openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #12031
[Bug 1594393] Re: JVM on PPC64 LE crashes due to an illegal instruction in JITed code
This bug was fixed in the package openjdk-8 - 8u91-b14-3ubuntu1~16.04.1
---------------
openjdk-8 (8u91-b14-3ubuntu1~16.04.1) xenial-security; urgency=medium
* Backport to Ubuntu 16.04.
openjdk-8 (8u91-b14-3ubuntu1) yakkety; urgency=medium
* SECURITY UPDATE: IIOP Input Stream Hooking
- d/p/corba-8079718.patch: S8079718, CVE-2016-3458: defaultReadObject is
not forbidden in readObject in subclasses of InputStreamHook which
provides leverage to deserialize malicious objects if a reference to the
input stream can be obtained separately.
* SECURITY UPDATE: Complete name checking
- d/p/jaxp-8148872.patch: S8148872, CVE-2016-3500: In some cases raw names
in XML data are not checked for length limits allowing for DoS attacks.
* SECURITY UPDATE: Better delineation of XML processing
- d/p/jaxp-8149962.patch: S8149962, CVE-2016-3508: Denial of service
measures do not take newline characters into account. This can be used to
conduct attacks like the billion laughs DoS.
* SECURITY UPDATE: Coded byte streams
- d/p/hotspot-8152479.patch: S8152479, CVE-2016-3550: A fuzzed class file
triggers an integer overflow in array access.
* SECURITY UPDATE: Clean up lookup visibility
- d/p/jdk-8154475.patch: S8154475, CVE-2016-3587: A fast path change
allowed access to MH.invokeBasic via the public lookup object. MH.iB does
not do full type checking which can be used to create type confusion.
* SECURITY UPDATE: Bolster bytecode verification
- d/p/hotspot-8155981.patch: S8155981, CVE-2016-3606: The bytecode
verifier checks that any classes' <init> method calls super.<init> before
returning. There is a way to bypass this requirement which allows
creating subclasses of classes that are not intended to be extended.
* SECURITY UPDATE: Persistent Parameter Processing
- d/p/jdk-8155985.patch: S8155985, CVE-2016-3598: TOCTOU issue with types
List passed into dropArguments() which can be used to cause type
confusion.
* SECURITY UPDATE: Additional method handle validation
- d/p/jdk-8158571.patch: S8158571, CVE-2016-3610: MHs.filterReturnValue
does not check the filter parameter list size. The single expected
parameter is put in the last parameter position for the filter MH
allowing for type confusion.
* SECURITY UPDATE: Enforce GCM limits
- d/p/jdk-8146514.patch: S8146514: In GCM the counter should not be allowed
to wrap (per the spec), since that plus exposing the encrypted data could
lead to leaking information.
* SECURITY UPDATE: Construction of static protection domains
- d/p/jdk-8147771.patch: S8147771: SubjectDomainCombiner does not honor the
staticPermission field and will create ProtectionDomains that vary with
the system policy which may allow unexpected permission sets.
* SECURITY UPDATE: Share Class Data
- d/p/hotspot-8150752.patch: S8150752: Additional verification of AppCDS
archives is required to prevent an attacker from creating a type
confusion situation.
* SECURITY UPDATE: Enforce update ordering
- d/p/jdk-8149070.patch: S8149070: If the GCM methods update() and
updateAAD() are used out of order, the security of the system can be
weakened and an exception should be thrown to warn the developer.
* SECURITY UPDATE: Constrain AppCDS behavior
- d/p/hotspot-8153312.patch: S8153312: AppCDS does not create classloader
constraints upon reloading classes which could allow class spoofing under
some circumstances.
openjdk-8 (8u91-b14-3) unstable; urgency=medium
* Fix an issue with libatk-wrapper (Samuel Thibault). Closes: #827795.
* Update the KFreeBSD support patch (Steven Chamberlain). Closes: #825514.
* debian/patches/hotspot-JDK-8158260-ppc64el.patch: JDK-8158260, PPC64:
unaligned Unsafe.getInt can lead to the generation of illegal
instructions (Tiago Stürmer Daitx). LP: #1594393.
openjdk-8 (8u91-b14-2ubuntu1) yakkety; urgency=medium
* Disable the atk bridge again on Ubuntu yakkety (failing TCK tests).
openjdk-8 (8u91-b14-2) unstable; urgency=medium
* Set initial VMThreadStackSize to 1600 on s390x.
openjdk-8 (8u91-b14-1) unstable; urgency=high
* Drop unused g++-4.9 build dependency.
-- Tiago Stürmer Daitx <tiago.daitx@xxxxxxxxxxxxx> Fri, 16 Jul 2016
15:54:36 +0000
** Changed in: openjdk-8 (Ubuntu Xenial)
Status: New => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3458
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3500
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3508
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3550
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3587
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3598
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3606
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3610
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-8 in Ubuntu.
https://bugs.launchpad.net/bugs/1594393
Title:
JVM on PPC64 LE crashes due to an illegal instruction in JITed code
Status in openjdk-8 package in Ubuntu:
Fix Released
Status in openjdk-8 source package in Xenial:
Fix Released
Bug description:
== Comment: #0 - Gustavo Bueno Romero <gromero@xxxxxxxxxx> - 2016-06-17 15:06:02 ==
---Problem Description---
JVM on PPC64 LE crashes due to an illegal instruction in JITed code. The root cause is that the unaligned 4-byte displacement in instructions like LWA (Load Word Algebraic, a DS-from instruction) is not handled correctly and yields an illegal instruction inside the JITed method
Contact Information = gromero@xxxxxxxxxx
---uname output---
Linux hostname 4.4.0-24-generic #43-Ubuntu SMP Wed Jun 8 19:25:36 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
Machine Type = Not relevant
---Debugger---
A debugger is not configured
---Steps to Reproduce---
Please find a test case at: https://bugs.openjdk.java.net/browse/JDK-8158260
Userspace tool common name: javac, java
The userspace tool has the following bit modes: 64-bit
Userspace rpm: openjdk-8-jdk:ppc64el
8u91-b14-0ubuntu4~16.04.1
Userspace tool obtained from project website: na
*Additional Instructions for gromero@xxxxxxxxxx:
-Attach ltrace and strace of userspace application.
== Comment: #1 - Gustavo Bueno Romero <gromero@xxxxxxxxxx> - 2016-06-17 15:06:43 ==
JVM on PPC64 LE crashes due to an illegal instruction in JITed code. The root cause is that the unaligned 4-byte displacement in instructions like LWA (Load Word Algebraic, a DS-from instruction) is not handled correctly and yields an illegal instruction inside the JITed method [1]. The patch is already available upstream on OpenJDK 9 [2] and applying it to jdk8u is trivial [3].
Could you please proceed to apply the patch [2] (PPC-only code is
affect) in order to fix the issue described?
Thank you.
[1] https://bugs.openjdk.java.net/browse/JDK-8158260
[2]http://hg.openjdk.java.net/jdk9/hs-comp/hotspot/rev/5f3687f2143c
[3] http://mail.openjdk.java.net/pipermail/ppc-aix-port-dev/2016-June/002569.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-8/+bug/1594393/+subscriptions