openjdk team mailing list archive

[Bug 419018] Re: buffer overflow in debugger's socket handler

This bug was fixed in the package openjdk-6 - 6b16-1.6~pre2-0ubuntu1

---------------
openjdk-6 (6b16-1.6~pre2-0ubuntu1) karmic; urgency=low

  * Update IcedTea from the 1.6 release branch:
    - Fix buffer overflow in debugger's socket handler (Kees Cook).
      https://bugs.openjdk.java.net/show_bug.cgi?id=100103. LP: #409736.
    - plugin fixes.
  * Move the pulseaudio recommendation to a suggestion, don't build-depend
    on pulseaudio.
  * Build for armv6 (on armel).

  [ Kees Cook ]
  * debian/rules: Re-enable fortification and stack protector
    (LP: #330713).
  * Adding stack markings to the x86 assembly for not using executable
    stack. LP: #419018.

 -- Matthias Klose <doko@xxxxxxxxxx>   Fri, 28 Aug 2009 18:51:34 +0200

** Changed in: openjdk-6 (Ubuntu)
       Status: New => Fix Released

-- 
buffer overflow in debugger's socket handler
https://bugs.launchpad.net/bugs/419018
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.

Status in OpenJDK: Unknown
Status in “openjdk-6” package in Ubuntu: Fix Released

Bug description:
When compiled with fortification:
$ /usr/lib/jvm/java-6-openjdk/jre/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=50701 Exit0 &
[1] 8785
Listening for transport dt_socket at address: 50701
$ echo -n "Here's a poke in the eye" | nc -v localhost 50701
*** buffer overflow detected ***: /usr/lib/jvm/java-6-openjdk/jre/bin/java terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x40)[0xf7ed7a90]
/lib/libc.so.6[0xf7ed6aa0]
/lib/libc.so.6[0xf7ed5dca]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/libdt_socket.so[0xf7134eb7]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/libdt_socket.so[0xf7135066]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/libjdwp.so[0xf7166357]
...

This is due to openjdk/jdk/src/share/transport/socket/socketTransport.c containing too small a buffer to report the error:
Debugger failed to attach: handshake failed - received >Here's a poke < - excepted >JDWP-Handshake<

64 vs 73 bytes.

Found while investigating test regression in bug 330713.

ProblemType: Bug
Architecture: amd64
Date: Tue Aug 25 21:23:34 2009
DistroRelease: Ubuntu 9.10
Package: openjdk-6-jdk 6b16-1.6~pre1-0ubuntu1
ProcEnviron:
 LANGUAGE=en_US.UTF-8
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-6.25-generic
SourcePackage: openjdk-6
Uname: Linux 2.6.31-6-generic x86_64
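
Added example, not part of the original bug report or the OpenJDK source: a C sketch that measures the handshake error message quoted in the report (72 characters plus NUL, against a 64-byte buffer) and formats it with a bounded call that reports truncation. The function names, the length-limited `%.*s` form and the sample constants are assumptions made for illustration; only the message layout comes from the error text quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the 14 bytes the report sent with nc, and the
 * handshake string the transport expects. */
static const char SAMPLE_RECEIVED[] = "Here's a poke ";
static const char EXPECTED_HELLO[]  = "JDWP-Handshake";

/* Message layout copied from the error text quoted in the report. */
#define HANDSHAKE_ERR_FMT "handshake failed - received >%.*s< - excepted >%s<"

/* Bytes needed for the formatted message, including the terminating NUL.
 * snprintf(NULL, 0, ...) only measures; it writes nothing. */
size_t handshake_error_size(const char *received, size_t received_len,
                            const char *expected)
{
    int n = snprintf(NULL, 0, HANDSHAKE_ERR_FMT,
                     (int)received_len, received, expected);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatter (hypothetical helper): never writes more than cap bytes.
 * Returns 0 if the whole message fit, 1 if it was truncated, -1 on error. */
int format_handshake_error(char *dst, size_t cap, const char *received,
                           size_t received_len, const char *expected)
{
    int n;
    if (dst == NULL || cap == 0)
        return -1;
    n = snprintf(dst, cap, HANDSHAKE_ERR_FMT,
                 (int)received_len, received, expected);
    if (n < 0) { dst[0] = '\0'; return -1; }
    return (size_t)n >= cap ? 1 : 0;
}

int main(void)
{
    char small[64];   /* the size the report says was too small */
    char exact[73];   /* the size the report says the message needs */
    size_t rlen = strlen(SAMPLE_RECEIVED);

    printf("needed: %zu bytes\n",
           handshake_error_size(SAMPLE_RECEIVED, rlen, EXPECTED_HELLO));
    printf("64-byte buffer truncated: %d\n", format_handshake_error(
           small, sizeof small, SAMPLE_RECEIVED, rlen, EXPECTED_HELLO));
    printf("73-byte buffer truncated: %d\n", format_handshake_error(
           exact, sizeof exact, SAMPLE_RECEIVED, rlen, EXPECTED_HELLO));
    return 0;
}
```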
