-
Bug
-
Resolution: Fixed
-
P3
-
9
-
b107
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8295157 | openjdk8u362 | Paul Hohensee | P3 | Resolved | Fixed | b01 |
get_datetime_string() can access memory outside of allocated buffer:
http://hg.openjdk.java.net/jdk9/dev/hotspot/file/c5f55130b1b6/src/share/vm/utilities/ostream.cpp#l367
...
char* get_datetime_string(char *buf, size_t len) {
os::local_time_string(buf, len);
int i = (int)strlen(buf);
while (i-- >= 0) {
if (buf[i] == ' ') buf[i] = '_';
else if (buf[i] == ':') buf[i] = '-';
}
return buf;
}
...
"i--" modifies the variable after the current value was read. When "i" is equal to 0 in the "while" statement, then "i" becomes -1 i in loop's body. And as a result, it accesses one byte before "buf". If "buf[-1]" is a space or a colon, then it overrides it.
Currently get_datetime_string() method is only called from make_log_name() method:
http://hg.openjdk.java.net/jdk9/dev/hotspot/file/c5f55130b1b6/src/share/vm/utilities/ostream.cpp#l480
...
static const char* make_log_name(const char* log_name, const char* force_directory) {
char timestr[32];
get_datetime_string(timestr, sizeof(timestr));
return make_log_name_internal(log_name, force_directory, os::current_process_id(),
timestr);
}
...
Here is disassembled make_log_name(char const*, char const*) method:
(gdb) disas
Dump of assembler code for function make_log_name(char const*, char const*):
0x00007ffff69f8c32 <+0>: push %rbp
0x00007ffff69f8c33 <+1>: mov %rsp,%rbp
0x00007ffff69f8c36 <+4>: sub $0x30,%rsp
0x00007ffff69f8c3a <+8>: mov %rdi,-0x28(%rbp)
0x00007ffff69f8c3e <+12>: mov %rsi,-0x30(%rbp)
0x00007ffff69f8c42 <+16>: lea -0x20(%rbp),%rax
0x00007ffff69f8c46 <+20>: mov $0x20,%esi
0x00007ffff69f8c4b <+25>: mov %rax,%rdi
0x00007ffff69f8c4e <+28>: callq 0x7ffff69f872e <get_datetime_string(char*, unsigned long)>
=> 0x00007ffff69f8c53 <+33>: callq 0x7ffff69e89e8 <os::current_process_id()>
0x00007ffff69f8c58 <+38>: mov %eax,%edi
0x00007ffff69f8c5a <+40>: lea -0x20(%rbp),%rdx
0x00007ffff69f8c5e <+44>: mov -0x30(%rbp),%rsi
0x00007ffff69f8c62 <+48>: mov -0x28(%rbp),%rax
0x00007ffff69f8c66 <+52>: mov %rdx,%rcx
0x00007ffff69f8c69 <+55>: mov %edi,%edx
0x00007ffff69f8c6b <+57>: mov %rax,%rdi
0x00007ffff69f8c6e <+60>: callq 0x7ffff69f87c4 <make_log_name_internal(char const*, char const*, int, char const*)>
0x00007ffff69f8c73 <+65>: leaveq
0x00007ffff69f8c74 <+66>: retq
End of assembler dump.
"timestr" buffer is allocated on stack at -0x20(%rbp). But also there are two slots at -0x28(%rbp) and -0x30(%rbp) which contain parameters passed to make_log_name() via %rdi and %rsi. The value at -0x28(%rbp) will be used to pass a log name to make_log_name_internal().
get_datetime_string() can corrupt one byte at -0x28(%rbp) in case it ends with 0x20 (ASCII symbol of a space) or 0x3a (ASCII symbol of a colon). In this case, make_log_name_internal() would use a wrong address.
It looks like that -0x28(%rbp) contains an address of a buffer in heap:
(gdb) x/xg $rbp-0x28
0x7ffff7fceb88: 0x00007ffff000bbf0
(gdb) x/s 0x00007ffff000bbf0
0x7ffff000bbf0: "./testGC.log"
(gdb) p $rsp
$1 = (void *) 0x7ffff7fceb80
I am not sure if it is possible that -0x28(%rbp) ends with 0x20 or 0x3a because buffer addresses are aligned. I couldn't reproduce a crash here.
So this looks like a hypothetical memory corruption which can lead to a crash or undefined behavior, but it would be better to fix it.
The following simple patch fixes the problem:
diff -r d5239fc1b697 src/share/vm/utilities/ostream.cpp
--- a/src/share/vm/utilities/ostream.cpp Thu Jan 14 12:03:32 2016 -0800
+++ b/src/share/vm/utilities/ostream.cpp Thu Jan 21 11:20:37 2016 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -376,7 +376,7 @@
char* get_datetime_string(char *buf, size_t len) {
os::local_time_string(buf, len);
int i = (int)strlen(buf);
- while (i-- >= 0) {
+ while (--i >= 0) {
if (buf[i] == ' ') buf[i] = '_';
else if (buf[i] == ':') buf[i] = '-';
}
http://hg.openjdk.java.net/jdk9/dev/hotspot/file/c5f55130b1b6/src/share/vm/utilities/ostream.cpp#l367
...
char* get_datetime_string(char *buf, size_t len) {
os::local_time_string(buf, len);
int i = (int)strlen(buf);
while (i-- >= 0) {
if (buf[i] == ' ') buf[i] = '_';
else if (buf[i] == ':') buf[i] = '-';
}
return buf;
}
...
"i--" modifies the variable after the current value was read. When "i" is equal to 0 in the "while" statement, then "i" becomes -1 i in loop's body. And as a result, it accesses one byte before "buf". If "buf[-1]" is a space or a colon, then it overrides it.
Currently get_datetime_string() method is only called from make_log_name() method:
http://hg.openjdk.java.net/jdk9/dev/hotspot/file/c5f55130b1b6/src/share/vm/utilities/ostream.cpp#l480
...
static const char* make_log_name(const char* log_name, const char* force_directory) {
char timestr[32];
get_datetime_string(timestr, sizeof(timestr));
return make_log_name_internal(log_name, force_directory, os::current_process_id(),
timestr);
}
...
Here is disassembled make_log_name(char const*, char const*) method:
(gdb) disas
Dump of assembler code for function make_log_name(char const*, char const*):
0x00007ffff69f8c32 <+0>: push %rbp
0x00007ffff69f8c33 <+1>: mov %rsp,%rbp
0x00007ffff69f8c36 <+4>: sub $0x30,%rsp
0x00007ffff69f8c3a <+8>: mov %rdi,-0x28(%rbp)
0x00007ffff69f8c3e <+12>: mov %rsi,-0x30(%rbp)
0x00007ffff69f8c42 <+16>: lea -0x20(%rbp),%rax
0x00007ffff69f8c46 <+20>: mov $0x20,%esi
0x00007ffff69f8c4b <+25>: mov %rax,%rdi
0x00007ffff69f8c4e <+28>: callq 0x7ffff69f872e <get_datetime_string(char*, unsigned long)>
=> 0x00007ffff69f8c53 <+33>: callq 0x7ffff69e89e8 <os::current_process_id()>
0x00007ffff69f8c58 <+38>: mov %eax,%edi
0x00007ffff69f8c5a <+40>: lea -0x20(%rbp),%rdx
0x00007ffff69f8c5e <+44>: mov -0x30(%rbp),%rsi
0x00007ffff69f8c62 <+48>: mov -0x28(%rbp),%rax
0x00007ffff69f8c66 <+52>: mov %rdx,%rcx
0x00007ffff69f8c69 <+55>: mov %edi,%edx
0x00007ffff69f8c6b <+57>: mov %rax,%rdi
0x00007ffff69f8c6e <+60>: callq 0x7ffff69f87c4 <make_log_name_internal(char const*, char const*, int, char const*)>
0x00007ffff69f8c73 <+65>: leaveq
0x00007ffff69f8c74 <+66>: retq
End of assembler dump.
"timestr" buffer is allocated on stack at -0x20(%rbp). But also there are two slots at -0x28(%rbp) and -0x30(%rbp) which contain parameters passed to make_log_name() via %rdi and %rsi. The value at -0x28(%rbp) will be used to pass a log name to make_log_name_internal().
get_datetime_string() can corrupt one byte at -0x28(%rbp) in case it ends with 0x20 (ASCII symbol of a space) or 0x3a (ASCII symbol of a colon). In this case, make_log_name_internal() would use a wrong address.
It looks like that -0x28(%rbp) contains an address of a buffer in heap:
(gdb) x/xg $rbp-0x28
0x7ffff7fceb88: 0x00007ffff000bbf0
(gdb) x/s 0x00007ffff000bbf0
0x7ffff000bbf0: "./testGC.log"
(gdb) p $rsp
$1 = (void *) 0x7ffff7fceb80
I am not sure if it is possible that -0x28(%rbp) ends with 0x20 or 0x3a because buffer addresses are aligned. I couldn't reproduce a crash here.
So this looks like a hypothetical memory corruption which can lead to a crash or undefined behavior, but it would be better to fix it.
The following simple patch fixes the problem:
diff -r d5239fc1b697 src/share/vm/utilities/ostream.cpp
--- a/src/share/vm/utilities/ostream.cpp Thu Jan 14 12:03:32 2016 -0800
+++ b/src/share/vm/utilities/ostream.cpp Thu Jan 21 11:20:37 2016 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -376,7 +376,7 @@
char* get_datetime_string(char *buf, size_t len) {
os::local_time_string(buf, len);
int i = (int)strlen(buf);
- while (i-- >= 0) {
+ while (--i >= 0) {
if (buf[i] == ' ') buf[i] = '_';
else if (buf[i] == ':') buf[i] = '-';
}
- backported by
-
JDK-8295157 One byte may be corrupted by get_datetime_string()
-
- Resolved
-
