From 852c26c02416d9e9056136a51f2082495540c9e6 Mon Sep 17 00:00:00 2001
From: Aleksey Shipilev
Date: Mon, 19 Jun 2023 11:57:56 +0000
Subject: [PATCH] 8279545: Buffer overrun in reverse_words of sharedRuntime_x86_64.cpp:3517
Backport-of: 35734ad0805b9ecaf6eb72a4b1513b8de53ed72c
---
 src/hotspot/cpu/ppc/sharedRuntime_ppc.cpp | 8 +++++---
 src/hotspot/cpu/s390/sharedRuntime_s390.cpp | 8 +++++---
 src/hotspot/cpu/x86/sharedRuntime_x86_64.cpp | 8 +++++---
 3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/src/hotspot/cpu/ppc/sharedRuntime_ppc.cpp b/src/hotspot/cpu/ppc/sharedRuntime_ppc.cpp
index 94869ae7ca2..b53a4ba3ab3 100644
--- a/src/hotspot/cpu/ppc/sharedRuntime_ppc.cpp
+++ b/src/hotspot/cpu/ppc/sharedRuntime_ppc.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2012, 2021 SAP SE. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
@@ -3390,8 +3390,9 @@ void SharedRuntime::montgomery_multiply(jint *a_ints, jint *b_ints, jint *n_ints
 // Make very sure we don't use so much space that the stack might
 // overflow. 512 jints corresponds to an 16384-bit integer and
 // will use here a total of 8k bytes of stack space.
+ int divisor = sizeof(unsigned long) * 4;
+ guarantee(longwords <= 8192 / divisor, "must be");
 int total_allocation = longwords * sizeof (unsigned long) * 4;
- guarantee(total_allocation <= 8192, "must be");
 unsigned long *scratch = (unsigned long *)alloca(total_allocation);

 // Local scratch arrays
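Review bot: The new guard in montgomery_multiply bounds `longwords` only from above, so if `longwords` is a signed int (its declaration is outside the hunk) a negative value still satisfies `longwords <= 8192 / divisor` and then flows into `total_allocation` and `alloca`. I would check both ends, `guarantee(longwords >= 0 && longwords <= 8192 / divisor, "must be");`, or add a comment next to the guarantee naming the caller-side check that rules out a negative length. The same applies to the montgomery_square hunk in this file and to both hunks in sharedRuntime_s390.cpp and sharedRuntime_x86_64.cpp. The function body starts and ends outside the hunk.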
@@ -3420,8 +3421,9 @@ void SharedRuntime::montgomery_square(jint *a_ints, jint *n_ints,
 // Make very sure we don't use so much space that the stack might
 // overflow. 512 jints corresponds to an 16384-bit integer and
 // will use here a total of 6k bytes of stack space.
+ int divisor = sizeof(unsigned long) * 3;
+ guarantee(longwords <= (8192 / divisor), "must be");
 int total_allocation = longwords * sizeof (unsigned long) * 3;
- guarantee(total_allocation <= 8192, "must be");
 unsigned long *scratch = (unsigned long *)alloca(total_allocation);

 // Local scratch arrays
diff --git a/src/hotspot/cpu/s390/sharedRuntime_s390.cpp b/src/hotspot/cpu/s390/sharedRuntime_s390.cpp
index 95facb3a2ef..1c6c1713c77 100644
--- a/src/hotspot/cpu/s390/sharedRuntime_s390.cpp
+++ b/src/hotspot/cpu/s390/sharedRuntime_s390.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2016, 2019 SAP SE. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
@@ -3409,8 +3409,9 @@ void SharedRuntime::montgomery_multiply(jint *a_ints, jint *b_ints, jint *n_ints
 // Make very sure we don't use so much space that the stack might
 // overflow. 512 jints corresponds to an 16384-bit integer and
 // will use here a total of 8k bytes of stack space.
+ int divisor = sizeof(unsigned long) * 4;
+ guarantee(longwords <= 8192 / divisor, "must be");
 int total_allocation = longwords * sizeof (unsigned long) * 4;
- guarantee(total_allocation <= 8192, "must be");
 unsigned long *scratch = (unsigned long *)alloca(total_allocation);

 // Local scratch arrays
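Review bot: In montgomery_square of sharedRuntime_ppc.cpp the size factor is spelled twice, once in `divisor` and again in `total_allocation`, so the guard and the alloca size can drift apart if only one is edited; `int total_allocation = longwords * divisor;` would keep them tied together. The comment above still quotes 6k bytes while the guarantee admits up to `8192 / divisor` longwords, so the comment should say that 8192 bytes is the enforced cap. The same holds for the montgomery_square hunks in sharedRuntime_s390.cpp and sharedRuntime_x86_64.cpp, and the duplicated factor also for the three montgomery_multiply hunks.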
@@ -3439,8 +3440,9 @@ void SharedRuntime::montgomery_square(jint *a_ints, jint *n_ints,
 // Make very sure we don't use so much space that the stack might
 // overflow. 512 jints corresponds to an 16384-bit integer and
 // will use here a total of 6k bytes of stack space.
+ int divisor = sizeof(unsigned long) * 3;
+ guarantee(longwords <= (8192 / divisor), "must be");
 int total_allocation = longwords * sizeof (unsigned long) * 3;
- guarantee(total_allocation <= 8192, "must be");
 unsigned long *scratch = (unsigned long *)alloca(total_allocation);

 // Local scratch arrays
diff --git a/src/hotspot/cpu/x86/sharedRuntime_x86_64.cpp b/src/hotspot/cpu/x86/sharedRuntime_x86_64.cpp
index 768f2dabdd3..a92e7373fc0 100644
--- a/src/hotspot/cpu/x86/sharedRuntime_x86_64.cpp
+++ b/src/hotspot/cpu/x86/sharedRuntime_x86_64.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -3714,8 +3714,9 @@ void SharedRuntime::montgomery_multiply(jint *a_ints, jint *b_ints, jint *n_ints
 // Make very sure we don't use so much space that the stack might
 // overflow. 512 jints corresponds to an 16384-bit integer and
 // will use here a total of 8k bytes of stack space.
+ int divisor = sizeof(julong) * 4;
+ guarantee(longwords <= 8192 / divisor, "must be");
 int total_allocation = longwords * sizeof (julong) * 4;
- guarantee(total_allocation <= 8192, "must be");
 julong *scratch = (julong *)alloca(total_allocation);

 // Local scratch arrays
@@ -3743,8 +3744,9 @@ void SharedRuntime::montgomery_square(jint *a_ints, jint *n_ints,
 // Make very sure we don't use so much space that the stack might
 // overflow. 512 jints corresponds to an 16384-bit integer and
 // will use here a total of 6k bytes of stack space.
+ int divisor = sizeof(julong) * 3;
+ guarantee(longwords <= (8192 / divisor), "must be");
 int total_allocation = longwords * sizeof (julong) * 3;
- guarantee(total_allocation <= 8192, "must be");
 julong *scratch = (julong *)alloca(total_allocation);

 // Local scratch arrays