Bug 1123907 - Segfault using "shar" command [NEEDINFO]
Summary: Segfault using "shar" command
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sharutils
Version: 5.10
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Petr Pisar
QA Contact: Leos Pol
Depends On:
Reported: 2014-07-28 15:30 UTC by jstephen
Modified: 2018-12-06 17:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-06-12 08:08:36 UTC
jorton: needinfo? (jstephen)

Attachments
core file (536.00 KB, application/octet-stream)
2014-07-28 15:30 UTC, jstephen
Reproducer (118 bytes, text/plain)
2014-07-29 11:24 UTC, Petr Pisar
Fix ported from 4.7 (1.21 KB, patch)
2014-07-29 11:31 UTC, Petr Pisar

Description jstephen 2014-07-28 15:30:10 UTC
Created attachment 921794 [details]
core file

Description of problem:
shar crashes when using '-l' argument

Version-Release number of selected component (if applicable):

How reproducible:
100% of the time

Steps to Reproduce:
1.  shar -l786432 -o /apps2/SOA.sh /apps/opt/weblogic/weblogic103mp6/Oracle_SOA1 oracle_common oraInventory

Actual results:
This fails with a memory fault when we use the -I option; core file attached.

Expected results:
No crash

Additional info:

 shar  -o /apps2/SOA.sh /apps/opt/weblogic/weblogic103mp6/Oracle_SOA1 oracle_common oraInventory  ---This command works fine.

 shar -l786432 -o /apps2/SOA.sh /apps/opt/weblogic/weblogic103mp6/Oracle_SOA1 oracle_common oraInventory --- this fails with Memory fault when we use -I option

The memory fault occurs with the -l option when it begins creating the 2nd output file.  We have tried with values up to 3900000 and received the same memory fault, but 4000000 worked fine (and created a file 3951525k).  In other words, whenever it needs to create the 2nd file, it encounters the memory fault, but if it only needs 1 file to contain all of the output, it works fine. The total size of all input files combined is just under 4gb.  The -l option fails when creating the 2nd file, even if the -l value is only 1k less than the total size


Core was generated by `shar -l786432 -o /apps2/SOA.sh /apps/opt/weblogic/weblogic103mp6/Oracle_SOA1 or'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000003000478480 in strlen () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003000478480 in strlen () from /lib64/libc.so.6
#1  0x0000003000446aae in _IO_vfprintf_internal (s=0x58d80f0, format=<value optimized out>, ap=0x7fff197ecdb0) at vfprintf.c:1590
#2  0x00000030004e680b in ___fprintf_chk (fp=0x6d2a, flag=1, format=0x0) at fprintf_chk.c:37
#3  0x000000000040296f in change_files (restore_name=<value optimized out>, remaining_size=<value optimized out>) at shar.c:1028
#4  0x00000000004041eb in shar (local_name=0x5908590 "/apps/opt/weblogic/weblogic103mp6/Oracle_SOA1/bam/modules/oracle.bam_11.1.1/oracle-bam-common.jar", 
    restore_name=0x59091a0 "/apps/opt/weblogic/weblogic103mp6/Oracle_SOA1/bam/modules/oracle.bam_11.1.1/oracle-bam-common.jar") at shar.c:1082
#5  0x0000000000402556 in walkdown (routine=0x403cd0 <shar>, local_name=0x5909c70 "/apps/opt/weblogic/weblogic103mp6/Oracle_SOA1/bam/modules/oracle.bam_11.1.1", restore_name=<value optimized out>) at shar.c:482
#6  0x0000000000402556 in walkdown (routine=0x403cd0 <shar>, local_name=0x59082b0 "/apps/opt/weblogic/weblogic103mp6/Oracle_SOA1/bam/modules", restore_name=<value optimized out>) at shar.c:482
#7  0x0000000000402556 in walkdown (routine=0x403cd0 <shar>, local_name=0x58d95f0 "/apps/opt/weblogic/weblogic103mp6/Oracle_SOA1/bam", restore_name=<value optimized out>) at shar.c:482
#8  0x0000000000402556 in walkdown (routine=0x403cd0 <shar>, local_name=0x7fff197f3120 "/apps/opt/weblogic/weblogic103mp6/Oracle_SOA1", restore_name=<value optimized out>) at shar.c:482
#9  0x00000000004026e5 in walktree (routine=0x403cd0 <shar>, local_name=0x7fff197f4b7e "/apps/opt/weblogic/weblogic103mp6/Oracle_SOA1") at shar.c:562
#10 0x00000000004036df in main (argc=7, argv=0x7fff197f3458) at shar.c:2305

Comment 1 RHEL Product and Program Management 2014-07-28 15:57:59 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 2 Petr Pisar 2014-07-29 07:55:50 UTC
There seems to be a bogus number of arguments passed to fprintf() in src/shar.c:change_files():

    static const char part_z[] =
      "part %02d of %s ";
    char *nm = archive_name ? archive_name : "a multipart";
    char *pz = xmalloc (sizeof(part_z) + strlen(nm) + 16);
    sprintf (pz, part_z, part_number, nm);
→   fprintf (output, file_leader_z, pz, "", sharpid);
    free (pz);

where file_leader_z is a constant formatting string defined as:

static const char file_leader_z[218] =
#line 89 "scripts.def"
# This is %s%s archive (produced by GNU %s %s).\n\
# To extract the files from this archive, save it to some FILE, remove\n\
# everything before the `#!/bin/sh' line above, then type `sh FILE'.\n\

It looks like file_leader_z was augmented with the third and fourth %s, but this usage (shar.c:1028) was not updated, whereas the other usage somewhere else (shar.c:892) is correct:

$ vi scripts.x 
petr@dhcp-0-146:~/rhel/sharutils/sharutils-4.6.1/src $ grep -Hnr file_leader_z
shar.c:892:    fprintf (output, file_leader_z, pz, ch, PACKAGE, VERSION, sharpid);
shar.c:1028:    fprintf (output, file_leader_z, pz, "", sharpid);
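
The argument mismatch described in comment 2 can be checked mechanically. The following is an added example, not code from sharutils or from this bug report: it records which arguments a printf-style format consumes and reports the first one a call site fails to supply. `count_format_args`, `first_mismatch` and `leader_line` are hypothetical names, and treating `sharpid` as an `int` is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Record the conversion character of each argument a printf-style format
 * consumes ('*' marks an int taken by a '*' width or precision). Returns the
 * count, or -1 for a truncated format or more than max arguments.
 * Positional ("%1$s") conversions are not handled. */
int count_format_args(const char *fmt, char *kinds, int max)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%' || *++p == '%')          /* plain text, or literal "%%" */
            continue;
        for (; *p && strchr("-+ #0123456789.*", *p); p++)  /* flags, width, precision */
            if (*p == '*') {
                if (n >= max) return -1;
                kinds[n++] = '*';
            }
        while (*p && strchr("hlLjzt", *p))     /* length modifiers */
            p++;
        if (*p == '\0' || n >= max)
            return -1;
        kinds[n++] = *p;
    }
    return n;
}

/* Index of the first conversion whose argument is missing or of another kind,
 * -1 if all are satisfied, -2 if fmt cannot be parsed. One char per argument. */
int first_mismatch(const char *fmt, const char *supplied)
{
    char kinds[32];
    int need = count_format_args(fmt, kinds, (int)sizeof kinds);
    if (need < 0) return -2;
    for (int i = 0; i < need; i++)
        if ((size_t)i >= strlen(supplied) || supplied[i] != kinds[i])
            return i;
    return -1;
}

/* First line of file_leader_z as quoted in comment 2; the rest is not on the page. */
static const char leader_line[] =
    "# This is %s%s archive (produced by GNU %s %s).\n";

int main(void)
{
    /* Assumption: sharpid is an int ('d'); the other arguments are strings. */
    printf("shar.c:1028 -> %d\n", first_mismatch(leader_line, "ssd"));
    printf("shar.c:892  -> %d\n", first_mismatch(leader_line, "ssssd"));
    return 0;
}
```

For the call at shar.c:1028 the first mismatch is the third argument, where `sharpid` is read by a `%s`; this agrees with the `strlen` frame at the top of the backtrace.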

Comment 3 Petr Pisar 2014-07-29 11:24:03 UTC
Created attachment 922113 [details]

Comment 4 Petr Pisar 2014-07-29 11:31:32 UTC
Created attachment 922115 [details]
Fix ported from 4.7

Comment 5 Petr Pisar 2014-07-29 11:36:20 UTC
RHEL 6 and 7 are not affected.
