-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8329961: Buffer overflow in os::Linux::kernel_version #18697
Conversation
👋 Welcome back jsjolen! A progress list of the required criteria for merging this PR into |
@jdksjolen This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 507 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
@jdksjolen The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
out of bounds of the string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks you!
Yes it should be backported to jdk21u-dev and jdk22u.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, wouldn't sscanf not be simpler and safer? No need to factor out the parser. IMHO no need to even add a gtest since parsing would be really simple and not loop based. E.g.
if (sscanf(release, "%d.%d", &major, &minor) != 2) {
log_warning blabla
}
As bonus, you avoid accidental conversion from hex numbers and such that strotol provides and that we don't really want here.
Okay scratch the last sentence, since you manually specify the base, this would not be an issue. |
Hi, according to C11 standard (and my man pages) it is UB to call the scanf-family of functions with "invalid" data and Another thing: We shouldn't call |
I don't follow that. uname() is POSIX portable, while /proc/sys/kernel/osrelease is Linux specific. |
Can you point me to the relevant man page? If that were not to work, it would drastically limit the usefulness of scanf, and a lot of code in hotspot would be UB. My manpage:
Matching failures are part of the API.
I agree with @robehn, uname is Posix and portable. May also be cached inside glibc, saving us a proc fs read. |
See BUGS section: https://man7.org/linux/man-pages/man3/sscanf.3.html OK, I'm probably too paranoid regarding |
And on top of that: If we don't trust |
Okay that. Note that deprecation of numerical conversions has been hugely controversial, and it was a step taken by glibc manpage maintainers. This is just about numerical overflow. E.g. 3333333333333333333333333333333.333333333333333333333333333333 will overflow int range, and return true. Are we honestly concerned about this here? By avoiding sscanf, we swap very readable and simple-hence-safe code with manual parsing, which is both unreadable and, as this issue shows, in practice a lot unsafer than had we used sscanf to begin with.
If you are paranoid, do this:
then set v.c to 0 before calling uname. |
Aha, it's just overflow issues? Well, then let's just use |
I think it is required to be inline, though. See https://pubs.opengroup.org/onlinepubs/009695399/basedefs/sys/utsname.h.html , definition is to be an array, not a pointer:
It has to. User address space is ending at 128TB usually. :-) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
neat
Cool! Thank you for the reviews. /integrate |
Going to push as commit 279ed0d.
Your commit was automatically rebased without conflicts. |
@jdksjolen Pushed as commit 279ed0d. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
@jdksjolen are you backporting this? |
@robehn I've got PRs for it in testing: |
@robehn, thanks. I forgot about doing that. Good for me to have a try at doing that, but I'll need sponsorship. /backport jdk21u-dev |
@jdksjolen the backport was successfully created on the branch backport-jdksjolen-279ed0dd in my personal fork of openjdk/jdk21u-dev. To create a pull request with this backport targeting openjdk/jdk21u-dev:master, just click the following link: The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:
If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk21u-dev:
|
@jdksjolen the backport was successfully created on the branch backport-jdksjolen-279ed0dd in my personal fork of openjdk/jdk22u. To create a pull request with this backport targeting openjdk/jdk22u:master, just click the following link: The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:
If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk22u:
|
Hi,
There was a bug in the original implementation of
os::Linux::kernel_version
which this PR fixes. Namely, the comparisonwalker != nullptr
is wrong, the intended comparison was*walker != '\0'
orwalker[0] != '\0'
. This means that if a bad/unexpected version string is encountered thewalker
would read past the string.We fix this by applying the correct comparison and adding some basic tests.
@luhenry , @robehn. You attempted to create automatic backport branches on this in the original PR, can you check whether this fix also needs to be backported to the mentioned versions? The original PR link is this: #17889
Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/18697/head:pull/18697
$ git checkout pull/18697
Update a local copy of the PR:
$ git checkout pull/18697
$ git pull https://git.openjdk.org/jdk.git pull/18697/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 18697
View PR using the GUI difftool:
$ git pr show -t 18697
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/18697.diff
Webrev
Link to Webrev Comment