buffer overflow in debugger's socket handler

Bug #419018 reported by Kees Cook

Affects             Status        Importance  Assigned to      Milestone
OpenJDK             Unknown       Medium
openjdk-6 (Ubuntu)  Fix Released  Undecided   Matthias Klose

Bug Description

When compiled with fortification:
$ /usr/lib/jvm/java-6-openjdk/jre/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=50701 Exit0 &
[1] 8785
Listening for transport dt_socket at address: 50701
$ echo -n "Here's a poke in the eye" | nc -v localhost 50701
*** buffer overflow detected ***: /usr/lib/jvm/java-6-openjdk/jre/bin/java terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x40)[0xf7ed7a90]
/lib/libc.so.6[0xf7ed6aa0]
/lib/libc.so.6[0xf7ed5dca]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/libdt_socket.so[0xf7134eb7]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/libdt_socket.so[0xf7135066]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/libjdwp.so[0xf7166357]
...

This is due to openjdk/jdk/src/share/transport/socket/socketTransport.c containing too small a buffer to report the error:
Debugger failed to attach: handshake failed - received >Here's a poke < - excepted >JDWP-Handshake<

64 vs 73 bytes.

Found while investigating test regression in bug 330713.

ProblemType: Bug
Architecture: amd64
Date: Tue Aug 25 21:23:34 2009
DistroRelease: Ubuntu 9.10
Package: openjdk-6-jdk 6b16-1.6~pre1-0ubuntu1
ProcEnviron:
 LANGUAGE=en_US.UTF-8
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-6.25-generic
SourcePackage: openjdk-6
Uname: Linux 2.6.31-6-generic x86_64
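The report's "64 vs 73 bytes" is the whole bug: the handshake reads 14 bytes (the length of "JDWP-Handshake") from whoever connected, and on a mismatch formats both the received bytes and the expected string into a fixed 64-byte message buffer with no bound on the write. The example below is an added illustration, not the report's patch or OpenJDK's socketTransport.c; the function names, the 256-byte scratch buffer in message_fits and the sample input are assumptions. It measures the message the way a fortified build would have to, and shows the bounded formatting that prevents the overflow while still reporting truncation to the caller.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of the handshake error path the report describes:
 * the debugger reads strlen("JDWP-Handshake") bytes from the peer and,
 * on mismatch, formats both strings into a fixed 64-byte message buffer.
 * Names and layout are assumptions, not the upstream socketTransport.c. */
#define HELLO "JDWP-Handshake"
#define HELLO_LEN (sizeof(HELLO) - 1)   /* 14 bytes read from the peer */
#define OLD_MSG_CAP 64                  /* buffer size the report calls too small */

/* Bytes (including the NUL) the error message needs for a received
 * prefix of n bytes; snprintf with a NULL buffer only measures. */
size_t handshake_msg_len(const char *received, size_t n)
{
    int len = snprintf(NULL, 0,
                       "handshake failed - received >%.*s< - expected >%s<",
                       (int)n, received, HELLO);
    return (size_t)len + 1;
}

/* Hardened formatter: bounds the write to cap, never assumes the peer
 * bytes are NUL-terminated (%.*s with an explicit length), and tells the
 * caller whether the message was cut. Returns 1 if it fit, 0 if truncated. */
int format_handshake_error(char *out, size_t cap, const char *received, size_t n)
{
    int len = snprintf(out, cap,
                       "handshake failed - received >%.*s< - expected >%s<",
                       (int)n, received, HELLO);
    return len >= 0 && (size_t)len < cap;
}

/* Convenience check for sizing a message buffer: does the full message
 * for this input fit in cap bytes? (Scratch buffer capped at 256 bytes.) */
int message_fits(size_t cap, const char *received, size_t n)
{
    char buf[256];
    if (cap > sizeof buf)
        cap = sizeof buf;
    return format_handshake_error(buf, cap, received, n);
}

/* The handshake comparison itself: the first HELLO_LEN bytes must match. */
int handshake_ok(const char *received, size_t n)
{
    return n == HELLO_LEN && memcmp(received, HELLO, HELLO_LEN) == 0;
}

int main(void)
{
    /* Constructed input: the string from the report; only the first
     * 14 bytes are read by the handshake, hence "Here's a poke ". */
    const char *poke = "Here's a poke in the eye";
    char msg[128];
    size_t need = handshake_msg_len(poke, HELLO_LEN);
    printf("handshake ok: %d\n", handshake_ok(poke, HELLO_LEN));
    printf("message needs %zu bytes, old buffer had %d\n", need, OLD_MSG_CAP);
    int fit = format_handshake_error(msg, OLD_MSG_CAP, poke, HELLO_LEN);
    printf("%s: %s\n", fit ? "fit" : "truncated", msg);
    return 0;
}
```

With a 64-byte capacity the formatter truncates instead of writing past the end, which is exactly the condition FORTIFY_SOURCE aborted on in the backtrace above; sizing the buffer from handshake_msg_len (73 bytes for any 14-byte prefix, since the received part is always 14 characters) removes the truncation as well.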

Kees Cook (kees) wrote :

Fix for overflow.

Changed in openjdk-6 (Ubuntu):
milestone: none → karmic-alpha-6
Kees Cook (kees) wrote :

Patch updated to include upstream bug report link.

Changed in openjdk-6 (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Changed in openjdk:
status: Unknown → Confirmed
Changed in openjdk:
status: Confirmed → Unknown
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-6 - 6b16-1.6~pre2-0ubuntu1

---------------
openjdk-6 (6b16-1.6~pre2-0ubuntu1) karmic; urgency=low

  * Update IcedTea from the 1.6 release branch:
    - Fix buffer overflow in debugger's socket handler (Kees Cook).
      https://bugs.openjdk.java.net/show_bug.cgi?id=100103. LP: #409736.
    - plugin fixes.
  * Move the pulseaudio recommendation to a suggestion, don't build-depend
    on pulseaudio.
  * Build for armv6 (on armel).

  [ Kees Cook ]
  * debian/rules: Re-enable fortification and stack protector
    (LP: #330713).
  * Adding stack markings to the x86 assembly for not using executable
    stack. LP: #419018.

 -- Matthias Klose <email address hidden> Fri, 28 Aug 2009 18:51:34 +0200

Changed in openjdk-6 (Ubuntu):
status: New → Fix Released
Changed in openjdk:
importance: Unknown → Medium