Crash in java.net.NetworkInterface.getNetworkInterfaces() when ifr_ifindex exceeds 255

Bug #925218 reported by Daniel Gnoutcheff on 2012-02-01
24
This bug affects 3 people
Affects Status Importance Assigned to Milestone
openjdk-6 (Ubuntu)
Undecided
Unassigned
Oneiric
High
Unassigned
openjdk-7 (Ubuntu)
Undecided
Unassigned
Oneiric
Undecided
Unassigned

Bug Description

If the system contains at least one network interface in state "UP" whose interface index (ifr_ifindex) is greater than 255, any calls to java.net.NetworkInterface.getNetworkInterfaces() will fail horribly, usually with a glibc-detected buffer overflow. This is on Ubuntu 11.10 amd64 with openjdk-6-jre-headless version 6b23~pre11-0ubuntu1.11.10.1 0

Interface index numbers can get quite large when we're on a system where network interfaces are added and removed frequently. For example, miredo (a teredo implementation) seems to create and destroy a tuntap interface whenever we need to reestablish the teredo tunnel -- which can be quite often on a laptop. High interface numbers can also be induced artificially by repeatedly adding and removing, say, a macvlan interface.

I'm attaching a simple shell script that demonstrates this bug, along with the glibc buffer overflow crash output that results. I'm also attaching a gdb backtrace.

The problem seems to be caused by the Linux version of the enumIPv6Interfaces function in openjdk/jdk/src/solaris/native/java/net/NetworkInterface.c, which attempts to parse the contents of /proc/net/if_inet6. When we have an interface with a high index, that file looks something like this:

> fe800000000000000000ffffffffffff 10b 40 20 80 teredo
> 20010000<--address-edited-out--> 10b 20 00 80 teredo
> fe80000000000000021558fffec629b6 02 40 20 80 eth0
> fe8000000000000002197efffec16a76 03 40 20 80 wlan0
> 00000000000000000000000000000001 01 80 10 80 lo

The second column contains the interface index in hex. Notice that it's normally two characters long, but it becomes longer when the index exceeds 255. However, enumIPv6Interfaces uses fscanf with the format string
  "%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s\n"
which insists that the index is only two characters long. Thus, an index that's 3 chars long causes fscanf to give us lots of garbage, eventually resulting in a crash when we try to do something with the nonsense.

I'm attaching a patch that contains a simple fix. However, it might be a good idea to find a better way to do this and replace this fragile parsing stuff altogether, esp. since the kernel docs don't even bother to document the format of /proc/net/if_inet6. (Netlink, maybe? How does 'ip addr list' do it?)

Daniel Gnoutcheff (gnoutchd) wrote :
Daniel Gnoutcheff (gnoutchd) wrote :
Daniel Gnoutcheff (gnoutchd) wrote :
Daniel Gnoutcheff (gnoutchd) wrote :

The attachment "enumipv6-fix.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Daniel Gnoutcheff (gnoutchd) wrote :

This bug continues to affect the updated openjdk-6-jre-headless version 6b23~pre11-0ubuntu1.11.10.2
It also affects openjdk-7-jre-headless version 7~b147-2.0-0ubuntu0.11.10.1

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-6 - 6b24-1.11.1-3ubuntu1

---------------
openjdk-6 (6b24-1.11.1-3ubuntu1) precise; urgency=low

  * Regenerate the control file.

openjdk-6 (6b24-1.11.1-3) unstable; urgency=low

  * Use NanumMyeongjo as the preferred korean font. LP: #792471.
    Closes: #655167.
  * Fix java path in jexec for multiarch builds.
  * Fix crash in java.net.NetworkInterface.getNetworkInterfaces() when
    ifr_ifindex exceeds 255. LP: #925218. S7078386.
  * Remove javaws and pluginappletviewer alternatives on upgrade from
    squeeze. Closes: #660604.
  * Use IPAfont as the preferred japanesse font. Closes: #646054.
  * Build using gcj on alpha and armel. Closes: #655750.
  * Drop build dependency on libxp-dev. Closes: #623667.

openjdk-6 (6b24-1.11.1-2ubuntu2) precise; urgency=low

  * Make sure that the nss.cfg doesn't mention any library path.
    LP: #939361, #939419.
  * Disable the accessibility wrapper, doesn't work yet. LP: #935296.
  * ARM: Inline math functions, where asm instructions exist (taken from
    the trunk).
 -- Matthias Klose <email address hidden> Mon, 27 Feb 2012 12:45:54 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-7 - 7~u3-2.1-1ubuntu3

---------------
openjdk-7 (7~u3-2.1-1ubuntu3) precise; urgency=low

  [ Matthias Klose ]
  * Use NanumMyeongjo as the preferred korean font. LP: #792471.
  * Fix crash in java.net.NetworkInterface.getNetworkInterfaces() when
    ifr_ifindex exceeds 255. LP: #925218. S7078386.
  * Use IPAfont as the preferred japanesse font. Closes: #646054.
  * Build using gcj on alpha and armel. Closes: #655750.

  [ Damien Raude-Morvan ]
  * d/patches/sparc-stubgenerator.diff: Fix FTBFS on sparc on
    stubGenerator_sparc.cpp by using explicit class typedef (Closes:
    #660871).

openjdk-7 (7~u3-2.1-1ubuntu2) precise; urgency=low

  * Make sure that the nss.cfg doesn't mention any library path.
    LP: #939361, #939419.
  * Disable the accessibility wrapper, doesn't work yet. LP: #935296.
 -- Matthias Klose <email address hidden> Mon, 27 Feb 2012 13:05:41 +0100

Changed in openjdk-6 (Ubuntu):
status: New → Fix Released
Changed in openjdk-7 (Ubuntu):
status: New → Fix Released

Nominating for SRU for Oneiric. It is a blocker for the QA Team.
This defect prevents jenkins from starting when jenkins and KVM are installed on the same host and KVM allocates tap devices.

For example, here is the current state
# cat /proc/net/if_inet6
fe80000000000000fc5400fffe339c86 685 40 20 80 vnet2
fe80000000000000fc5400fffe490f36 19 40 20 80 vnet0
fe80000000000000fc5400fffe60f51e 684 40 20 80 vnet3
fe8000000000000002238bfffe4283ca 02 40 20 80 eth0
fe80000000000000fc5400fffeaf25f1 686 40 20 80 vnet1
00000000000000000000000000000001 01 80 10 80 lo

Changed in openjdk-6 (Ubuntu Oneiric):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-6 (Ubuntu Oneiric):
status: New → Confirmed
Changed in openjdk-7 (Ubuntu Oneiric):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-6 - 6b24-1.11.3-1ubuntu0.11.10.1

---------------
openjdk-6 (6b24-1.11.3-1ubuntu0.11.10.1) oneiric-security; urgency=low

  * Backport OpenJDK 6b24/IcedTea 1.11.3 to oneiric.
  * debian/patches/java-access-bridge-security.patch: updated
  * debian/control.zero-jre: add powerpc arch back, to get empty
    transitional package
  * debian/rules: install README.Debian for openjdk-6-jre-zero to create
    empty transitional package and create package
  * debian/README.Debian: explain openjdk-6-jre-zero went away
  * regenerate debian/control
  * add back build depends on g++-4.5 for armel/armhf

openjdk-6 (6b24-1.11.3-1ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY UPDATE: update to IcedTea 6 1.11.3
    - Security fixes:
      - S7079902, CVE-2012-1711: Refine CORBA data models
      - S7110720: Issue with vm config file loadingIssue with vm
        config file loading
      - S7143606, CVE-2012-1717: File.createTempFile should be improved
        for temporary files created by the platform.
      - S7143614, CVE-2012-1716: SynthLookAndFeel stability improvement
      - S7143617, CVE-2012-1713: Improve fontmanager layout lookup
        operations
      - S7143851, CVE-2012-1719: Improve IIOP stub and tie generation
        in RMIC
      - S7143872, CVE-2012-1718: Improve certificate extension
        processing
      - S7145239: Finetune package definition restriction
      - S7152811, CVE-2012-1723: Issues in client compiler
      - S7157609, CVE-2012-1724: Issues with loop
      - S7160677: missing else in fix for 7152811
      - S7160757, CVE-2012-1725: Problem with hotspot/runtime_classfile
    - Bug fixes:
      - PR1018: JVM fails due to SEGV during rendering some Unicode
        characters (part of 6886358)
  * Changelog, Makefile.am, aclocal.m4,
    arm_port/hotspot/src/cpu/zero/vm/asm_helper.cpp,
    patches/idresolver_fix.patch,
    patches/openjdk/6792400-Avoid_loading_Normalizer_resources.patch:
    drop inline changes, applied upstream
  * debian/patches/atk-wrapper-security.patch: updated
  * Makefile.{am,in}: don't apply patches/jtreg-LastErrorString.patch as
    it causes the testsuite runner to fail.
 -- Steve Beattie <email address hidden> Thu, 28 Jun 2012 12:14:37 -0700

Changed in openjdk-6 (Ubuntu Oneiric):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (15.8 KiB)

This bug was fixed in the package openjdk-7 - 7u9-2.3.3-0ubuntu1~11.10.1

---------------
openjdk-7 (7u9-2.3.3-0ubuntu1~11.10.1) oneiric-security; urgency=low

  * Build IcedTea7 2.3.3 for oneiric.

openjdk-7 (7u9-2.3.3-0ubuntu1) quantal-security; urgency=low

  * IcedTea7 2.3.3 release.
  * Security fixes
    - S6631398, CVE-2012-3216: FilePermission improved path checking.
    - S7093490: adjust package access in rmiregistry.
    - S7143535, CVE-2012-5068: ScriptEngine corrected permissions.
    - S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp.
    - S7158807: Revise stack management with volatile call sites.
    - S7163198, CVE-2012-5076: Tightened package accessibility.
    - S7167656, CVE-2012-5077: Multiple Seeders are being created.
    - S7169884, CVE-2012-5073: LogManager checks do not work correctly for
      sub-types.
    - S7169887, CVE-2012-5074: Tightened package accessibility.
    - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI
      connector.
    - S7172522, CVE-2012-5072: Improve DomainCombiner checking.
    - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC.
    - S7189103, CVE-2012-5069: Executors needs to maintain state.
    - S7189490: More improvements to DomainCombiner checking.
    - S7189567, CVE-2012-5085: java net obselete protocol.
    - S7192975, CVE-2012-5071: Issue with JMX reflection.
    - S7195194, CVE-2012-5084: Better data validation for Swing.
    - S7195549, CVE-2012-5087: Better bean object persistence.
    - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be
      improved.
    - S7195919, CVE-2012-5079: (sl) ServiceLoader can throw CCE without
      needing to create instance.
    - S7196190, CVE-2012-5088: Improve method of handling MethodHandles.
    - S7198296, CVE-2012-5089: Refactor classloader usage.
    - S7158800: Improve storage of symbol tables.
    - S7158801: Improve VM CompileOnly option.
    - S7158804: Improve config file parsing.
    - S7198606, CVE-2012-4416: Improve VM optimization.

openjdk-7 (7u7-2.3.2a-1ubuntu1) quantal; urgency=low

  * Build a transitional icedtea-7-jre-cacao package to ease upgrades.

openjdk-7 (7u7-2.3.2a-1) experimental; urgency=low

  * Upload to experimental.

openjdk-7 (7u7-2.3.2a-0ubuntu1) quantal; urgency=low

  * Repackage the source to drop the cacao tarball (and packaging files).
  * Depend again on system provided tzdata-java and restore the zi
    symlink on upgrade. LP: #1050404.
  * libgnome2-0, libgnomevfs2-0, libgconf2-4 are not prepared for multiarch.
    Don't depend on these so that openjdk-7 can be installed as a multiarch
    package.

openjdk-7 (7u7-2.3.2-1ubuntu2) quantal; urgency=low

  * Make the avian VM a known runtime.

openjdk-7 (7u7-2.3.2-1ubuntu1) quantal; urgency=low

  * Fix 32bit hotspot build, don't set maximal heap space lower than
    minimal heap space for the docs build.
  * d/p/sane-library-paths.patch, d/p/ant-diagnostics.diff,
    d/p/fix-race-cond-print.diff, d/p/gcc-hotspot-opt-O[02].diff,
    d/p/gcc-mtune-generic.diff, d/p/openjdk-6986968.diff: Remove, not used.
  * Remove unused shark/llvm-3.0 patches.
  * d/p/zero-only-use-floating-point-if...

Changed in openjdk-7 (Ubuntu Oneiric):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers