RFR 8216597: SIGBUS in Java_sun_security_pkcs11_wrapper_PKCS11_getNativeKeyInfo after JDK-6913047
Martin Balao
mbalao at redhat.com
Mon Jan 14 18:49:13 UTC 2019
Hi,
After integrating JDK-6913047 [0] [1], a bug affecting Solaris SPARC was
found. See JDK-8216597 [2] for further details.
This bug has been likely caused by an unaligned memory access.
jdk-submit repo tests passed before integrating so it was not noticed.
There are a few direct memory accesses when loading attribute values
(obtained from the 1st query) to the info array buffer, pointed by
nativeKeyInfoArrayRawCkAttributesPtr:
(*(CK_ATTRIBUTE_PTR)nativeKeyInfoArrayRawCkAttributesPtr).type =
(ckpAttributes+i)->type;
(*(CK_ATTRIBUTE_PTR)nativeKeyInfoArrayRawCkAttributesPtr).ulValueLen =
(ckpAttributes+i)->ulValueLen;
(*(CK_ATTRIBUTE_PTR)nativeKeyInfoArrayRawCkAttributesPtr).pValue =
nativeKeyInfoArrayRawDataPtr;
(*(CK_ATTRIBUTE_PTR)nativeKeyInfoArrayRawCkAttributesPtr).pValue = 0;
(*(CK_ATTRIBUTE_PTR)nativeKeyInfoArrayRawCkAttributesPtr).type =
CKA_NETSCAPE_DB;
There is also a direct read access:
*(CK_BBOOL*)(((CK_ATTRIBUTE_PTR)(((CK_ATTRIBUTE_PTR)nativeKeyInfoArrayRawCkAttributes)+sensitiveAttributePosition))->pValue
Whether or not these are 64-bit aligned depends on the value returned by
GetByteArrayElements: if the buffer is not 8-bytes aligned (but 4),
unaligned accesses would occur. This is unlikely though. Adding
sizeof(unsigned long) to nativeKeyInfoArrayRawCkAttributesPtr first
value should not cause issues because 1) sizeof(unsigned long) is 8 [3]
and 2) CK_ATTRIBUTE alignment is 8 (larger member is a pointer).
Looks to me that the problem is caused when reading the CK_BBOOL value.
This is a pointer to the data side of the buffer and there are no
alignment guarantees there at all: data is compacted (to save space).
I cannot confirm because I'm unable to reproduce in my environment.
However, and under the described hypothesis, I propose this patch:
* http://cr.openjdk.java.net/~mbalao/webrevs/8216597/8216597.webrev.00/
* http://cr.openjdk.java.net/~mbalao/webrevs/8216597/8216597.webrev.00.zip
Can someone try it?
In case it fails again, I'd be grateful if someone can dump all the
SPARC bytes of Java_sun_security_pkcs11_wrapper_PKCS11_getNativeKeyInfo
function so I can see exactly what the instruction at 0x2e4 offset is
(for the build without this patch).
@David Holmes: even though wrappedKeySizeWrappedKeyArrayPtr may have an
unaligned value, looks to me that it's not directly used to access
memory but used through memcpy.
Thanks,
Martin.-
--
[0] - https://bugs.openjdk.java.net/browse/JDK-6913047
[1] - http://hg.openjdk.java.net/jdk/jdk/rev/5170dc2bcf64
[2] - https://bugs.openjdk.java.net/browse/JDK-8216597
[3] -
https://docs.oracle.com/cd/E18752_01/html/817-6223/chp-typeopexpr-2.html
More information about the security-dev
mailing list