
openjdk team mailing list archive

[Bug 959183] Re: buffer overflow parsing if_inet6

 

The attachment "NetworkInterface_if_inet6.diff" of this bug report has
been identified as being a patch.  The ubuntu-reviewers team has been
subscribed to the bug report so that they can review the patch.  In the
event that this is in fact not a patch you can resolve this situation by
removing the tag 'patch' from the bug report and editing the attachment
so that it is not flagged as a patch.  Additionally, if you are member
of the ubuntu-reviewers team please also unsubscribe the team from this
bug report.

[This is an automated message performed by a Launchpad user owned by
Brian Murray.  Please contact him regarding any issues with the action
taken in this bug report.]

** Tags added: patch

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/959183

Title:
  buffer overflow parsing if_inet6

Status in “openjdk-7” package in Ubuntu:
  New

Bug description:
  Hi.

  The contents of /proc/net/if_inet6:

  fe80000000000000022590fffe1a48e5 05 40 20 80     eth3
  fe80000000000000fc9b86fffe01d5d7 86 40 20 80 veth4pXXGI
  fe80000000000000fc163efffe629ca3 155 40 20 80    vnet3
  fe80000000000000fc163efffefc3b5f 158 40 20 80    vnet6
  fe80000000000000fc163efffe49ac43 154 40 20 80    vnet2
  fe80000000000000fc163efffe8fb8ba 157 40 20 80    vnet5
  fe80000000000000fc163efffeaeaa2a 152 40 20 80    vnet0
  fe80000000000000fc163efffe53e706 156 40 20 80    vnet4
  fe80000000000000fc163efffed50b59 153 40 20 80    vnet1
  fe80000000000000022590fffe1a48e6 02 40 20 80     eth0
  00000000000000000000000000000001 01 80 10 80       lo

  Starting my application results in:

  
  *** buffer overflow detected ***: /home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/bin/java terminated
  ======= Backtrace: =========
  /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff79284f7]
  /lib/x86_64-linux-gnu/libc.so.6(+0xf9410)[0x7ffff7927410]
  /home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/lib/amd64/libnet.so(+0x578d)[0x7fffe7dee78d]
  /home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/lib/amd64/libnet.so(+0x5ff5)[0x7fffe7deeff5]
  /home/user/build/openjdk-7-7~b147-2.0/build/openjdk.build/lib/amd64/libnet.so(Java_java_net_NetworkInterface_getAll+0x1c)[0x7fffe7def77c]

  Backtrace:

  #0  0x00007ffff78643a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
  #1  0x00007ffff7867b0b in __GI_abort () at abort.c:92
  #2  0x00007ffff789dd63 in __libc_message (do_abort=2, fmt=0x7ffff798d39e "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
  #3  0x00007ffff79284f7 in __GI___fortify_fail (msg=0x7ffff798d335 "buffer overflow detected") at fortify_fail.c:32
  #4  0x00007ffff7927410 in __GI___chk_fail () at chk_fail.c:29
  #5  0x00007fffe7dee78d in strcpy (__src=<optimized out>, __dest=0x7fffe4cbc060 "fc163efffefa2220") at /usr/include/x86_64-linux-gnu/bits/string3.h:105
  #6  addif (env=0xb329d0, sock=57, if_name=<optimized out>, ifs=0x8f24a0, ifr_addrP=<optimized out>, family=10, prefix=0)
      at ../../../src/solaris/native/java/net/NetworkInterface.c:841
  #7  0x00007fffe7deeff5 in enumIPv6Interfaces (ifs=0x8f24a0, sock=57, env=0xb329d0) at ../../../src/solaris/native/java/net/NetworkInterface.c:1125

  These are the values of devname the while loop at
  NetworkInterface.c:1108 sees (compare to the device names above!):

  dev: eth3
  dev: veth4pXXGI
  dev: 80
  dev: 158
  dev: 3efffe49ac43
  dev: fc163efffefa2220
  dev: fc163efffe8fb8ba
  dev: fc163efffeaeaa2a
  dev: fc163efffe53e706
  dev: fc163efffed50b59
  dev: 022590fffe1a48e6
  dev: 000000000001
  dev: 000000000001

  The parsing is too restrictive. Who said the netlink device number is
  only ever 2 hex digits wide? The same probably goes for the other hex
  values, I don't know. It should be safe to make no assumption about
  their maximum width.

  Furthermore, the parsing is error-prone: it doesn't stop if a line
  couldn't be read completely, i.e. it cannot detect whether a line has
  been read completely.

  The attached patch fixes the apparent problem.

  Btw, I got the same error with openjdk-6.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/959183/+subscriptions
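The two parsing styles the report contrasts, as an added example that is not the OpenJDK code and not the patch attached to this bug. fragile_devname reproduces the fixed-width pattern the reporter questions (two-digit hex fields followed by a name) and returns what lands in the name slot; parse_if_inet6_line makes no assumption about the width of the hex fields, caps the address at 32 digits, refuses a device name that would not fit, and uses %n to check that the whole line was consumed. The names struct inet6_entry, fragile_devname and parse_if_inet6_line are this example's own, and IFNAMSIZ (16 on Linux) is assumed to be the size of the buffer the name is copied into; the report does not show the actual buffer in OpenJDK's addif. The sample lines in main are taken from the report's /proc/net/if_inet6 dump, plus one constructed line with a 16-character name.

```c
/* Added example, not OpenJDK's code nor the bug's patch: parse one line
 * of /proc/net/if_inet6 with and without width assumptions. IFNAMSIZ is
 * assumed to be the size of the name buffer the device name must fit. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#ifndef IFNAMSIZ
#define IFNAMSIZ 16
#endif

struct inet6_entry {
    unsigned char addr[16];     /* 128-bit address, binary */
    unsigned int if_index;      /* interface index ("netlink device number") */
    unsigned int prefix_len;
    unsigned int scope;
    unsigned int flags;
    char devname[IFNAMSIZ];     /* NUL-terminated, guaranteed to fit */
};

/* Fixed-width pattern: eight 4-char address chunks, four two-digit hex
 * fields, then a name. With an index like "155", %2x stops after "15",
 * the next %2x takes "5", every later field shifts by one and the flags
 * column lands in the name slot. Returns the length of the "name" it
 * took, 0 if the line did not match the pattern at all. */
size_t fragile_devname(const char *line, char *out, size_t outsz)
{
    char a[8][5], dev[64];
    unsigned int idx, plen, scope, flags;

    if (sscanf(line, "%4s%4s%4s%4s%4s%4s%4s%4s %2x %2x %2x %2x %63s",
               a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7],
               &idx, &plen, &scope, &flags, dev) != 13) {
        out[0] = '\0';
        return 0;
    }
    snprintf(out, outsz, "%s", dev);
    return strlen(dev);
}

/* Hardened parse: %x takes hex of any width; the address is capped at 32
 * digits and must be followed by whitespace; the name is read with one
 * byte of headroom so an over-long one is detected instead of overflowing
 * or being truncated silently; %n records how far the parse got and only
 * whitespace may follow. Returns 0 on success, -1 on any mismatch, in
 * which case the caller should stop rather than continue misaligned. */
int parse_if_inet6_line(const char *line, struct inet6_entry *e)
{
    char hex[33], name[IFNAMSIZ + 1];
    int addr_end = 0, consumed = 0, i;

    if (sscanf(line, "%32[0123456789abcdefABCDEF]%n %x %x %x %x %16s%n",
               hex, &addr_end, &e->if_index, &e->prefix_len,
               &e->scope, &e->flags, name, &consumed) != 6)
        return -1;
    if (addr_end != 32 || !isspace((unsigned char)line[addr_end]))
        return -1;
    if (strlen(name) >= IFNAMSIZ)             /* would not fit: refuse */
        return -1;
    for (i = consumed; line[i] != '\0'; i++)  /* nothing else may follow */
        if (!isspace((unsigned char)line[i]))
            return -1;
    for (i = 0; i < 16; i++) {
        unsigned int byte;
        if (sscanf(hex + 2 * i, "%2x", &byte) != 1)
            return -1;
        e->addr[i] = (unsigned char)byte;
    }
    memcpy(e->devname, name, strlen(name) + 1);
    return 0;
}

int main(void)
{
    /* Three lines from the report's dump, plus a constructed line whose
     * 16-character name would not fit in IFNAMSIZ bytes. */
    static const char *const sample[] = {
        "fe80000000000000022590fffe1a48e5 05 40 20 80     eth3",
        "fe80000000000000fc163efffe629ca3 155 40 20 80    vnet3",
        "00000000000000000000000000000001 01 80 10 80       lo",
        "00000000000000000000000000000001 01 80 10 80 fc163efffefa2220",
    };
    size_t n;

    for (n = 0; n < sizeof sample / sizeof sample[0]; n++) {
        struct inet6_entry e;
        char dev[64];
        fragile_devname(sample[n], dev, sizeof dev);
        if (parse_if_inet6_line(sample[n], &e) == 0)
            printf("index %3u prefix %3u dev %-10s (fixed-width parse saw \"%s\")\n",
                   e.if_index, e.prefix_len, e.devname, dev);
        else
            printf("rejected: %s (fixed-width parse saw \"%s\")\n", sample[n], dev);
    }
    return 0;
}
```

A caller reading the real file would use fgets and feed each line to parse_if_inet6_line, stopping at the first -1; continuing after a partial match is exactly what lets the fields drift until a hex chunk is taken for a device name.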
