Security fixes in b19 - Re: hg: jdk6/jdk6/jdk: 23 new changesets
Andrew John Hughes
ahughes at redhat.com
Tue Apr 6 18:14:50 PDT 2010
On 7 April 2010 00:13, Joe Darcy <joe.darcy at oracle.com> wrote:
> Sean,
>
> Please have a look at this fix proposed by Andrew to address a crash in rmid
> in OpenJDK 6. Looking at the changes to SharedSecrets, your fix for 6633872
> "Policy/PolicyFile leak dynamic ProtectionDomains." when applied to OpenJDK
> 6 looks like the proximal cause of the crash.
>
Just to go into a little more detail on what I said below. Each
existing accessor in that class does an explicit class initialisation
beforehand to protect against the null pointer exception which may
occur if the class has not been initialised and the reference set.
Looking at the new addition in context, it is a clear odd-one-out and
would have benefited from being simply copied from one of the
existing accessors rather than written afresh.
Perhaps the reason this slipped through the net is that it performs
fine on OpenJDK7 (and may thus also do so on the proprietary JDKs).
It's currently a matter of luck as to which class gets initialised
first. Applying the fix below ensures the dependent class is
initialised explicitly.
> Thanks,
>
> -Joe
>
> On 04/06/10 01:34 PM, Andrew John Hughes wrote:
>
> On 6 April 2010 18:08, Joe Darcy <joe.darcy at oracle.com> wrote:
>
>
> Andrew John Hughes wrote:
>
>
> On 6 April 2010 17:34, Joe Darcy <joe.darcy at oracle.com> wrote:
>
>
>
> Andrew John Hughes wrote:
>
>
>
> On 31 March 2010 00:52, Andrew John Hughes <ahughes at redhat.com> wrote:
>
>
>
>
> On 31 March 2010 00:46, Joe Darcy <joe.darcy at oracle.com> wrote:
>
>
>
>
> The latest round of security fixes are now in the OpenJDK 6 master
> repositories.
>
>
>
>
>
> And IcedTea6 1.6, 1.7, 1.8, HEAD and IcedTea7 :-)
>
>
>
>
>
> Joe, where are the fixes for the HotSpot tree? See top of
> http://hg.openjdk.java.net/icedtea/jdk7/hotspot
>
>
>
>
>
> This time around, all the security fixes were in the jdk repository.
>
> -Joe
>
>
>
>
> Err... no they weren't...
>
> 6626217: Loader-constraint table allows arrays instead of only the
> base-classes (CVE-2010-0082)
> 6892265: System.arraycopy unable to reference elements beyond
> Integer.MAX_VALUE bytes (CVE-2010-0093)
> 6894807: No ClassCastException for HashAttributeSet constructors if
> run with -Xcomp (CVE-2010-0845)
>
> and
>
> 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
>
> due to a breakage caused by one of the above.
>
>
>
> Hmm, let me check into that...
>
> -Joe
>
>
>
> There's also a fix missing that we had to apply locally in IcedTea6.
> With current OpenJDK6 hg, rmid crashes:
>
> $ /home/andrew/build/icedtea6-hg/bin/rmid
> Activation.main: an exception occurred: java.lang.NullPointerException
> java.lang.NullPointerException
> at sun.security.provider.PolicyFile$PolicyInfo.<init>(PolicyFile.java:2491)
> at sun.security.provider.PolicyFile.init(PolicyFile.java:468)
> at sun.security.provider.PolicyFile.<init>(PolicyFile.java:327)
> at java.security.Policy.getPolicyNoCheck(Policy.java:189)
> at java.security.Policy.getPolicy(Policy.java:152)
> at sun.rmi.server.Activation$DefaultExecPolicy$1.run(Activation.java:1823)
> at sun.rmi.server.Activation$DefaultExecPolicy$1.run(Activation.java:1821)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.server.Activation$DefaultExecPolicy.checkConfiguration(Activation.java:1820)
>
> The fix is simple:
>
> diff -r fd831ae629ff src/share/classes/sun/misc/SharedSecrets.java
> --- a/src/share/classes/sun/misc/SharedSecrets.java Tue Apr 06
> 11:57:39 2010 +0100
> +++ b/src/share/classes/sun/misc/SharedSecrets.java Tue Apr 06
> 21:30:03 2010 +0100
> @@ -29,6 +29,7 @@
> import java.io.Console;
> import java.io.File;
> import java.io.FileDescriptor;
> +import java.security.ProtectionDomain;
>
> /** A repository of "shared secrets", which are a mechanism for
> calling implementation-private methods in another package without
> @@ -118,6 +119,9 @@
>
> public static JavaSecurityProtectionDomainAccess
> getJavaSecurityProtectionDomainAccess() {
> - return javaSecurityProtectionDomainAccess;
> + if (javaSecurityProtectionDomainAccess == null)
> + unsafe.ensureClassInitialized(ProtectionDomain.class);
> +
> + return javaSecurityProtectionDomainAccess;
> }
> }
>
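Review bot: the guard added in getJavaSecurityProtectionDomainAccess() has no comment saying why initialising ProtectionDomain fills javaSecurityProtectionDomainAccess; a one-line comment stating that ProtectionDomain's class initialisation sets this reference would make the dependency visible to the next reader. The unbraced two-line `if` sits directly above the unconditional return and is easy to misread, so bracing it would be clearer. A regression test that calls this accessor before anything else has touched ProtectionDomain would pin down the rmid NullPointerException shown in the trace above.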
> This ensures the class is initialized, making that SharedSecrets
> accessor like all the others.
>
> Can I have a bug ID to push this?
>
>
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
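
The initialisation-order problem discussed in this message, as an added stand-alone illustration (not code from the original message or from OpenJDK). The class names InitOrderDemo, Secrets, Domain and DomainAccess are hypothetical, and Class.forName(..., true, ...) is used as a stand-in for the unsafe.ensureClassInitialized() call in the patch.

```java
// Added illustration; every class name here is a hypothetical stand-in.
public class InitOrderDemo {
    interface DomainAccess { String describe(); }

    // Plays the role of SharedSecrets: holds a reference that another
    // class registers from its static initialiser.
    static class Secrets {
        private static DomainAccess domainAccess;

        static void setDomainAccess(DomainAccess a) { domainAccess = a; }

        // Shape of the accessor before the fix: returns whatever is there.
        static DomainAccess getDomainAccessUnchecked() { return domainAccess; }

        // Shape of the accessor after the fix: force initialisation of the
        // registering class before handing the reference out.
        static DomainAccess getDomainAccess() {
            if (domainAccess == null) {
                try {
                    // A class literal alone does not initialise the class;
                    // forName with initialize=true does.
                    Class.forName(Domain.class.getName(), true,
                                  Secrets.class.getClassLoader());
                } catch (ClassNotFoundException e) {
                    throw new AssertionError(e);
                }
            }
            return domainAccess;
        }
    }

    // Plays the role of ProtectionDomain: registers itself when initialised.
    static class Domain {
        static {
            Secrets.setDomainAccess(() -> "registered by Domain's static initialiser");
        }
    }

    public static void main(String[] args) {
        // Nothing has initialised Domain yet, so the field is still unset here.
        System.out.println("unchecked: " + Secrets.getDomainAccessUnchecked());
        // The guarded accessor initialises Domain first, then returns the object.
        System.out.println("guarded:   " + Secrets.getDomainAccess().describe());
    }
}
```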