MessageUtils JVM crash
Alan Bateman
Alan.Bateman at Sun.COM
Wed Jun 17 08:11:28 UTC 2009
Marc Schoenefeld wrote:
> Hi,
>
> originally I wrote a fuzzing tool to test all native functions in jdk131
> , then gave a list of the results to the Sun representatives at RSA
> conference 2003.
> Unfortunately I never received any reaction to this bug report, nor were
> the bugs fixed. So I put the bugs in a drawer, but used the chance to
> write a fix
> for OpenJDK.
>
> Setting the parameter to null could allow an attacker to conduct denial
> of service attacks:
> -
> http://www.blackhat.com/presentations/win-usa-03/bh-win-03-schoenfeld.pdf
> or
> - http://seclists.org/bugtraq/2003/Sep/0270.html
>
I wasn't at the RSA conference in 2003 so it wasn't me :-) It may be
that the attacks involved calling sun.* APIs directly, something that
you can't do if there is a security manager. The XSLT issue is more
significant and I'm pretty sure that specific issue was fixed a few
years ago.
As regards sun.misc.MessageUtils, I don't see any problem fixing this. I
notice the return from NewStringUTF isn't checked. Unfortunately this
(very old) code is also missing checks for the calls to GetStringChars
and malloc. Also, I assume that the additional \0 isn't needed.
-Alan.
More information about the core-libs-dev
mailing list