openjdk team mailing list archive
Message #08305
[Bug 925218] Re: Crash in java.net.NetworkInterface.getNetworkInterfaces() when ifr_ifindex exceeds 255
This bug was fixed in the package openjdk-6 -
6b24-1.11.3-1ubuntu0.11.10.1
---------------
openjdk-6 (6b24-1.11.3-1ubuntu0.11.10.1) oneiric-security; urgency=low
* Backport OpenJDK 6b24/IcedTea 1.11.3 to oneiric.
* debian/patches/java-access-bridge-security.patch: updated
* debian/control.zero-jre: add powerpc arch back, to get empty
transitional package
* debian/rules: install README.Debian for openjdk-6-jre-zero to create
empty transitional package and create package
* debian/README.Debian: explain openjdk-6-jre-zero went away
* regenerate debian/control
* add back build depends on g++-4.5 for armel/armhf
openjdk-6 (6b24-1.11.3-1ubuntu0.12.04.1) precise-security; urgency=low
* SECURITY UPDATE: update to IcedTea 6 1.11.3
- Security fixes:
- S7079902, CVE-2012-1711: Refine CORBA data models
- S7110720: Issue with vm config file loading
- S7143606, CVE-2012-1717: File.createTempFile should be improved
for temporary files created by the platform.
- S7143614, CVE-2012-1716: SynthLookAndFeel stability improvement
- S7143617, CVE-2012-1713: Improve fontmanager layout lookup
operations
- S7143851, CVE-2012-1719: Improve IIOP stub and tie generation
in RMIC
- S7143872, CVE-2012-1718: Improve certificate extension
processing
- S7145239: Finetune package definition restriction
- S7152811, CVE-2012-1723: Issues in client compiler
- S7157609, CVE-2012-1724: Issues with loop
- S7160677: missing else in fix for 7152811
- S7160757, CVE-2012-1725: Problem with hotspot/runtime_classfile
- Bug fixes:
- PR1018: JVM fails due to SEGV during rendering some Unicode
characters (part of 6886358)
* Changelog, Makefile.am, aclocal.m4,
arm_port/hotspot/src/cpu/zero/vm/asm_helper.cpp,
patches/idresolver_fix.patch,
patches/openjdk/6792400-Avoid_loading_Normalizer_resources.patch:
drop inline changes, applied upstream
* debian/patches/atk-wrapper-security.patch: updated
* Makefile.{am,in}: don't apply patches/jtreg-LastErrorString.patch as
it causes the testsuite runner to fail.
-- Steve Beattie <sbeattie@xxxxxxxxxx> Thu, 28 Jun 2012 12:14:37 -0700
** Changed in: openjdk-6 (Ubuntu Oneiric)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1711
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1713
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1716
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1717
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1718
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1719
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1723
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1724
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1725
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in Ubuntu.
https://bugs.launchpad.net/bugs/925218
Title:
Crash in java.net.NetworkInterface.getNetworkInterfaces() when
ifr_ifindex exceeds 255
Status in “openjdk-6” package in Ubuntu:
Fix Released
Status in “openjdk-7” package in Ubuntu:
Fix Released
Status in “openjdk-6” source package in Oneiric:
Fix Released
Status in “openjdk-7” source package in Oneiric:
Confirmed
Bug description:
If the system contains at least one network interface in state "UP"
whose interface index (ifr_ifindex) is greater than 255, any calls to
java.net.NetworkInterface.getNetworkInterfaces() will fail horribly,
usually with a glibc-detected buffer overflow. This is on Ubuntu
11.10 amd64 with openjdk-6-jre-headless version
6b23~pre11-0ubuntu1.11.10.1 0
Interface index numbers can get quite large when we're on a system
where network interfaces are added and removed frequently. For
example, miredo (a teredo implementation) seems to create and destroy
a tuntap interface whenever we need to reestablish the teredo tunnel
-- which can be quite often on a laptop. High interface numbers can
also be induced artificially by repeatedly adding and removing, say, a
macvlan interface.
I'm attaching a simple shell script that demonstrates this bug, along
with the glibc buffer overflow crash output that results. I'm also
attaching a gdb backtrace.
The problem seems to be caused by the Linux version of the
enumIPv6Interfaces function in
openjdk/jdk/src/solaris/native/java/net/NetworkInterface.c, which
attempts to parse the contents of /proc/net/if_inet6. When we have an
interface with a high index, that file looks something like this:
> fe800000000000000000ffffffffffff 10b 40 20 80 teredo
> 20010000<--address-edited-out--> 10b 20 00 80 teredo
> fe80000000000000021558fffec629b6 02 40 20 80 eth0
> fe8000000000000002197efffec16a76 03 40 20 80 wlan0
> 00000000000000000000000000000001 01 80 10 80 lo
The second column contains the interface index in hex. Notice that it's normally two characters long, but it becomes longer when the index exceeds 255. However, enumIPv6Interfaces uses fscanf with the format string
"%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s\n"
which insists that the index is only two characters long. Thus, an index that's 3 chars long causes fscanf to give us lots of garbage, eventually resulting in a crash when we try to do something with the nonsense.
I'm attaching a patch that contains a simple fix. However, it might
be a good idea to find a better way to do this and replace this
fragile parsing stuff altogether, esp. since the kernel docs don't
even bother to document the format of /proc/net/if_inet6. (Netlink,
maybe? How does 'ip addr list' do it?)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/925218/+subscriptions
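
The parsing failure described in the report, as an added example that is not part of the original message or its attached patch: parse_fragile applies the format string quoted above to a single line, and parse_robust is one possible hardened form (an assumption, not the fix that was shipped). The struct, the function names and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One /proc/net/if_inet6 record (struct and field names are this example's). */
struct if6 { char addr[33]; unsigned idx, plen, scope, flags; char name[21]; };

/* Constructed sample lines in the layout shown in the report. */
static const char HIGH_IDX[] = "fe80" "0000" "0000" "0000" "0000" "ffff" "ffff" "ffff"
                               " 10b 40 20 80 teredo\n";
static const char LOW_IDX[] = "0000" "0000" "0000" "0000" "0000" "0000" "0000" "0001"
                              " 01 80 10 80 lo\n";

/* Format string quoted in the report: each numeric field is capped at two
 * characters, so "10b" is split into 0x10 and 0xb and later fields shift. */
static int parse_fragile(const char *line, struct if6 *r)
{
    char a[8][5];   /* %4s writes up to 4 chars plus NUL */
    return sscanf(line, "%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s\n",
                  a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7],
                  &r->idx, &r->plen, &r->scope, &r->flags, r->name);
}

/* Hardened variant: no width cap on the hex fields, bounded strings, and the
 * record is rejected unless all six fields convert, the address is 32 hex
 * digits, and only whitespace trails the interface name. */
static int parse_robust(const char *line, struct if6 *r)
{
    int end = 0;
    if (sscanf(line, "%32[0-9a-fA-F] %x %x %x %x %20s %n", r->addr,
               &r->idx, &r->plen, &r->scope, &r->flags, r->name, &end) != 6)
        return -1;
    if (strlen(r->addr) != 32 || line[end] != '\0')
        return -1;
    return 0;
}

int main(void)
{
    struct if6 f = {0}, r = {0};
    int n = parse_fragile(HIGH_IDX, &f);
    printf("fragile: n=%d idx=%#x plen=%#x name=%s\n", n, f.idx, f.plen, f.name);
    if (parse_robust(HIGH_IDX, &r) == 0)
        printf("robust:  idx=%#x plen=%#x name=%s\n", r.idx, r.plen, r.name);
    if (parse_robust(LOW_IDX, &r) == 0)
        printf("robust:  idx=%#x plen=%#x name=%s\n", r.idx, r.plen, r.name);
    return 0;
}
```

The fragile call still reports 13 conversions, so checking the return value alone does not catch the shift; on a stream read with fscanf the unconsumed "teredo" is then parsed as the start of the next record.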