openjdk team mailing list archive
Message #12591
Bug#876051: i386 applications using JNI may crash due to Hotspot workaround for Exec Shield
Package: openjdk-8-jre-headless
Version: 8u144-b01-1
Severity: important
Tags: patch
Following the fix for CVE-2017-1000364 (Stack Clash) in the Linux
kernel, it was reported that some applications using JNI on i386 would
crash (bug #865303 and others).
I tracked this down to some questionable code in Hotspot that
allocates a page of writable, executable memory near the limit (lowest
address) of the main thread stack. This is commented as being a
workaround for JDK-8023956, which seems to be a bug in the Exec Shield
NX emulation patch applied to Red Hat and Ubuntu kernels (RH bug
#996149, which is not public). I don't know whether that bug was
ever fixed in Exec Shield.
Since Debian has never applied out-of-tree Exec Shield kernel patches,
perhaps it would be better to disable this workaround? I would prefer to
fix this on the kernel side, but even if it does get fixed there is a
security benefit in eliminating a page of memory that is both writable
and executable.
Ben.
--- openjdk-8-8u144-b01/debian/patches/hotspot-disable-exec-shield-workaround.patch
+++ openjdk-8-8u144-b01/debian/patches/hotspot-disable-exec-shield-workaround.patch
@@ -0,0 +1,15 @@
+# DP: Hotspot: disable Exec Shield workaround (JDK-8023956).
+# DP: This workaround interacts badly with kernel changes to enlarge the stack
+# DP: gap, causing applications using JNI to crash (Debian bug #865303).
+# DP: Debian has never applied the Exec Shield patches.
+--- a/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
++++ b/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
+@@ -890,7 +890,7 @@ void os::verify_stack_alignment() {
+ * updates (JDK-8023956).
+ */
+ void os::workaround_expand_exec_shield_cs_limit() {
+-#if defined(IA32) && !defined(ZERO)
++#if 0
+ size_t page_size = os::vm_page_size();
+ /*
+ * Take the highest VA the OS will give us and exec
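Review bot: The "#if 0" that replaces "#if defined(IA32) && !defined(ZERO)" in os::workaround_expand_exec_shield_cs_limit() leaves nothing in os_linux_x86.cpp to say why the body is disabled; the reason (Debian bug #865303, no Exec Shield patches in Debian) is recorded only in the DP: header of the patch file. Consider keeping the original condition and adding a short comment or a named build-time macro beside it, so the guard can be restored for kernels that do carry Exec Shield and so a later upstream change to this line conflicts visibly. The hunk shows only the opening directive, so it is also worth confirming that the function still compiles to an empty body with its matching #endif untouched.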
--- openjdk-8-8u144-b01/debian/rules
+++ openjdk-8-8u144-b01/debian/rules
@@ -380,6 +380,7 @@
8164293.diff \
jdk-i18n-pt_BR.diff \
jdk-java-nio-bits-unligned-aarch64.diff \
+ hotspot-disable-exec-shield-workaround.patch \
# jdk-derived-font-size.diff \
# FIXME: update patches
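Review bot: The entry added to debian/rules, hotspot-disable-exec-shield-workaround.patch, uses a .patch suffix while every neighbouring entry visible in this list ends in .diff; renaming it to .diff would keep the list consistent. The hunk context does not show which variable this list belongs to, so please confirm it is one that is applied to the hotspot tree for the i386 build, since the guarded code is IA32-only.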
--- END ---
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openjdk-8-jre-headless depends on:
ii ca-certificates-java 20170531+nmu1
ii java-common 0.59
ii libc6 2.24-17
ii libcups2 2.2.4-6
ii libfontconfig1 2.12.3-0.2
ii libfreetype6 2.8-0.2
ii libgcc1 1:7.2.0-3
ii libjpeg62-turbo 1:1.5.2-2
ii liblcms2-2 2.8-4
ii libnss3 2:3.32-2
ii libpcsclite1 1.8.22-1
ii libstdc++6 7.2.0-3
ii libx11-6 2:1.6.4-3
ii libxext6 2:1.3.3-1+b2
ii libxi6 2:1.7.9-1
ii libxrender1 1:0.9.10-1
ii libxtst6 2:1.2.3-1
ii util-linux 2.29.2-4
ii zlib1g 1:1.2.8.dfsg-5
openjdk-8-jre-headless recommends no packages.
Versions of packages openjdk-8-jre-headless suggests:
ii fonts-dejavu-extra 2.37-1
pn fonts-indic <none>
pn fonts-ipafont-gothic <none>
pn fonts-ipafont-mincho <none>
pn fonts-wqy-microhei <none>
pn fonts-wqy-zenhei <none>
ii libnss-mdns 0.10-8
-- no debconf information
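An added example, not part of the original message or of the OpenJDK or Debian sources: a check over /proc/<pid>/maps text that flags mappings that are both writable and executable, or that lie within the stack guard gap below [stack], the two conditions the report describes. The gap size (256 pages of 4 KiB), the function names and the sample map are assumptions constructed for illustration.

```python
import re

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) \S+ \S+ \S+\s*(.*)$")

def parse_maps(text):
    """Return a list of (start, end, perms, name) tuples from maps text."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), m.group(4)))
    return regions

def audit(text, gap_bytes=256 * 4096):
    """Flag writable+executable mappings and mappings inside the stack gap.

    gap_bytes is an assumption: 256 pages of 4 KiB, the default
    stack_guard_gap on kernels carrying the Stack Clash fix.
    """
    regions = parse_maps(text)
    stack = next((r for r in regions if r[3] == "[stack]"), None)
    findings = []
    for start, end, perms, name in regions:
        wx = "w" in perms and "x" in perms
        # Bytes between the top of this mapping and the lowest stack address.
        below = stack[0] - end if stack and end <= stack[0] else None
        in_gap = below is not None and below < gap_bytes
        if wx or in_gap:
            findings.append({"start": start, "end": end, "perms": perms,
                             "name": name or "(anonymous)", "wx": wx,
                             "in_stack_gap": in_gap})
    return findings

# Constructed sample of a 32-bit process map, not taken from the bug report.
SAMPLE = """\
08048000-08049000 r-xp 00000000 08:01 131 /usr/bin/java
f7700000-f7800000 rw-p 00000000 00:00 0
ff7d9000-ff7da000 rwxp 00000000 00:00 0
ff7df000-ff800000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("%08x-%08x %s %s wx=%s in_stack_gap=%s" % (
            f["start"], f["end"], f["perms"], f["name"],
            f["wx"], f["in_stack_gap"]))
```

To audit a live JVM, pass the contents of /proc/<pid>/maps for that process to audit() in place of SAMPLE.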