be reproduced as follows: Run the following script. Script - eval.sh. #!/usr/bin/sh count=1 while [ "$count" -ne 5 ] do eval cd /abc # /abc does not exist!!! count=$(($count+1)) done #script ends. The shell gives ./eval.sh[7]: /abc: not found instead of ./eval.sh[7]: /abc: not found ./eval.sh[7]: /abc: not found ./eval.sh[7]: /abc: not found ./eval.sh[7]: /abc: not found Resolution: Now eval does not exit for all errors. The manpage has been corrected to indicate that only certain errors cause a script that contains them to abort. 6. Shell creates temporary files with race condition. Resolution: The fix removed this race condition. 7. Shell hangs when directory names involving symbolic links are parsed (e.g: cd -P /bin, /bin is a symbolic link to /usr/bin) and the kernel is configured with AES compliance disabled. The problem can be reproduced as follows: step1: Modify the kernel to disable AES compliance (important) as follows: $ echo 'hpux_aes_override/W 1'| adb -w /stand/vmunix /dev/kmem step2: Run the below script few times. script starts here: #/usr/bin/sh PERL_PATHS="/bin" for path_item in $PERL_PATHS do if cd $path_item 2> /dev/null; then until [ "`pwd`" = "/" ] do cd -P .. # go up the *physical* path # to look for directories. if [ $? -ne 0 ]; then break fi done fi done #script ends. The shell hangs. The root cause for this hang is buffer overflow and heap corruption as some functions won't return a null terminated string when the kernel is configured with AES compliance disabled. Resolution: The buffer overflow and heap corruption is fixed. 8. Shell script sometimes exits with the message "invalid multibyte character", even when the input data contains valid multibyte characters. The problem can be reproduced as follows. step1: Set the locale to one of the multibyte locale (eg:- ja_JP.SJIS). step2: Run the below script 3 to 4 times. script starts here: #/usr/bin/sh typeset -i i let i=10#0 while [ i -ne 1000 ]; do AAA=$(cat ./datafile) i=i+1 done exit 0 #script ends here. File datafile is valid multibyte file. The shell script exits with the message "invalid multibyte character" The root cause for this problem is - incorrect input processing. When the shell that is reading the multibyte input data is interrupted due to a signal (e.g. When a child process terminates, the parent shell is sent a SIGCHLD), the index of the input data buffer was incremented even though no data was written into the buffer, thus introducing an invalid character in the buffer. This resulted in the error message - "invalid multibyte character" being output. Resolution: The fix is not to increment the index to the input data buffer when read() is interrupted by a signal. PHCO_23873: 1. sh-posix installs a signal handler for SIGWINCH. The signal handler tries to initialize variables which are not yet allocated, which is done after the signal handler is installed. SIGWINCH is blocked after the signal handler is installed. As a result, if SIGWINCH is received during the window between handler installation and signal blocking, the signal handler causes core dump. Resolution: The fix is to block the signal SIGWINCH before the signal handler is installed and release it after the required initialisations and memory allocations. 2. When a functon, that calls a return builtin immediately after executing a command, which is not a shell builtin, is executed with -c option, shell exits abruptly. Resolution: When the following shell script is executed, sh -c " function myfunc { ls return }; myfunc echo hello " only ls(1) is executed. Shell aborts while executing return inside myfunc(). This problem was caused due to global data corruption caused by the vfork'd child. Now, required data is saved before the vfork() and restored after the child execution to resolve the problem. PHCO_22537: 1. When REPLY is typeset in a function, a new scope is created for REPLY. But, read was initializing the input to the old scope of the REPLY. As a result, when REPLY was examined in the function, it is seen to be not initialized with the input. Resolution: Now, read takes care to initialize the value to the new scope of REPLY. 2. sh-posix received a SIGBUS under the circumstances at the customer's site because a pointer in a union was accessed which was not initialized. Resolution: The fix is to test if the union was initialized as the type for which this pointer should be initialized properly, and to skip the code that tries to use it if not. 3. When eval is part of the last element of a pipe, and there is an error in the execution of eval builtin, the command buffer gets corrupted and the script which is expected to exit since eval is a special builtin, does not exit, but continues to execute. Resolution: The problem is resolved by checking for special builtins, while deciding to return to the script on error. If special builtin is being processed, then decide to exit the script. At this point, the command buffer is cleared, so that the next command is not corrupted. 4. /usr/bin/sh used to exit (thus closing term) when it encounters SIGWINCH 12 times continuously. Resolution: Now sh does not exit on receival of SIGWINCH continuously for 12 times. 5. In vi mode, Esc k followed by "print..\c" option results in displaying the incorrect prompt string, and also incorrect positioning of the cursor. This is due to the use of an incorrect buffer. Resolution: Necessary changes are made to the code by using a flag, to prevent the corruption of the prompt string. PHCO_20816: 1. The sh-posix dumps core during startup, if SIGWINCH is sent before the initialization of the environment. Resolution: Now SIGWINCH is held (sighold) from being processed until the complete initialization of the environment is done by sh-posix. Once the initilization process is completed, SIGWINCH is released (sigrelse). 2. sh uses /tmp for creating temporary files for heredocs and sh doesnot find enough space in /tmp to store "here" document of large shar files. Resolution: Now sh is made to store heredocs in /var/tmp ( which is a much larger slice than /tmp ) if it exists, else it creates temporary files in /tmp slice. 3. sh-posix was giving an incorrect error message when a process group was killed. sh-posix was displaying the same error message both when a process or a process group was killed. Resolution: Now check is made before error message is thrown out, to differentiate between process and process group. 4. When the history file size is more than 4K and the file is older than 10 minutes, there is some unwanted recursion between the function which opens the history file and the function which trims the history file. Resolution: The resolution involves avoiding this unwanted recursion by using a global flag. 5. When the command size in .sh_history file is greater than 5KB, sh-posix dumps core. This problem is due to an array buffer overflow. Resolution: Now this array allocation has been changed to dynamic allocation & this fixes the problem. PHCO_19054: 1. The previous patch for 11.00 posix shell, PHCO_18447, saved previous install data in an undocumented directory. It should save the data in the standard directory. Resolution: The patch scripts have been modified to save the previous install data in the correct directory. 2. If SIGHUP is trapped and a SIGHUP signal received, sh-posix(1) exits after executing the trap. It should continue to run instead. Resolution: sh-posix(1) was deliberately exiting after executing the trap for SIGHUP. This part of the code has now been eliminated, so that it continues to execute. 3. File name generation in sh-posix(1) fails for large files. When ls and ll commands are used with wildcards from root directory to list large files (greater than 2 GB) residing in subdirectories, sh-posix(1) fails to find the files. Resolution: sh-posix(1) uses the regular system calls like lstat() to find files during wild card expansion. In order that this works correctly for large files, the corresponding large file interface like lstat64() needs to be used. 4. In posix shell, for multibyte locales, the combination of builtin commands echo and read do not maintain the correct cursor location. The shell looses the contents of the line when a backspace is used. Resolution: This problem is fixed now by making the shell remember the contents of the line and display it whenever the line is redrawn. As a result, when a backspace is entered, the contents of the input line are displayed correctly. PHCO_18447: 1. After cold-installation of a 11.00 patch bundle, swverify gives out errors regarding mismatch in size and time of file /sbin/sh. Posix shell patch PHCO_17321 which is one of the patches in the bundle, installs /sbin/sh. The OS-Core.UX-CORE configure script which runs after the system reboots, overwrites /sbin/sh with the shell in /usr/newconfig/sbin/sh. As a result, swverify gives out errors regarding size and mtime of /sbin/sh. Resolution: The posix shell patch now installs the shell in /usr/newconfig/sbin/sh and conditionally copies it to /sbin/sh only in case of non-OS upgradations. In case of OS upgradations, the OS-Core.UX-CORE configure script copies /usr/newconfig/sbin/sh to /sbin/sh. 2. Filename pattern match and case pattern match fail in posix shell. Posix shell does not follow the collating order during filename pattern match and case pattern match. It incorrectly follows the values defined by the respective code set, for the characters in the patterns. Resolution: The posix shell is now made to use collating order for the locales instead of the values defined by the codeset while parsing filename patterns and case patterns. 3. Posix shell dumps core while executing scripts having large number of heredocs. Resolution: Posix shell was accessing beyond the limits of an I/O structure which stored information about open files. This has been set right now. PHCO_17321: 1. Posix shell aborts on receipt of SIGWINCH while executing functions, if the signal is not trapped by the script. 2. Posix shell dumps core at times when executing non-interpreter scripts, i.e. scripts without a #! line in the beginning, through "sh -c". 3. Posix shell allows only once to source a file that has a name identical to the name of a function contained in the file. Any subsequent attempt to source the same file nothing happens. Here is an example. $ more les echo executing from les file function les { echo les } $ . les /* works fine first time */ executing from les file $ . les /* doesn't work second time */ 4. Behavior of posix shell has changed in 11.00 from the 10.10 posix shell with respect to command substitution in while list. The following script behaves differently on a 10.10 and 11.00 HP-UX. #!/usr/bin/sh while `read line` do echo $line done < /etc/copyright On a 10.10 machine, the above script displays the contents of file /etc/copyright. On 11.00 the script displays the first line in the file and exits with error message - "./scr[2]: c)Copyright: not found." 5. Posix shell may go into an infinite loop if it receives a signal when it is not in idle state. 6. Posix shell does not handle command substitution involving variables of length 2047, 3071, etc. correctly. In the following command, where variable 'stuff' is assigned a string of length 2047, the contents of resulting string 'str' will be the last 1023 bytes of 'stuff'. str=`echo $stuff` 7. Posix shell displays wrong value for ulimit -Sc. 'ulimit -Sc' command shows corefile size as 4290772993. The sh-posix man page says that this is the number of 512-byte blocks in the size of core dumps. But getrlimit() shows the corefile size - 2147483646. 4290772993 * 512 = 2196875772420 differs from 2147483646... Moreover, it doesn't accept this number as input: $ ulimit -Sc 4290772993 sh: ulimit: The specified number is not valid for this command. This limitation is 4194303. 9. posix shell looses values of variables initialized as a prefix to invoking a script in a subshell. The following commands do not work as expected. /usr/bin/sh -c "TERM=450 ./script" and /usr/bin/sh "TERM=450 ./script" script: echo $TERM The output from the two commands should be 450, but it actually is the value of TERM variable that was before executing the command (Eg. xterm). 9. Posix shell does not reliably process SIGCLD when waiting for input in vi/emacs mode. For eg. It ignores the SIGCLDs received when a background job terminates, while waiting for input in vi/emacs mode. As a result, the zombies are seen in the process list till an is input on the terminal that started the job. 10. If set -e is ON, sh-posix should exit on encountering errors during processing the word list in a for/case statements. Also, when the last command in a pipe list fails it should exit if set -e is on. Currently it is not happening. Scripts like the following should exit on error. set -e for i in `sort a_non_existent_file` do echo Hello $i done echo "return code is " $? " -> Should not display this." 11. When the input to posix shell has invalid multibyte sequence, it exits without notifying the user. PHCO_13363: Invalid echo back on read when LANG is set to ja_JP.SJIS. Enhancement: No (superseded patches contained enhancements) PHCO_26789: Shell now recognizes octal and hexa numbers inside arithmetic expression. SR: 8606350816 8606352475 8606361136 8606352482 8606356645 8606340904 8606335497 8606333808 8606329129 8606306267 8606303906 8606298128 8606291857 8606287774 8606285956 8606277532 8606276501 8606274899 8606272215 8606269405 8606265151 8606261003 8606234492 8606234035 8606229085 8606226614 8606211270 8606204395 8606204298 8606199752 8606198269 8606198219 8606187645 8606187216 8606183159 8606179356 8606165046 8606156760 8606156063 8606147088 8606130237 8606126833 8606113680 8606108349 8606108325 8606100826 5003464628 5003442533 5003427922 5003424754 5003404186 4701424424 4701424341 4701413922 4701403345 1653306878 1653299891 1653298927 1653288449 1653280933 1653271627 1653266940 1653264812 1653249557 1653245894 1653240390 1653239608 1653238170 1653236851 1653192930 Patch Files: OS-Core.CORE-ENG-A-MAN,fr=B.11.00,fa=HP-UX_B.11.00_32/64, v=HP: /usr/share/man/man1.Z/sh-posix.1 OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP: /usr/lib/nls/msg/C/psh.cat /usr/bin/rsh /usr/bin/sh /usr/newconfig/sbin/sh what(1) Output: OS-Core.CORE-ENG-A-MAN,fr=B.11.00,fa=HP-UX_B.11.00_32/64, v=HP: /usr/share/man/man1.Z/sh-posix.1: None OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP: /usr/lib/nls/msg/C/psh.cat: None OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP: /usr/bin/rsh: Version M-11/16/88f $Revision: 82.6.1.92 $ PATCH_11_00: builtin.o echo.o macro.o msg.o cmd.o pr int.o service.o tilde.o xec.o main.o name.o adjust.o args.o arith.o assign.o assnum.o ca nnon.o chkid.o convert.o ctype.o defs.o edit .o emacs.o error.o expand.o fault.o findnod. o gettree.o growaray.o gsort.o history.o hpu x_rel.o io.o jobs.o linknod.o namscan.o optg et.o rjust.o stak.o strdata.o streval.o stri ng.o strmatch.o test.o unassign.o utos.o val up.o vi.o word.o 04/07/06 OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP: /usr/bin/sh: Version M-11/16/88f $Revision: 82.6.1.92 $ PATCH_11_00: builtin.o echo.o macro.o msg.o cmd.o pr int.o service.o tilde.o xec.o main.o name.o adjust.o args.o arith.o assign.o assnum.o ca nnon.o chkid.o convert.o ctype.o defs.o edit .o emacs.o error.o expand.o fault.o findnod. o gettree.o growaray.o gsort.o history.o hpu x_rel.o io.o jobs.o linknod.o namscan.o optg et.o rjust.o stak.o strdata.o streval.o stri ng.o strmatch.o test.o unassign.o utos.o val up.o vi.o word.o 04/07/06 OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP: /usr/newconfig/sbin/sh: Version M-11/16/88f $Revision: 82.6.1.92 $ $ PATCH/11.00:PHCO_19491 Aug 9 1999 09:51:13 $ PATCH_11_00: builtin.o echo.o macro.o msg.o cmd.o pr int.o service.o tilde.o xec.o main_C.o name_ C.o adjust.o args.o arith.o assign.o assnum. o cannon.o chkid.o convert.o ctype.o defs.o edit.o emacs.o error.o expand.o fault.o find nod.o gettree.o growaray.o gsort.o history.o hpux_rel.o io.o jobs.o linknod.o namscan.o optget.o rjust.o stak.o strdata.o streval.o string.o strmatch.o test.o unassign.o utos.o valup.o vi.o word.o 04/07/06 cksum(1) Output: OS-Core.CORE-ENG-A-MAN,fr=B.11.00,fa=HP-UX_B.11.00_32/64, v=HP: 1505028874 45197 /usr/share/man/man1.Z/sh-posix.1 OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP: 220756868 5976 /usr/lib/nls/msg/C/psh.cat OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP: 400272257 221184 /usr/bin/rsh OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP: 400272257 221184 /usr/bin/sh OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP: 3796721014 425984 /usr/newconfig/sbin/sh Patch Conflicts: None Patch Dependencies: s700: 11.00: PHCO_28316 s800: 11.00: PHCO_28316 Hardware Dependencies: None Other Dependencies: None Supersedes: PHCO_13363 PHCO_17321 PHCO_18447 PHCO_19054 PHCO_20816 PHCO_22537 PHCO_23873 PHCO_26789 PHCO_27344 PHCO_28831 PHCO_29768 Equivalent Patches: None Patch Package Size: 480 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHCO_31160 5. Run swinstall to install the patch: swinstall -x autoreboot=true -x patch_match_target=true \ -s /tmp/PHCO_31160.depot By default swinstall will archive the original software in /var/adm/sw/save/PHCO_31160. If you do not wish to retain a copy of the original software, include the patch_save_files option in the swinstall command above: -x patch_save_files=false WARNING: If patch_save_files is false when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. For future reference, the contents of the PHCO_31160.text file is available in the product readme: swlist -l product -a readme -d @ /tmp/PHCO_31160.depot To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHCO_31160.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None