8334169: Long arguments of attach operation are silently truncated on Windows

Alex Menkov · Alex Menkov · commit a60608e7a35a · 2024-07-16T18:10:47.000Z
Reviewed-by: sspitsyn, cjplummer
diff --git a/src/jdk.attach/windows/native/libattach/VirtualMachineImpl.c b/src/jdk.attach/windows/native/libattach/VirtualMachineImpl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -54,8 +54,8 @@ typedef jint (WINAPI* EnqueueOperationFunc)
 static HANDLE
 doPrivilegedOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
 
-/* convert jstring to C string */
-static void jstring_to_cstring(JNIEnv* env, jstring jstr, char* cstr, int len);
+/* Converts jstring to C string, returns JNI_FALSE if the string has been truncated. */
+static jboolean jstring_to_cstring(JNIEnv* env, jstring jstr, char* cstr, size_t cstr_buf_size);
 
 
 /*
@@ -75,9 +75,9 @@ typedef struct {
    char jvmLib[MAX_LIBNAME_LENGTH];         /* "jvm.dll" */
    char func1[MAX_FUNC_LENGTH];
    char func2[MAX_FUNC_LENGTH];
-   char cmd[MAX_CMD_LENGTH];                /* "load", "dump", ...      */
-   char arg[MAX_ARGS][MAX_ARG_LENGTH];      /* arguments to command     */
-   char pipename[MAX_PIPE_NAME_LENGTH];
+   char cmd[MAX_CMD_LENGTH + 1];            /* "load", "dump", ...      */
+   char arg[MAX_ARGS][MAX_ARG_LENGTH + 1];  /* arguments to command     */
+   char pipename[MAX_PIPE_NAME_LENGTH + 1];
 } DataBlock;
 
 /*
@@ -377,7 +377,6 @@ JNIEXPORT jint JNICALL Java_sun_tools_attach_VirtualMachineImpl_readPipe
     return (jint)nread;
 }
 
-
 /*
  * Class:     sun_tools_attach_VirtualMachineImpl
  * Method:    enqueue
@@ -410,7 +409,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_enqueue
     /*
      * Command and arguments
      */
-    jstring_to_cstring(env, cmd, data.cmd, MAX_CMD_LENGTH);
+    if (!jstring_to_cstring(env, cmd, data.cmd, sizeof(data.cmd))) {
+        JNU_ThrowByName(env, "com/sun/tools/attach/AttachOperationFailedException",
+                        "command is too long");
+        return;
+    }
     argsLen = (*env)->GetArrayLength(env, args);
 
     if (argsLen > 0) {
@@ -423,7 +426,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_enqueue
             if (obj == NULL) {
                 data.arg[i][0] = '\0';
             } else {
-                jstring_to_cstring(env, obj, data.arg[i], MAX_ARG_LENGTH);
+                if (!jstring_to_cstring(env, obj, data.arg[i], sizeof(data.arg[i]))) {
+                    JNU_ThrowByName(env, "com/sun/tools/attach/AttachOperationFailedException",
+                                    "argument is too long");
+                    return;
+                }
             }
             if ((*env)->ExceptionOccurred(env)) return;
         }
@@ -433,7 +440,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_enqueue
     }
 
     /* pipe name */
-    jstring_to_cstring(env, pipename, data.pipename, MAX_PIPE_NAME_LENGTH);
+    if (!jstring_to_cstring(env, pipename, data.pipename, sizeof(data.pipename))) {
+        JNU_ThrowByName(env, "com/sun/tools/attach/AttachOperationFailedException",
+                        "pipe name is too long");
+        return;
+    }
 
     /*
      * Allocate memory in target process for data and code stub
@@ -615,21 +626,28 @@ doPrivilegedOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProc
     return hProcess;
 }
 
-/* convert jstring to C string */
-static void jstring_to_cstring(JNIEnv* env, jstring jstr, char* cstr, int len) {
+/* Converts jstring to C string, returns JNI_FALSE if the string has been truncated. */
+static jboolean jstring_to_cstring(JNIEnv* env, jstring jstr, char* cstr, size_t cstr_buf_size) {
     jboolean isCopy;
     const char* str;
+    jboolean result = JNI_TRUE;
 
     if (jstr == NULL) {
         cstr[0] = '\0';
     } else {
         str = JNU_GetStringPlatformChars(env, jstr, &isCopy);
-        if ((*env)->ExceptionOccurred(env)) return;
+        if ((*env)->ExceptionOccurred(env)) {
+            return result;
+        }
+        if (strlen(str) >= cstr_buf_size) {
+            result = JNI_FALSE;
+        }
 
-        strncpy(cstr, str, len);
-        cstr[len-1] = '\0';
+        strncpy(cstr, str, cstr_buf_size);
+        cstr[cstr_buf_size - 1] = '\0';
         if (isCopy) {
             JNU_ReleaseStringPlatformChars(env, jstr, str);
         }
     }
+    return result;
 }
diff --git a/test/hotspot/jtreg/serviceability/attach/LongArgTest.java b/test/hotspot/jtreg/serviceability/attach/LongArgTest.java
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @summary Tests that long arguments of attach operation are not truncated
+ * @bug 8334168
+ * @library /test/lib
+ * @modules jdk.attach/sun.tools.attach
+ * @run main LongArgTest
+ */
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.io.InputStream;
+import java.io.IOException;
+
+import com.sun.tools.attach.VirtualMachine;
+import sun.tools.attach.HotSpotVirtualMachine;
+
+import jdk.test.lib.apps.LingeredApp;
+
+public class LongArgTest {
+
+    // current restriction: max arg size is 1024
+    private static int MAX_ARG_SIZE = 1024;
+
+    public static void main(String[] args) throws Exception {
+        LingeredApp app = null;
+        try {
+            app = LingeredApp.startApp();
+
+            // sanity
+            test(app)
+                .mustSucceed()
+                .run();
+
+            test(app)
+                .valueLength(MAX_ARG_SIZE)
+                .mustSucceed()
+                .run();
+
+            test(app)
+                .valueLength(MAX_ARG_SIZE + 1)
+                .run();
+
+            // more than max args (3) with MAX_ARG_SIZE
+            test(app)
+                .valueLength(3 * MAX_ARG_SIZE + 1)
+                .run();
+
+        } finally {
+            LingeredApp.stopApp(app);
+        }
+    }
+
+    private static Test test(LingeredApp app) {
+        return new Test(app);
+    }
+
+    // For simplicity, the test uses internal HotSpotVirtualMachine,
+    // sets/gets "HeapDumpPath" flag value (string flag, not validated by JVM).
+    private static class Test {
+        private LingeredApp app;
+        private String flagName = "HeapDumpPath";
+        private String flagValue = generateValue(5);
+        private boolean setFlagMustSucceed = false;
+
+        Test(LingeredApp app) {
+            this.app = app;
+        }
+
+        Test valueLength(int len) {
+            flagValue = generateValue(len);
+            return this;
+        }
+
+        Test mustSucceed() {
+            setFlagMustSucceed = true;
+            return this;
+        }
+
+        void run() throws Exception {
+            System.out.println("======== Start ========");
+            System.out.println("Arg size = " + flagValue.length());
+
+            HotSpotVirtualMachine vm = (HotSpotVirtualMachine)VirtualMachine.attach(String.valueOf(app.getPid()));
+
+            if (setFlag(vm)) {
+                String actualValue = getFlag(vm);
+
+                if (!flagValue.equals(actualValue)) {
+                    String msg = "Actual value is different: ";
+                    if (actualValue == null) {
+                        msg += "null";
+                    } else if (flagValue.startsWith(actualValue)) {
+                        msg += "truncated from " + flagValue.length() + " to " + actualValue.length();
+                    } else {
+                        msg += actualValue + ", expected value: " + flagValue;
+                    }
+                    System.out.println(msg);
+                    vm.detach();
+                    throw new RuntimeException(msg);
+                } else {
+                    System.out.println("Actual value matches: " + actualValue);
+                }
+            }
+
+            vm.detach();
+
+            System.out.println("======== End ========");
+            System.out.println();
+        }
+
+        // Sets the flag value, return true on success.
+        private boolean setFlag(HotSpotVirtualMachine vm) throws Exception {
+            BufferedReader replyReader = null;
+            try {
+                replyReader = new BufferedReader(new InputStreamReader(
+                    vm.setFlag(flagName, flagValue)));
+            } catch (IOException ex) {
+                if (setFlagMustSucceed) {
+                    throw ex;
+                }
+                System.out.println("OK: setFlag() thrown exception:");
+                ex.printStackTrace(System.out);
+                return false;
+            }
+
+            String line;
+            while ((line = replyReader.readLine()) != null) {
+                System.out.println("setFlag: " + line);
+            }
+            replyReader.close();
+            return true;
+        }
+
+        private String getFlag(HotSpotVirtualMachine vm) throws Exception {
+            // Then read and make sure we get back the same value.
+            BufferedReader replyReader = new BufferedReader(new InputStreamReader(vm.printFlag(flagName)));
+
+            String prefix = "-XX:" + flagName + "=";
+            String value = null;
+            String line;
+            while((line = replyReader.readLine()) != null) {
+                System.out.println("getFlag: " + line);
+                if (line.startsWith(prefix)) {
+                    value = line.substring(prefix.length());
+                }
+            }
+            return value;
+        }
+
+        private String generateValue(int len) {
+            return "X" + "A".repeat(len - 2) + "X";
+        }
+    }
+
+}
