RFR: 8306561: Possible out of bounds access in print_pointer_information [v6]
Thomas Obermeier
duke at openjdk.org
Tue Oct 31 17:27:57 UTC 2023
> MallocTracker::print_pointer_information in src/hotspot/share/services/mallocTracker.cpp is called to check the highest pointer address of the reserved region. To do so it aligns the test pointer down to the next 8-byte boundary and casts this address to class MallocHeader in order to use this class's eye-catcher member _canary for validation. The method looks_valid() dereferences _canary's content. _canary has an offset of 14 bytes relative to the class. Therefore it resides outside the reserved region for the highest pointer address, which causes a segmentation violation.
>
> We would expect the same error on platforms other than AIX as well, since memory is read that is not allocated. Interestingly, Linux seems to allow this access for 5 times 4K above the reserved region.
>
> As a solution, looks_valid() should check whether _canary's address is invalid, and return false immediately.
Thomas Obermeier has updated the pull request incrementally with two additional commits since the last revision:
- Merge branch 'JDK-8306561' of https://github.com/TOatGithub/jdk into JDK-8306561
- 8306561: test range instead of endpoints before casting
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/16381/files
- new: https://git.openjdk.org/jdk/pull/16381/files/c831830d..60d46df2
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=16381&range=05
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=16381&range=04-05
Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
Patch: https://git.openjdk.org/jdk/pull/16381.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/16381/head:pull/16381
PR: https://git.openjdk.org/jdk/pull/16381
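To make the failure mode in the quoted description concrete, the following is an added, self-contained example (not code from the PR or from HotSpot): a stand-in header type `DemoHeader` with a 2-byte canary at offset 14, a simulated reserved region backed by a 64-byte aligned buffer, and two lookups. `endpoint_check_overrun` models the original logic (align down, check only that the aligned address is below the region end) and reports, without dereferencing anything, how many bytes a read of the canary would extend past the region. `looks_valid_range_checked` models the approach of the latest commit, "test range instead of endpoints before casting": the whole header range must lie inside the region before the pointer is cast and the canary is read. All names, the field layout and the canary value are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for a malloc-tracking header (assumed layout, not
// HotSpot's real MallocHeader). The point that matters: the 2-byte canary
// sits at offset 14, so reading it touches bytes 14 and 15 past the header start.
struct DemoHeader {
  uint64_t size;     // bytes 0..7
  uint32_t marker;   // bytes 8..11
  uint8_t  flags;    // byte 12
  uint8_t  unused;   // byte 13
  uint16_t canary;   // bytes 14..15
};
static_assert(offsetof(DemoHeader, canary) == 14, "canary must sit at offset 14");
static_assert(sizeof(DemoHeader) == 16, "header is 16 bytes");

static const uint16_t kCanary = 0xE62A;   // constructed eye-catcher value

// Simulated reserved region [base, base + len). In the real bug this is a
// reserved address range; here it is a static buffer so the example runs anywhere.
struct Region {
  uintptr_t base;
  size_t    len;
};

alignas(8) static unsigned char g_buf[64];   // constructed backing memory

// Build the region with one valid header at offset 0 and zeroes elsewhere.
static Region demo_region() {
  std::memset(g_buf, 0, sizeof g_buf);
  DemoHeader h{};
  h.size = 24;
  h.marker = 0x4D414C43;
  h.flags = 1;
  h.canary = kCanary;
  std::memcpy(g_buf, &h, sizeof h);
  return Region{reinterpret_cast<uintptr_t>(g_buf), sizeof g_buf};
}

static inline uintptr_t align_down8(uintptr_t p) { return p & ~static_cast<uintptr_t>(7); }

// True iff the whole byte range [p, p + n) lies inside the region (overflow-safe).
static bool range_in_region(const Region& r, uintptr_t p, size_t n) {
  return p >= r.base && n <= r.len && p <= r.base + r.len - n;
}

// Original-style endpoint check: only the aligned address is tested against the
// region end, then the canary at +14 would be read. Returns how many bytes that
// read would extend past the region end (0 = the read stays in bounds or is rejected).
static size_t endpoint_check_overrun(const Region& r, uintptr_t p) {
  uintptr_t h = align_down8(p);
  if (h < r.base || h >= r.base + r.len) return 0;   // rejected, nothing read
  uintptr_t read_end   = h + offsetof(DemoHeader, canary) + sizeof(uint16_t);
  uintptr_t region_end = r.base + r.len;
  return read_end > region_end ? static_cast<size_t>(read_end - region_end) : 0;
}

// Range-checked variant: the full header must fit in the region before the
// cast; only then is the canary compared.
static bool looks_valid_range_checked(const Region& r, uintptr_t p) {
  uintptr_t h = align_down8(p);
  if (!range_in_region(r, h, sizeof(DemoHeader))) return false;
  const DemoHeader* hdr = reinterpret_cast<const DemoHeader*>(h);
  return hdr->canary == kCanary;   // safe: bytes 14..15 are inside the region
}

int main() {
  Region r = demo_region();
  uintptr_t highest = r.base + r.len - 1;   // the highest address of the region
  std::printf("endpoint check would read %zu bytes past the end\n",
              endpoint_check_overrun(r, highest));
  std::printf("range-checked lookup at highest address: %s\n",
              looks_valid_range_checked(r, highest) ? "valid" : "rejected");
  std::printf("range-checked lookup at base+3: %s\n",
              looks_valid_range_checked(r, r.base + 3) ? "valid" : "rejected");
  return 0;
}
```

For the highest address the aligned candidate header starts 8 bytes before the region end, so the endpoint-only check accepts it and the canary read lands 8 bytes past the end; the range check rejects the same candidate before any cast happens, while a pointer into the genuine header at the region base still validates.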
More information about the hotspot-dev mailing list