[jdk21u-dev] RFR: 8330611: AES-CTR vector intrinsic may read out of bounds (x86_64, AVX-512)

Charles Connell duke at openjdk.org
Sat Apr 27 15:46:05 UTC 2024


On Sat, 27 Apr 2024 02:01:19 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> Hi @martinuy, please do the 22 backport first. Also, to me, this seems a quite risky fix to backport right after pushing to head. Could we wait for the October release?
> 
> With the review done for the main line patch and the testing done for both main line and jdk21u, I think that the risk has been reasonably addressed. There is time until the next release for further testing if it goes in now. The other side of the story is that if the bug conditions are met, a jdk21u JVM will crash with a segmentation fault. While there is a workaround (-XX:-UseAESCTRIntrinsics), the bug does not happen consistently enough and is hard to troubleshoot. @charlesconnell you may want to give some input on how this bug affects you.

Thanks @martinuy. At Hubspot we store most of our data in HBase. We continually replicate HBase's write-ahead-log to S3 as a backup mechanism. We also do full backups daily or weekly. All of this requires pulling all the data out of HBase/Hadoop over Kerberos connections, which we configure to use encryption with cipher suite `AES/CTR/NoPadding`. We see dozens of these crashes per day in our write-ahead-log persister tool, although that is mostly harmless to us. More impactfully, we have been forced to run the full backups on aarch64 machines, because they could not complete successfully on x86_64 machines, because of this bug. In other words, given enough AES traffic, this bug is not rare.

I suspect that there are not many other organizations with this same combination of circumstances (lots of data in Hadoop, accessed frequently with Kerberos + `AES/CTR/NoPadding`), but if there are, I imagine they are experiencing the same problems.

-------------

PR Comment: https://git.openjdk.org/jdk21u-dev/pull/531#issuecomment-2080934960

