
openjdk team mailing list archive

[Bug 959183] [NEW] buffer overflow parsing if_inet6

 

Public bug reported:

Hi.

The contents of /proc/net/if_inet6:

fe80000000000000022590fffe1a48e5 05 40 20 80     eth3
fe80000000000000fc9b86fffe01d5d7 86 40 20 80 veth4pXXGI
fe80000000000000fc163efffe629ca3 155 40 20 80    vnet3
fe80000000000000fc163efffefc3b5f 158 40 20 80    vnet6
fe80000000000000fc163efffe49ac43 154 40 20 80    vnet2
fe80000000000000fc163efffe8fb8ba 157 40 20 80    vnet5
fe80000000000000fc163efffeaeaa2a 152 40 20 80    vnet0
fe80000000000000fc163efffe53e706 156 40 20 80    vnet4
fe80000000000000fc163efffed50b59 153 40 20 80    vnet1
fe80000000000000022590fffe1a48e6 02 40 20 80     eth0
00000000000000000000000000000001 01 80 10 80       lo

Starting my application results in:


*** buffer overflow detected ***: /home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/bin/java terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff79284f7]
/lib/x86_64-linux-gnu/libc.so.6(+0xf9410)[0x7ffff7927410]
/home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/lib/amd64/libnet.so(+0x578d)[0x7fffe7dee78d]
/home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/lib/amd64/libnet.so(+0x5ff5)[0x7fffe7deeff5]
/home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/lib/amd64/libnet.so(Java_java_net_NetworkInterface_getAll+0x1c)[0x7fffe7def77c]

Backtrace:

#0  0x00007ffff78643a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff7867b0b in __GI_abort () at abort.c:92
#2  0x00007ffff789dd63 in __libc_message (do_abort=2, fmt=0x7ffff798d39e "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff79284f7 in __GI___fortify_fail (msg=0x7ffff798d335 "buffer overflow detected") at fortify_fail.c:32
#4  0x00007ffff7927410 in __GI___chk_fail () at chk_fail.c:29
#5  0x00007fffe7dee78d in strcpy (__src=<optimized out>, __dest=0x7fffe4cbc060 "fc163efffefa2220") at /usr/include/x86_64-linux-gnu/bits/string3.h:105
#6  addif (env=0xb329d0, sock=57, if_name=<optimized out>, ifs=0x8f24a0, ifr_addrP=<optimized out>, family=10, prefix=0)
    at ../../../src/solaris/native/java/net/NetworkInterface.c:841
#7  0x00007fffe7deeff5 in enumIPv6Interfaces (ifs=0x8f24a0, sock=57, env=0xb329d0) at ../../../src/solaris/native/java/net/NetworkInterface.c:1125

These are the values of devname the while loop at
NetworkInterface.c:1108 sees (compare to the device names above!):

dev: eth3
dev: veth4pXXGI
dev: 80
dev: 158
dev: 3efffe49ac43
dev: fc163efffefa2220
dev: fc163efffe8fb8ba
dev: fc163efffeaeaa2a
dev: fc163efffe53e706
dev: fc163efffed50b59
dev: 022590fffe1a48e6
dev: 000000000001
dev: 000000000001

The parsing is too restrictive. Who said the netlink device number is
only ever 2 hex digits wide? The same probably goes for the other hex
values; I don't know. It should be safe to make no assumption about their
maximum width.

Furthermore, the parsing is error-prone: it doesn't stop if a line
couldn't be read completely, i.e. it cannot detect whether a line has
been read completely.

The attached patch fixes the apparent problem.

Btw, I got the same error with openjdk-6.

** Affects: openjdk-7 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/959183


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/959183/+subscriptions
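The failure mode in the report, as an added example that is not part of the bug report, of the attached patch, or of OpenJDK's NetworkInterface.c: a C parser for /proc/net/if_inet6 in two forms. parse_fragile() uses a fixed-width scanf conversion of the shape the report implies (two hex digits for the interface index; the actual format string in NetworkInterface.c is not quoted on this page, so that shape is an assumption) and reproduces the misparse of the "155" line, where the device name comes out as "80". parse_line() and parse_if_inet6() are the hardened form: one line at a time, no width cap on the hex fields, all fields required, the name bounded to IFNAMSIZ-1 bytes, and anything left over on the line treated as an error rather than being handed to the next read. IFNAMSIZ is defined locally as 16 on the assumption that it matches <net/if.h>; the 16-character token "fc163efffefa2220" in the strcpy() frame of the backtrace needs 17 bytes, which is consistent with a 16-byte destination, but that is an inference, not something the page states. The sample dump is constructed from the lines in the report plus one injected line with an over-long device name.

```c
#include <stdio.h>
#include <string.h>

/* Assumed to match IFNAMSIZ in <net/if.h>; defined here so the block builds stand-alone. */
#define IFNAMSIZ 16

struct inet6_entry {
    char addr[33];           /* 32 hex digits + NUL */
    unsigned if_idx, plen, scope, dad_status;
    char devname[IFNAMSIZ];  /* the bound a kernel interface name has */
};

/* Constructed sample in the /proc/net/if_inet6 format: the reporter's lines with
 * 3-digit interface indices, plus one injected line (idx 99) whose device name is
 * longer than IFNAMSIZ-1, to show the strict parser rejecting it. */
static const char SAMPLE[] =
    "fe80000000000000022590fffe1a48e5 05 40 20 80     eth3\n"
    "fe80000000000000fc9b86fffe01d5d7 86 40 20 80 veth4pXXGI\n"
    "fe80000000000000fc163efffe629ca3 155 40 20 80    vnet3\n"
    "fe80000000000000fc163efffefc3b5f 158 40 20 80    vnet6\n"
    "fe80000000000000022590fffe1a48e6 02 40 20 80     eth0\n"
    "fe80000000000000fc163efffe000000 99 40 20 80 averyveryverylongname\n"
    "00000000000000000000000000000001 01 80 10 80       lo\n";

/* The fragile pattern (assumed shape of the original loop). In scanf a width such
 * as "%02x" is a *maximum* of two hex digits, so "155" is consumed as 0x15 and the
 * leftover "5" becomes the prefix length; every later field shifts left and "80"
 * ends up as the device name. Returns the sscanf field count; dev holds 21 bytes. */
int parse_fragile(const char *line, unsigned *if_idx, unsigned *plen, char dev[21])
{
    char p[8][5];
    unsigned scope, dad;
    return sscanf(line, "%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s",
                  p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7],
                  if_idx, plen, &scope, &dad, dev);
}

/* Strict parser for one line. Numeric fields take as many hex digits as the kernel
 * printed; the address must be exactly 32 hex digits; the name is bounded to
 * IFNAMSIZ-1 bytes; all six fields must match; and anything but whitespace after
 * the name (e.g. the tail of an over-long name) makes the whole line invalid. */
int parse_line(const char *line, struct inet6_entry *e)
{
    int consumed = 0;
    int n = sscanf(line, " %32[0-9a-fA-F] %x %x %x %x %15s%n",
                   e->addr, &e->if_idx, &e->plen, &e->scope, &e->dad_status,
                   e->devname, &consumed);
    if (n != 6 || strlen(e->addr) != 32)
        return -1;
    for (const char *q = line + consumed; *q; q++)
        if (!strchr(" \t\r\n", *q))
            return -1;
    return 0;
}

/* Parse a whole dump one line at a time. A rejected line is counted and skipped
 * and can never shift the fields of the lines after it. Returns entries stored. */
size_t parse_if_inet6(const char *text, struct inet6_entry *out, size_t max,
                      size_t *rejected)
{
    size_t count = 0;
    const char *p = text;
    *rejected = 0;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) {
            (*rejected)++;            /* absurdly long line: refuse it */
        } else if (len > 0) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_line(line, &out[count]) == 0) count++;
            else (*rejected)++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

int main(void)
{
    const char *line155 = "fe80000000000000fc163efffe629ca3 155 40 20 80    vnet3";
    unsigned idx = 0, plen = 0;
    char dev[21] = "";
    int n = parse_fragile(line155, &idx, &plen, dev);
    printf("fragile: matched=%d if_idx=0x%x plen=0x%x devname=\"%s\"\n", n, idx, plen, dev);
    struct inet6_entry tbl[16];
    size_t rejected = 0;
    size_t count = parse_if_inet6(SAMPLE, tbl, 16, &rejected);
    for (size_t i = 0; i < count; i++)
        printf("strict:  %-10s idx=%-4u plen=%-3u scope=0x%02x flags=0x%02x %s\n",
               tbl[i].devname, tbl[i].if_idx, tbl[i].plen, tbl[i].scope,
               tbl[i].dad_status, tbl[i].addr);
    printf("strict:  %zu entries, %zu line(s) rejected\n", count, rejected);
    return 0;
}
```

Splitting the input on '\n' (or reading it with fgets()) before calling sscanf() is what gives the "line read completely" check the report asks for: a line that does not yield all of its fields, or that has bytes left after the name, is rejected on its own, and the next line starts from a clean state instead of from whatever a stream-oriented fscanf() loop left unread.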


