
openjdk team mailing list archive

Bug#876051: i386 applications using JNI may crash due to Hotspot workaround for Exec Shield


Package: openjdk-8-jre-headless
Version: 8u144-b01-1
Severity: important
Tags: patch

Following the fix for CVE-2017-1000364 (Stack Clash) in the Linux
kernel, it was reported that some applications using JNI on i386 would
crash (bug #865303 and others).

I tracked this down to some questionable code in Hotspot that
allocates a page of writable, executable memory near the limit (lowest
address) of the main thread stack.  This is commented as being a
workaround for JDK-8023956, which seems to be a bug in the Exec Shield
NX emulation patch applied to Red Hat and Ubuntu kernels (RH bug
#996149, which is not public).  I don't know whether that bug was
ever fixed in Exec Shield.

Since Debian has never applied out-of-tree Exec Shield kernel patches,
perhaps it would be better to disable this workaround?  I would prefer to
fix this on the kernel side, but even if it does get fixed there is a
security benefit in eliminating a page of memory that is both writable
and executable.

Ben.

--- openjdk-8-8u144-b01/debian/patches/hotspot-disable-exec-shield-workaround.patch
+++ openjdk-8-8u144-b01/debian/patches/hotspot-disable-exec-shield-workaround.patch
@@ -0,0 +1,15 @@
+# DP: Hotspot: disable Exec Shield workaround (JDK-8023956).
+# DP: This workaround interacts badly with kernel changes to enlarge the stack
+# DP: gap, causing applications using JNI to crash (Debian bug #865303).
+# DP: Debian has never applied the Exec Shield patches.
+--- a/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
++++ b/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
+@@ -890,7 +890,7 @@ void os::verify_stack_alignment() {
+  * updates (JDK-8023956).
+  */
+ void os::workaround_expand_exec_shield_cs_limit() {
+-#if defined(IA32) && !defined(ZERO)
++#if 0
+   size_t page_size = os::vm_page_size();
+   /*
+    * Take the highest VA the OS will give us and exec
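Review bot: replacing `#if defined(IA32) && !defined(ZERO)` with `#if 0` switches the workaround off for every build of this source tree, not only Debian's, while the DP header justifies the change only by Debian never having carried the Exec Shield patches; consider guarding the body with a build-time macro set from debian/rules instead of a bare `#if 0`, so a downstream that does carry Exec Shield can re-enable it without editing the patch. The DP description could also record the second motivation given in the report, that the disabled code created a page that is both writable and executable, since that is the argument for keeping the change even after a kernel-side fix.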
--- openjdk-8-8u144-b01/debian/rules
+++ openjdk-8-8u144-b01/debian/rules
@@ -380,6 +380,7 @@
 	8164293.diff \
 	jdk-i18n-pt_BR.diff \
 	jdk-java-nio-bits-unligned-aarch64.diff \
+	hotspot-disable-exec-shield-workaround.patch \
 
 #	jdk-derived-font-size.diff \
 # FIXME: update patches
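Review bot: the new entry uses a `.patch` suffix while every neighbouring entry in this list (`8164293.diff`, `jdk-i18n-pt_BR.diff`, `jdk-java-nio-bits-unligned-aarch64.diff`) uses `.diff`; rename the file to `hotspot-disable-exec-shield-workaround.diff` (and the file header in the first hunk to match) for consistency with the rest of the list. The entry is otherwise placed correctly at the tail of the backslash-continued list, ahead of the commented-out `jdk-derived-font-size.diff`.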
--- END ---

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openjdk-8-jre-headless depends on:
ii  ca-certificates-java  20170531+nmu1
ii  java-common           0.59
ii  libc6                 2.24-17
ii  libcups2              2.2.4-6
ii  libfontconfig1        2.12.3-0.2
ii  libfreetype6          2.8-0.2
ii  libgcc1               1:7.2.0-3
ii  libjpeg62-turbo       1:1.5.2-2
ii  liblcms2-2            2.8-4
ii  libnss3               2:3.32-2
ii  libpcsclite1          1.8.22-1
ii  libstdc++6            7.2.0-3
ii  libx11-6              2:1.6.4-3
ii  libxext6              2:1.3.3-1+b2
ii  libxi6                2:1.7.9-1
ii  libxrender1           1:0.9.10-1
ii  libxtst6              2:1.2.3-1
ii  util-linux            2.29.2-4
ii  zlib1g                1:1.2.8.dfsg-5

openjdk-8-jre-headless recommends no packages.

Versions of packages openjdk-8-jre-headless suggests:
ii  fonts-dejavu-extra    2.37-1
pn  fonts-indic           <none>
pn  fonts-ipafont-gothic  <none>
pn  fonts-ipafont-mincho  <none>
pn  fonts-wqy-microhei    <none>
pn  fonts-wqy-zenhei      <none>
ii  libnss-mdns           0.10-8

-- no debconf information
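As an added example (not part of Ben's report, nor OpenJDK or Debian code), a small check for the kind of mapping the report describes: it parses /proc/<pid>/maps text, flags every mapping that is both writable and executable, and reports how far below the [stack] mapping each one lies. The maps text is a constructed sample, not output captured from a real JVM.

```python
import re

# Constructed sample of /proc/<pid>/maps output, not captured from a real JVM:
# a single W+X page sits just below the lowest address of the main-thread stack,
# which is where the Hotspot workaround places its page.
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 1234 /usr/lib/jvm/java-8-openjdk-i386/bin/java
f7e00000-f7fa0000 r-xp 00000000 08:01 5678 /lib/i386-linux-gnu/libc.so.6
ffc00000-ffc01000 rwxp 00000000 00:00 0
ffd00000-ffd21000 rw-p 00000000 00:00 0 [stack]
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>[rwxsp-]{4}) "
    r"[0-9a-f]+ \S+ \d+\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Parse /proc/<pid>/maps text into a list of mapping dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append({"start": int(m["start"], 16),
                            "end": int(m["end"], 16),
                            "perms": m["perms"],
                            "path": m["path"].strip()})
    return regions


def find_wx_regions(regions):
    """Mappings that are both writable and executable."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]


def gap_below_stack(regions, region):
    """Bytes between the end of `region` and the bottom of [stack];
    None when there is no [stack] mapping or `region` is not below it."""
    stack = next((r for r in regions if r["path"] == "[stack]"), None)
    if stack is None or region["end"] > stack["start"]:
        return None
    return stack["start"] - region["end"]


def report(text):
    """W+X mappings with their distance below the main-thread stack."""
    regions = parse_maps(text)
    return [{"start": r["start"], "end": r["end"],
             "gap_to_stack": gap_below_stack(regions, r)}
            for r in find_wx_regions(regions)]


if __name__ == "__main__":
    # On a live system, pass open(f"/proc/{pid}/maps").read() instead.
    for f in report(SAMPLE_MAPS):
        print(f"W+X {f['start']:08x}-{f['end']:08x}, "
              f"{f['gap_to_stack']} bytes below [stack]")
```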

