JVM on PPC64 LE crashes due to an illegal instruction in JITed code

Bug #1594393 reported by bugproxy on 2016-06-20
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openjdk-8 (Ubuntu)
High
Tiago Stürmer Daitx
Xenial
High
Tiago Stürmer Daitx

Bug Description

== Comment: #0 - Gustavo Bueno Romero <email address hidden> - 2016-06-17 15:06:02 ==
---Problem Description---
JVM on PPC64 LE crashes due to an illegal instruction in JITed code. The root cause is that the unaligned 4-byte displacement in instructions like LWA (Load Word Algebraic, a DS-from instruction) is not handled correctly and yields an illegal instruction inside the JITed method

Contact Information = <email address hidden>

---uname output---
Linux hostname 4.4.0-24-generic #43-Ubuntu SMP Wed Jun 8 19:25:36 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux

Machine Type = Not relevant

---Debugger---
A debugger is not configured

---Steps to Reproduce---
 Please find a test case at: https://bugs.openjdk.java.net/browse/JDK-8158260

Userspace tool common name: javac, java

The userspace tool has the following bit modes: 64-bit

Userspace rpm: openjdk-8-jdk:ppc64el 8u91-b14-0ubuntu4~16.04.1

Userspace tool obtained from project website: na

*Additional Instructions for <email address hidden>:
-Attach ltrace and strace of userspace application.

== Comment: #1 - Gustavo Bueno Romero <email address hidden> - 2016-06-17 15:06:43 ==
JVM on PPC64 LE crashes due to an illegal instruction in JITed code. The root cause is that the unaligned 4-byte displacement in instructions like LWA (Load Word Algebraic, a DS-from instruction) is not handled correctly and yields an illegal instruction inside the JITed method [1]. The patch is already available upstream on OpenJDK 9 [2] and applying it to jdk8u is trivial [3].

Could you please proceed to apply the patch [2] (PPC-only code is affect) in order to fix the issue described?

Thank you.

[1] https://bugs.openjdk.java.net/browse/JDK-8158260
[2]http://hg.openjdk.java.net/jdk9/hs-comp/hotspot/rev/5f3687f2143c
[3] http://mail.openjdk.java.net/pipermail/ppc-aix-port-dev/2016-June/002569.html

bugproxy (bugproxy) on 2016-06-20
tags: added: architecture-ppc64le bugnameltc-142797 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Taco Screen team (taco-screen-team)
Gary Gaydos (gmgaydos) on 2016-06-20
affects: ubuntu → openjdk-8 (Ubuntu)
Steve Langasek (vorlon) on 2016-06-20
Changed in openjdk-8 (Ubuntu):
assignee: Taco Screen team (taco-screen-team) → Tiago Stürmer Daitx (tdaitx)
status: New → Triaged
importance: Undecided → High
Tiago Stürmer Daitx (tdaitx) wrote :
tags: added: patch

The attachment "debdiff containing JDK-8158260 fix for yakkety" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Tiago Stürmer Daitx (tdaitx) wrote :

Yakkety build (+ Wily and Xenial backports) with the proper patches applied are available at my PPA: https://launchpad.net/~tdaitx/+archive/ubuntu/openjdk/+packages

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-8 - 8u91-b14-3

---------------
openjdk-8 (8u91-b14-3) unstable; urgency=medium

  * Fix an issue with libatk-wrapper (Samuel Thibault). Closes: #827795.
  * Update the KFreeBSD support patch (Steven Chamberlain). Closes: #825514.
  * debian/patches/hotspot-JDK-8158260-ppc64el.patch: JDK-8158260, PPC64:
    unaligned Unsafe.getInt can lead to the generation of illegal
    instructions (Tiago Stürmer Daitx). LP: #1594393.

 -- Matthias Klose <email address hidden> Fri, 24 Jun 2016 14:49:34 +0200

Changed in openjdk-8 (Ubuntu):
status: Triaged → Fix Released
Gustavo Romero (gromero) wrote :

Thanks a lot for fixing it on Yakkety Yak.

Please, could you also fix it on 16.04 LTS? Should I open a new bug to address this issue on 16.04 LTS?

Thank you.

Steve Langasek (vorlon) on 2016-07-07
Changed in openjdk-8 (Ubuntu Xenial):
assignee: nobody → Tiago Stürmer Daitx (tdaitx)
importance: Undecided → High
Launchpad Janitor (janitor) wrote :
Download full text (4.3 KiB)

This bug was fixed in the package openjdk-8 - 8u91-b14-3ubuntu1~16.04.1

---------------
openjdk-8 (8u91-b14-3ubuntu1~16.04.1) xenial-security; urgency=medium

  * Backport to Ubuntu 16.04.

openjdk-8 (8u91-b14-3ubuntu1) yakkety; urgency=medium

  * SECURITY UPDATE: IIOP Input Stream Hooking
    - d/p/corba-8079718.patch: S8079718, CVE-2016-3458: defaultReadObject is
      not forbidden in readObject in subclasses of InputStreamHook which
      provides leverage to deserialize malicious objects if a reference to the
      input stream can be obtained separately.
  * SECURITY UPDATE: Complete name checking
    - d/p/jaxp-8148872.patch: S8148872, CVE-2016-3500: In some cases raw names
      in XML data are not checked for length limits allowing for DoS attacks.
  * SECURITY UPDATE: Better delineation of XML processing
    - d/p/jaxp-8149962.patch: S8149962, CVE-2016-3508: Denial of service
      measures do not take newline characters into account. This can be used to
      conduct attacks like the billion laughs DoS.
  * SECURITY UPDATE: Coded byte streams
    - d/p/hotspot-8152479.patch: S8152479, CVE-2016-3550: A fuzzed class file
      triggers an integer overflow in array access.
  * SECURITY UPDATE: Clean up lookup visibility
    - d/p/jdk-8154475.patch: S8154475, CVE-2016-3587: A fast path change
      allowed access to MH.invokeBasic via the public lookup object. MH.iB does
      not do full type checking which can be used to create type confusion.
  * SECURITY UPDATE: Bolster bytecode verification
    - d/p/hotspot-8155981.patch: S8155981, CVE-2016-3606: The bytecode
      verifier checks that any classes' <init> method calls super.<init> before
      returning. There is a way to bypass this requirement which allows
      creating subclasses of classes that are not intended to be extended.
  * SECURITY UPDATE: Persistent Parameter Processing
    - d/p/jdk-8155985.patch: S8155985, CVE-2016-3598: TOCTOU issue with types
      List passed into dropArguments() which can be used to cause type
      confusion.
  * SECURITY UPDATE: Additional method handle validation
    - d/p/jdk-8158571.patch: S8158571, CVE-2016-3610: MHs.filterReturnValue
      does not check the filter parameter list size. The single expected
      parameter is put in the last parameter position for the filter MH
      allowing for type confusion.
  * SECURITY UPDATE: Enforce GCM limits
    - d/p/jdk-8146514.patch: S8146514: In GCM the counter should not be allowed
      to wrap (per the spec), since that plus exposing the encrypted data could
      lead to leaking information.
  * SECURITY UPDATE: Construction of static protection domains
    - d/p/jdk-8147771.patch: S8147771: SubjectDomainCombiner does not honor the
      staticPermission field and will create ProtectionDomains that vary with
      the system policy which may allow unexpected permission sets.
  * SECURITY UPDATE: Share Class Data
    - d/p/hotspot-8150752.patch: S8150752: Additional verification of AppCDS
      archives is required to prevent an attacker from creating a type
      confusion situation.
  * SECURITY UPDATE: Enforce update ordering
    - d/p/jdk-8149070.patch: S8149070: If the GCM methods ...

Read more...

Changed in openjdk-8 (Ubuntu Xenial):
status: New → Fix Released
bugproxy (bugproxy) on 2016-07-27
tags: added: targetmilestone-inin1610
removed: targetmilestone-inin---
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers