RFR: 8306561: Possible out of bounds access in print_pointer_information [v5]

Dean Long dlong at openjdk.org
Fri Oct 27 22:53:32 UTC 2023


On Fri, 27 Oct 2023 13:57:53 GMT, Thomas Obermeier <duke at openjdk.org> wrote:

>> MallocTracker::print_pointer_information in src/hotspot/share/services/mallocTracker.cpp is called to check the highest pointer address of the reserved region. To do so, it aligns the test pointer down to the next 8-byte boundary and casts this address to class MallocHeader in order to use this class's eye-catcher member _canary for validation. Method looks_valid() dereferences _canary's content. _canary has an offset of 14 bytes relative to the class. Therefore it resides outside the reserved region for the highest pointer address, which causes a segmentation violation.
>> 
>> We would expect the same error also on platforms other than AIX, as memory is read which is not allocated. Interestingly, Linux seems to allow this access for 5 times 4K above the reserved region.
>> 
>> As a solution, looks_valid() should check whether _canary's address is invalid and return false immediately.
>
> Thomas Obermeier has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update mallocHeader.inline.hpp - revert obsolete copyright change

src/hotspot/share/nmt/mallocTracker.cpp line 215:

> 213:     for (; here >= end; here -= smallest_possible_alignment) {
> 214:       // JDK-8306561: cast to a MallocHeader needs to guarantee it can reside in readable memory
> 215:       if (!os::is_readable_pointer(here) || !os::is_readable_pointer(here + sizeof(MallocHeader) - 1)) {

Would os::is_readable_range be the better choice here?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16381#discussion_r1375105235
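As an added illustration (not HotSpot's code), the following models the downward walk quoted above over a constructed address range and compares three checks: first byte only, the `_canary` field, and the whole header. The header layout is a hypothetical mirror of the report's description (16 bytes, `_canary` at offset 14), and the region base and length are made up; no real memory is touched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical mirror of the MallocHeader layout described in the report
   (16 bytes, _canary at offset 14); assumed here, not HotSpot's definition. */
typedef struct {
    uint64_t size;
    uint32_t mst_marker;
    uint8_t  mem_tag;
    uint8_t  unused;
    uint16_t canary;
} malloc_header_t;

/* Constructed reserved region: only [REGION_BASE, REGION_BASE + REGION_LEN)
   is readable. Addresses are plain integers, so nothing is dereferenced. */
#define REGION_BASE ((uintptr_t)0x7f0000001000ULL)
#define REGION_LEN  ((uintptr_t)64)
#define SMALLEST_POSSIBLE_ALIGNMENT ((uintptr_t)8)

static bool is_readable_pointer(uintptr_t p) {
    return p >= REGION_BASE && p < REGION_BASE + REGION_LEN;
}

/* Whole-range check: for a contiguous region, testing the first and the last
   byte of [p, p + n) is equivalent to testing every byte. */
static bool is_readable_range(uintptr_t p, size_t n) {
    return n != 0 && is_readable_pointer(p) && is_readable_pointer(p + n - 1);
}

typedef struct {
    int first_byte_passes;  /* candidates where only `here` itself was checked */
    int canary_readable;    /* candidates whose _canary field lies inside the region */
    int full_range_passes;  /* candidates accepted by the whole-header check */
} walk_result_t;

/* Walk downward from `start` to `end` in 8-byte steps, as the quoted loop does,
   and count what each check would let through to the MallocHeader cast. */
static walk_result_t walk_candidates(uintptr_t start, uintptr_t end) {
    walk_result_t r = {0, 0, 0};
    uintptr_t here = start & ~(SMALLEST_POSSIBLE_ALIGNMENT - 1);
    for (; here >= end; here -= SMALLEST_POSSIBLE_ALIGNMENT) {
        if (is_readable_pointer(here)) r.first_byte_passes++;
        if (is_readable_pointer(here + offsetof(malloc_header_t, canary))) r.canary_readable++;
        if (is_readable_range(here, sizeof(malloc_header_t))) r.full_range_passes++;
    }
    return r;
}
```

Starting from the highest address of the region, the first candidate passes the single-byte check but its `_canary` (and the header's last byte) fall past the region end; the range check rejects exactly that candidate.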

