-
Bug
-
Resolution: Fixed
-
P4
-
8, 9
-
b77
-
x86
-
solaris_11
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8136055 | emb-9 | Brian Burkhalter | P4 | Resolved | Fixed | team |
FULL PRODUCT VERSION :
$ /java/re/jdk/9/latest/binaries/solaris-x64/bin/java -version
java version "1.9.0-ea"
Java(TM) SE Runtime Environment (build 1.9.0-ea-b74)
Java HotSpot(TM) 64-Bit Server VM (build 1.9.0-ea-b74, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
$ uname -a
SunOS telling 5.11 11.2 i86pc i386 i86pc
A DESCRIPTION OF THE PROBLEM :
In http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/5e0789110c5f/src/java.base/unix/native/libnio/ch/Net.c,
Java_sun_nio_ch_Net_poll(JNIEnv* env, jclass this, jobject fdo, jint events, jlong timeout)
passes the "timeout" argument to the C library function
int poll(struct pollfd * fds, nfds_t nfds, int timeout)
without checking if the value of "timeout" is in the range of a C int, or doing something useful if it is not.
This *might* be okay, because this "poll" method is internal, and it might be that only int values are passed to it. That *seems* to be the case in, for example http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/5e0789110c5f/src/java.base/share/classes/sun/nio/ch/SocketAdaptor.java, where the instance variable "timeout" is an int, though when it is passed to SocketChannel.poll() it it first widened to a long, which is safe. I have not checked the other callers of the Java_sun_nio_ch_Net_poll method.
REPRODUCIBILITY :
This bug can be reproduced rarely.
$ /java/re/jdk/9/latest/binaries/solaris-x64/bin/java -version
java version "1.9.0-ea"
Java(TM) SE Runtime Environment (build 1.9.0-ea-b74)
Java HotSpot(TM) 64-Bit Server VM (build 1.9.0-ea-b74, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
$ uname -a
SunOS telling 5.11 11.2 i86pc i386 i86pc
A DESCRIPTION OF THE PROBLEM :
In http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/5e0789110c5f/src/java.base/unix/native/libnio/ch/Net.c,
Java_sun_nio_ch_Net_poll(JNIEnv* env, jclass this, jobject fdo, jint events, jlong timeout)
passes the "timeout" argument to the C library function
int poll(struct pollfd * fds, nfds_t nfds, int timeout)
without checking if the value of "timeout" is in the range of a C int, or doing something useful if it is not.
This *might* be okay, because this "poll" method is internal, and it might be that only int values are passed to it. That *seems* to be the case in, for example http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/5e0789110c5f/src/java.base/share/classes/sun/nio/ch/SocketAdaptor.java, where the instance variable "timeout" is an int, though when it is passed to SocketChannel.poll() it it first widened to a long, which is safe. I have not checked the other callers of the Java_sun_nio_ch_Net_poll method.
REPRODUCIBILITY :
This bug can be reproduced rarely.
- backported by
-
JDK-8136055 Java_sun_nio_ch_Net_poll passes a long to an int
-
- Resolved
-