openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #07688
[Bug 959183] Re: buffer overflow parsing if_inet6
** Patch added: "NetworkInterface_if_inet6.diff"
https://bugs.launchpad.net/bugs/959183/+attachment/2896595/+files/NetworkInterface_if_inet6.diff
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/959183
Title:
buffer overflow parsing if_inet6
Status in “openjdk-7” package in Ubuntu:
New
Bug description:
Hi.
The contents of /proc/net/if_inet6:
fe80000000000000022590fffe1a48e5 05 40 20 80 eth3
fe80000000000000fc9b86fffe01d5d7 86 40 20 80 veth4pXXGI
fe80000000000000fc163efffe629ca3 155 40 20 80 vnet3
fe80000000000000fc163efffefc3b5f 158 40 20 80 vnet6
fe80000000000000fc163efffe49ac43 154 40 20 80 vnet2
fe80000000000000fc163efffe8fb8ba 157 40 20 80 vnet5
fe80000000000000fc163efffeaeaa2a 152 40 20 80 vnet0
fe80000000000000fc163efffe53e706 156 40 20 80 vnet4
fe80000000000000fc163efffed50b59 153 40 20 80 vnet1
fe80000000000000022590fffe1a48e6 02 40 20 80 eth0
00000000000000000000000000000001 01 80 10 80 lo
Starting my application results in:
*** buffer overflow detected ***: /home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/bin/java terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff79284f7]
/lib/x86_64-linux-gnu/libc.so.6(+0xf9410)[0x7ffff7927410]
/home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/lib/amd64/libnet.so(+0x578d)[0x7fffe7dee78d]
/home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/lib/amd64/libnet.so(+0x5ff5)[0x7fffe7deeff5]
/home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/lib/amd64/libnet.so(Java_java_net_NetworkInterface_getAll+0x1c)[0x7fffe7def77c]
Backtrace:
#0 0x00007ffff78643a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff7867b0b in __GI_abort () at abort.c:92
#2 0x00007ffff789dd63 in __libc_message (do_abort=2, fmt=0x7ffff798d39e "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3 0x00007ffff79284f7 in __GI___fortify_fail (msg=0x7ffff798d335 "buffer overflow detected") at fortify_fail.c:32
#4 0x00007ffff7927410 in __GI___chk_fail () at chk_fail.c:29
#5 0x00007fffe7dee78d in strcpy (__src=<optimized out>, __dest=0x7fffe4cbc060 "fc163efffefa2220") at /usr/include/x86_64-linux-gnu/bits/string3.h:105
#6 addif (env=0xb329d0, sock=57, if_name=<optimized out>, ifs=0x8f24a0, ifr_addrP=<optimized out>, family=10, prefix=0)
at ../../../src/solaris/native/java/net/NetworkInterface.c:841
#7 0x00007fffe7deeff5 in enumIPv6Interfaces (ifs=0x8f24a0, sock=57, env=0xb329d0) at ../../../src/solaris/native/java/net/NetworkInterface.c:1125
These are the values of devname the while loop at
NetworkInterface.c:1108 sees (compare to the device names above!):
dev: eth3
dev: veth4pXXGI
dev: 80
dev: 158
dev: 3efffe49ac43
dev: fc163efffefa2220
dev: fc163efffe8fb8ba
dev: fc163efffeaeaa2a
dev: fc163efffe53e706
dev: fc163efffed50b59
dev: 022590fffe1a48e6
dev: 000000000001
dev: 000000000001
The parsing is too restrictive. Who said the netlink device number is
only ever 2 hex digits wide? Same goes probably for the other hex
values, I don't know. Should be safe making no assumption about their
maximum width.
Furthermore, the parsing is error prone, it doesn't stop if a line
couldn't be read completely, i.e. it cannot detect whether a line has
been read completely.
The attached patch fixes the apparent problem.
Btw, I got the same error with openjdk-6.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/959183/+subscriptions
References