RFR: 8u: 8076475: Misuses of strncpy/strncat

Andrew Hughes gnu.andrew at redhat.com
Wed Apr 1 17:54:28 UTC 2020



On 01/04/2020 11:55, Andrew Haley wrote:
> http://cr.openjdk.java.net/~aph/8076475-8u/
> 
> Original bug: https://bugs.openjdk.java.net/browse/JDK-8076475
> Original patch: http://hg.openjdk.java.net/jdk9/jdk9/hotspot/rev/4cf3113c8f42
> 
> In a couple of places the original patch didn't apply because the code
> being patched was not there yet. Other places required some minor
> adjustments.

Looking at the places where this differs from the OpenJDK 9 version:

* src/share/vm/compiler/compilerOracle.cpp
  - This hunk is missing because JDK-8059847 (double support for
command-line arguments) is absent. I backported this myself as a
pre-requisite for this patch [0], as it seemed trivial enough and avoids
someone missing the strncat change if JDK-8059847 is later backported,
but it's certainly optional.

* src/share/vm/runtime/arguments.cpp
  - The two missing hunks here were handled by a security fix,
JDK-815968, in the Oct 2016 CPU. If we're going to introduce
os::strdup_check_oom (see below), we might want to consider whether to
change the first case (if pos != NULL) to match the JDK-8076475 version.

* src/share/vm/utilities/ostream.cpp
  - The missing hunk was added by JDK-8196882: "VS2017 Hotspot Defined
vsnprintf Function Causes C2084 Already Defined Compilation Error".
* src/share/vm/runtime/os.{c,h}pp
  If we're going to add strdup_check_oom, I think this should be done by
backporting JDK-6424123 [1] so it's used consistently throughout the
codebase rather than just the two call sites in this patch. As I've
already backported this, I'm happy to submit this against current 8u-dev
and then you can rebase against this.

> 
> OK, I'll be honest, I'm not completely convinced that this is really a
> suitable patch to be backported to stable 8u. Maybe as a maintainer
> I'll reject it. But I've done it now, so I'd be grateful for a review.
> 

I tend towards including this. The fact that part of it was already
picked up by a security fix suggests it's a useful hardening of this
code and it's been around since 2015, so is pretty well tested.
Similarly, JDK-6224123 dates back to 2014.

[0]
http://icedtea.classpath.org//hg/icedtea8-forest/hotspot?cmd=changeset;node=f8beb13aec9f
[1]
http://icedtea.classpath.org//hg/icedtea8-forest/hotspot?cmd=changeset;node=cfb34db6589e

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
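
The class of strncpy/strncat misuse named in the subject line, as an added example that is not part of the original message or of the JDK patch. All helper names are hypothetical; dup_or_abort only illustrates the abort-on-allocation-failure behaviour that the name strdup_check_oom suggests, which is an assumption here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pitfall 1: strncpy() writes no NUL when strlen(src) >= n.
   Returns 1 if an 8-byte buffer ends up NUL-terminated, 0 if not. */
static int strncpy_terminates(const char *src) {
    char buf[8];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Bounded copy that always terminates. Returns 0, or -1 if src was truncated. */
static int copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0) return -1;
    size_t k = n < cap ? n : cap - 1;
    memcpy(dst, src, k);
    dst[k] = '\0';
    return n < cap ? 0 : -1;
}

/* Pitfall 2: strncat()'s third argument is the maximum number of bytes to
   append, not the size of dst, so pass the remaining room minus the NUL. */
static int append_bounded(char *dst, size_t cap, const char *src) {
    const char *end = memchr(dst, '\0', cap);
    if (end == NULL) return -1;               /* dst is not a terminated string */
    size_t room = cap - (size_t)(end - dst) - 1;
    strncat(dst, src, room);
    return strlen(src) <= room ? 0 : -1;      /* -1 reports truncation */
}

/* Duplicate a string, aborting instead of returning NULL on allocation failure. */
static char *dup_or_abort(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL) { fputs("out of memory\n", stderr); abort(); }
    memcpy(p, s, n);
    return p;
}

int main(void) {
    char opt[16];                             /* constructed sample input below */
    printf("%d %d\n", strncpy_terminates("short"), strncpy_terminates("12345678"));
    printf("%d ", copy_bounded(opt, sizeof opt, "-XX:Flags="));
    printf("%d %s\n", append_bounded(opt, sizeof opt, ".hotspotrc"), opt);
    free(dup_or_abort(opt));
    return 0;
}
```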


