RFR: 8306561: Possible out of bounds access in print_pointer_information [v4]
Thomas Stuefe
stuefe at openjdk.org
Fri Oct 27 12:51:37 UTC 2023
On Fri, 27 Oct 2023 12:44:49 GMT, Thomas Obermeier <duke at openjdk.org> wrote:
>> MallocTracker::print_pointer_information in src/hotspot/share/services/mallocTracker.cpp is called to check the highest pointer address of the reserved region. To do so it aligns the test pointer down to the next 8 Byte boundary and casts this address to class MallocHeader in order to use this classes eye-catcher member _canary for validation. Method looks_valid() dereferences _canary's content. _canary has an offset of 14 bytes relative to the class. Therefore it resides outside the reserved region for the highest pointer address, which causes a segmentation violation.
>>
>> We would expect the same error also for other platforms than AIX as memory is read, which is not allocated. Interestingly, Linux seems to allow this access for 5 times 4K above the reserved region.
>>
>> As a solution, looks_valid() should check _canary's address as being invalid, and return false immediately.
>
> Thomas Obermeier has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains five additional commits since the last revision:
>
> - Merge remote-tracking branch 'origin/master' into JDK-8306561
> - 8306561: forgot to remove include at revert
> - 8306561: move solution to caller
> - 8306561: copyright and problem listing
> - JDK-8306561: test canary
Okay (if tests are green).
-------------
Marked as reviewed by stuefe (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/16381#pullrequestreview-1701715239
More information about the hotspot-dev
mailing list