JDK-8144197

Possible use after free in Arguments::add_property function

    • Bug
    • Resolution: Fixed
    • P3
    • 9
    • 9
    • hotspot
    • b83
    • 9
    • b103

      The fix for JDK-8132725 "Memory leak in Arguments::add_property function" removed a memory leak in the Arguments::add_property function in the hotspot/src/share/vm/runtime/arguments.cpp module, but introduced a theoretical possibility of a use after free of _java_command, because _java_command is used when reporting OOM errors.
      Here is a possible scenario:
      1) The "sun.java.command" property is defined more than once.
      2) The JVM cannot allocate memory for the new java command when processing the second (or a later) "sun.java.command" property.

      Code example (hotspot/src/share/vm/runtime/arguments.cpp module):
      bool Arguments::add_property(const char* prop) {
      ...
          if (strcmp(key, "sun.java.command") == 0) {
            if (_java_command != NULL) {
              os::free(_java_command);
            }
            _java_command = os::strdup_check_oom(value, mtInternal);
      ...

      The previous _java_command is freed before the new _java_command is allocated. os::strdup_check_oom does not return in case of OOM, so in this case _java_command will still point to the freed memory, and _java_command will then be used in the OOM report.

      The fix is simple: free the previous _java_command only after allocating the new _java_command.
      I.e.:
          if (strcmp(key, "sun.java.command") == 0) {
            // Keep the old pointer until the new copy has been allocated.
            // Non-const char*, so it can be passed to os::free as above.
            char* _java_command_old = _java_command;
            _java_command = os::strdup_check_oom(value, mtInternal);
            if (_java_command_old != NULL) {
              os::free(_java_command_old);
            }

      For safety, the same can be done for _java_vendor_url_bug, i.e. free the old _java_vendor_url_bug only after allocating the new _java_vendor_url_bug.
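
The two orderings described above, as an added C++ example that is not JDK code and not part of the original report. The names g_java_command, tracked_free, strdup_check_oom, report_oom and OomExit are hypothetical stand-ins; the allocation failure is injected with a flag, and the simulated OOM report only compares addresses and never dereferences the pointer.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Hypothetical stand-ins for _java_command, os::free and os::strdup_check_oom.
static char*     g_java_command = nullptr;
static uintptr_t g_last_freed = 0;       // address of the most recently freed block
static bool      g_fail_alloc = false;   // fault injection for the allocator
static bool      g_saw_dangling = false; // set by the simulated OOM report
struct OomExit {};                       // models the VM exiting, not returning

static void tracked_free(char* p) {
  g_last_freed = reinterpret_cast<uintptr_t>(p);
  free(p);
}
// Simulated OOM report: inspects the global's address, never dereferences it.
[[noreturn]] static void report_oom() {
  uintptr_t cur = reinterpret_cast<uintptr_t>(g_java_command);
  g_saw_dangling = (cur != 0 && cur == g_last_freed);
  throw OomExit();
}
static char* strdup_check_oom(const char* s) {
  char* p = g_fail_alloc ? nullptr : static_cast<char*>(malloc(strlen(s) + 1));
  if (p == nullptr) report_oom();  // does not return
  g_last_freed = 0;                // that address may now be reused
  return strcpy(p, s);
}
static void set_free_first(const char* v) {   // ordering described in the report
  if (g_java_command != nullptr) tracked_free(g_java_command);
  g_java_command = strdup_check_oom(v);
}
static void set_alloc_first(const char* v) {  // ordering proposed as the fix
  char* old = g_java_command;
  g_java_command = strdup_check_oom(v);
  if (old != nullptr) tracked_free(old);
}
// Sets the value twice with the second allocation failing; returns whether the
// OOM report would have read a freed pointer.
bool oom_report_sees_dangling(bool alloc_first) {
  void (*set)(const char*) = alloc_first ? set_alloc_first : set_free_first;
  g_fail_alloc = false; g_saw_dangling = false; g_last_freed = 0;
  set("first.Main");               // constructed sample value
  g_fail_alloc = true;
  try { set("second.Main"); } catch (const OomExit&) {}
  if (!g_saw_dangling) free(g_java_command);  // old block is still owned
  g_java_command = nullptr;
  return g_saw_dangling;
}
int main() { return (oom_report_sees_dangling(false) && !oom_report_sees_dangling(true)) ? 0 : 1; }
```

With the free-first ordering the report path observes a pointer to already-freed memory; with the allocate-first ordering the global still refers to the old, live string when the allocation fails.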

            ddmitriev Dmitry Dmitriev