tar 1.29 hangs, when run with strace, it exits with "illegal instruction"

tar 1.29 hangs, when run with strace, it exits with "illegal instruction"

[Keith Christian]

[-- Attachment #1: Type: text/plain, Size: 380 bytes --]

I am able to run "tar ft somefile.tar" successfully on a Linux
machine, same tar version (1.29.)

This version hangs up the terminal, does not respond to Ctrl-C or
Ctrl-Z, and terminates with an illegal instruction to the screen, not
reflected in the strace output.

File cygwin_tar_1_29_illegal_instruction.txt is attached with strace
output, version, and "cygcheck tar" output.

[-- Attachment #2: cygwin_tar_1_29_illegal_instruction.txt --]
[-- Type: text/plain, Size: 6965 bytes --]


Wed, Aug 07, 2019 12:15:25 PM

I am able to run "tar ft somefile.tar" successfully on a Linux machine, same tar version (1.29.)

This version hangs up the terminal, does not respond to Ctrl-C or Ctrl-Z, and terminates with an illegal instruction to the screen, not reflected in the strace output.

Invocation:

-------------------------------------------
strace -o tartrace01 tar ft sometarfile.tar
-------------------------------------------


--- Process 77604 created
--- Process 77604 loaded C:\Windows\SysWOW64\ntdll.dll at 77040000
--- Process 77604 unloaded DLL at 76d60000
--- Process 77604 unloaded DLL at 747b0000
--- Process 77604 unloaded DLL at 76d60000
--- Process 77604 unloaded DLL at 76c60000
--- Process 77604 loaded C:\Windows\SysWOW64\kernel32.dll at 747b0000
--- Process 77604 loaded C:\Windows\SysWOW64\KernelBase.dll at 748c0000
--- Process 77604 loaded C:\Windows\SysWOW64\sysfer.dll at 740d0000
--- Process 77604 loaded C:\Windows\SysWOW64\advapi32.dll at 76aa0000
--- Process 77604 loaded C:\Windows\SysWOW64\msvcrt.dll at 75630000
--- Process 77604 loaded C:\Windows\SysWOW64\sechost.dll at 74750000
--- Process 77604 loaded C:\Windows\SysWOW64\rpcrt4.dll at 74a80000
--- Process 77604 loaded C:\Windows\SysWOW64\sspicli.dll at 746f0000
--- Process 77604 loaded C:\Windows\SysWOW64\cryptbase.dll at 746e0000
--- Process 77604 loaded C:\cygwin\bin\cygwin1.dll at 61000000
--- Process 77604 loaded C:\cygwin\bin\cygiconv-2.dll at 2b5e0000
--- Process 77604 loaded C:\cygwin\bin\cygintl-8.dll at 1e120000
--- Process 77604 loaded C:\cygwin\bin\cyggcc_s-1.dll at 6ea20000
--- Process 77604 loaded C:\Windows\SysWOW64\apphelp.dll at 73f10000
--- Process 77604 loaded C:\Windows\AppPatch\AcLayers.dll at 742b0000
--- Process 77604 loaded C:\Windows\SysWOW64\user32.dll at 75380000
--- Process 77604 loaded C:\Windows\SysWOW64\gdi32.dll at 752f0000
--- Process 77604 loaded C:\Windows\SysWOW64\lpk.dll at 756e0000
--- Process 77604 loaded C:\Windows\SysWOW64\usp10.dll at 769f0000
--- Process 77604 loaded C:\Windows\SysWOW64\shell32.dll at 758b0000
--- Process 77604 loaded C:\Windows\SysWOW64\shlwapi.dll at 76b90000
--- Process 77604 loaded C:\Windows\SysWOW64\ole32.dll at 754c0000
--- Process 77604 loaded C:\Windows\SysWOW64\oleaut32.dll at 75810000
--- Process 77604 loaded C:\Windows\SysWOW64\userenv.dll at 76500000
--- Process 77604 loaded C:\Windows\SysWOW64\profapi.dll at 76590000
--- Process 77604 loaded C:\Windows\SysWOW64\winspool.drv at 69560000
--- Process 77604 loaded C:\Windows\SysWOW64\mpr.dll at 73ee0000
--- Process 77604 loaded C:\Windows\SysWOW64\psapi.dll at 76c50000
    2       2 [main] tar (77604) **********************************************
  126     128 [main] tar (77604) Program name: C:\cygwin\bin\tar.exe (windows pid 77604)
   52     180 [main] tar (77604) OS version:   Windows NT-6.1
   48     228 [main] tar (77604) **********************************************
--- Process 77604 loaded C:\Windows\SysWOW64\advapi32.dll at 00350000
--- Process 77604 unloaded DLL at 00350000
--- Process 77604 loaded C:\Windows\SysWOW64\advapi32.dll at 00350000
--- Process 77604 unloaded DLL at 00350000
 1327    1555 [main] tar (77604) sigprocmask: 0 = sigprocmask (0, 0x0, 0x6129778C)
  476    2031 [main] tar (77604) open_shared: name shared.5, n 5, shared 0x60FF0000 (wanted 0x60FF0000), h 0xCC, *m 6
   66    2097 [main] tar (77604) user_heap_info::init: heap base 0x80000000, heap top 0x80000000, heap size 0x18000000 (402653184)
   67    2164 [main] tar (77604) open_shared: name S-1-5-21-2052111302-448539723-1801674531-969217.1, n 1, shared 0x60FE0000 (wanted 0x60FE0000), h 0xC8, *m 6
   44    2208 [main] tar (77604) user_info::create: opening user shared for 'S-1-5-21-2052111302-448539723-1801674531-969217' at 0x60FE0000
   27    2235 [main] tar (77604) user_info::create: user shared version AB1FCCE8
   51    2286 [main] tar (77604) fhandler_pipe::create: name \\.\pipe\cygwin-c5e39b7a9d22bafb-77604-sigwait, size 5412, mode PIPE_TYPE_MESSAGE
   49    2335 [main] tar (77604) fhandler_pipe::create: pipe read handle 0xE0
   22    2357 [main] tar (77604) fhandler_pipe::create: CreateFile: name \\.\pipe\cygwin-c5e39b7a9d22bafb-77604-sigwait
   44    2401 [main] tar (77604) fhandler_pipe::create: pipe write handle 0xE4
   27    2428 [main] tar (77604) dll_crt0_0: finished dll_crt0_0 initialization
--- Process 77604 loaded C:\Windows\SysWOW64\imm32.dll at 76520000
--- Process 77604 unloaded DLL at 76520000
--- Process 77604 loaded C:\Windows\SysWOW64\imm32.dll at 76520000
--- Process 77604 loaded C:\Windows\SysWOW64\msctf.dll at 767e0000
--- Process 77604 unloaded DLL at 767e0000
--- Process 77604 loaded C:\Windows\SysWOW64\msctf.dll at 767e0000
--- Process 77604, exception c000001d at 7411eca6
--- Process 77604 exited with status 0xc000001d




--------------------
tar --version output
--------------------
tar (GNU tar) 1.29
Packaged by Cygwin (1.29-1)
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.




-------------------
cygcheck tar output
-------------------
Found: C:\cygwin\bin\tar.exe
Found: C:\cygwin\bin\tar.exe
C:\cygwin\bin\tar.exe
  C:\cygwin\bin\cygwin1.dll
    C:\windows\system32\KERNEL32.dll
      C:\windows\system32\API-MS-Win-Core-RtlSupport-L1-1-0.dll
      C:\windows\system32\ntdll.dll
      C:\windows\system32\KERNELBASE.dll
      C:\windows\system32\API-MS-Win-Core-ProcessThreads-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Heap-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Memory-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Handle-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Synch-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-File-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-IO-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-ThreadPool-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-LibraryLoader-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-NamedPipe-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Misc-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-SysInfo-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Localization-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-String-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Debug-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-ErrorHandling-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Fibers-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Util-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Core-Profile-L1-1-0.dll
      C:\windows\system32\API-MS-Win-Security-Base-L1-1-0.dll
  C:\cygwin\bin\cygiconv-2.dll
  C:\cygwin\bin\cygintl-8.dll
  C:\cygwin\bin\cyggcc_s-1.dll


[-- Attachment #3: Type: text/plain, Size: 219 bytes --]


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: tar 1.29 hangs, when run with strace, it exits with "illegal instruction"

[Brian Inglis]

On 2019-08-07 12:20, Keith Christian wrote:
> I am able to run "tar ft somefile.tar" successfully on a Linux
> machine, same tar version (1.29.)
> 
> This version hangs up the terminal, does not respond to Ctrl-C or
> Ctrl-Z, and terminates with an illegal instruction to the screen, not
> reflected in the strace output.
> 
> File cygwin_tar_1_29_illegal_instruction.txt is attached with strace
> output, version, and "cygcheck tar" output.

Works just fine for me:

$ tar ft Downloads/nam.dist.tar
README
demo/
...

You may have some http://www.cygwin.com/acronyms/#BLODA interfering like an AV.
  The strace shows tar fails in sysfer.dll, which is part of Symantec Endpoint
Protection CMC Firewall Application and Device Control, badly written from the
number of complaints about it, and as usual with these control and monitoring
products, they greatly slow down systems and interfere with work.
Deinstall SEP or bypass your cygwin directories.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: tar 1.29 hangs, when run with strace, it exits with "illegal instruction"

[Keith Christian]

Thanks for responding, Brian.

Cygwin is on a corporate machine so disabling anything will not be
easy or allowed.  Can you explain "bypass cygwin directories?"

Cygwin's tar worked recently so must be an "enhancement" in the
security software or some change in tar that is frowned upon.  I see
no evidence of Symantec Endpoint software, must be different AV
software.

On Wed, Aug 7, 2019 at 9:33 PM Brian Inglis
<Brian.Inglis@systematicsw.ab.ca> wrote:
>
> On 2019-08-07 12:20, Keith Christian wrote:
> > I am able to run "tar ft somefile.tar" successfully on a Linux
> > machine, same tar version (1.29.)
> >
> > This version hangs up the terminal, does not respond to Ctrl-C or
> > Ctrl-Z, and terminates with an illegal instruction to the screen, not
> > reflected in the strace output.
> >
> > File cygwin_tar_1_29_illegal_instruction.txt is attached with strace
> > output, version, and "cygcheck tar" output.
>
> Works just fine for me:
>
> $ tar ft Downloads/nam.dist.tar
> README
> demo/
> ...
>
> You may have some http://www.cygwin.com/acronyms/#BLODA interfering like an AV.
>   The strace shows tar fails in sysfer.dll, which is part of Symantec Endpoint
> Protection CMC Firewall Application and Device Control, badly written from the
> number of complaints about it, and as usual with these control and monitoring
> products, they greatly slow down systems and interfere with work.
> Deinstall SEP or bypass your cygwin directories.
>
> --
> Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
>
> This email may be disturbing to some readers as it contains
> too much technical detail. Reader discretion is advised.
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: tar 1.29 hangs, when run with strace, it exits with "illegal instruction"

[Brian Inglis]

On 2019-08-09 13:13, Keith Christian wrote:
> On Wed, Aug 7, 2019 at 9:33 PM Brian Inglis wrote:
>> On 2019-08-07 12:20, Keith Christian wrote:
>>> I am able to run "tar ft somefile.tar" successfully on a Linux
>>> machine, same tar version (1.29.)
>>>
>>> This version hangs up the terminal, does not respond to Ctrl-C or
>>> Ctrl-Z, and terminates with an illegal instruction to the screen, not
>>> reflected in the strace output.
>>>
>>> File cygwin_tar_1_29_illegal_instruction.txt is attached with strace
>>> output, version, and "cygcheck tar" output.
>>
>> Works just fine for me:
>>
>> $ tar ft Downloads/nam.dist.tar
>> README
>> demo/
>> ...
>>
>> You may have some http://www.cygwin.com/acronyms/#BLODA interfering like an AV.
>> The strace shows tar fails in sysfer.dll, which is part of Symantec Endpoint
>> Protection CMC Firewall Application and Device Control, badly written from the
>> number of complaints about it, and as usual with these control and monitoring
>> products, they greatly slow down systems and interfere with work.
>> Deinstall SEP or bypass your cygwin directories.
> Cygwin is on a corporate machine so disabling anything will not be
> easy or allowed.  Can you explain "bypass cygwin directories?"
>
> Cygwin's tar worked recently so must be an "enhancement" in the
> security software or some change in tar that is frowned upon.  I see
> no evidence of Symantec Endpoint software, must be different AV
> software.

Change the AV settings to ignore the file types or directories that cause issues.

SEP includes sysfer.dll, but you may not see much evidence of the product in a
centralized corporate control and monitoring environment, designed solely to
monitor everything and prevent any threat.

The problem is SEP sysfer.dll has a bug which executes an illegal instruction,
probably by calling a method via a bad pointer, incorrectly set up or clobbered
earlier by the AV, while interfering with tar's operation.

The difference may be in what the tar file contains.
A lot of Windows products block file types rather than file contents.

Untarring, renaming (as ...#.dat), and retarring under Linux (with the old and
new names in a manifest or a script to rename back) can often bypass dumb checks.

Some of their "advanced", "smart", or "AI" products or features attempt blocks
if certain data contents are seen or calls are made as they are considered
problematic and characteristic of malware: of course, most are false positives!

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple