compiled with -fno-stack-protector and -U_FORTIFY_SOURCE

Bug #330713 reported by Kees Cook
Affects: openjdk-6 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Matthias Klose

Bug Description

The package should build with security protections enabled.

Kees Cook (kees)
Changed in openjdk-6:
assignee: nobody → doko
importance: Undecided → Medium
milestone: none → jaunty-alpha-6
status: New → Confirmed
Matthias Klose (doko) wrote :

please do a test build on all architectures including community ports and report back about regressions/progressions.

Changed in openjdk-6:
assignee: doko → kees
importance: Medium → Wishlist
status: Confirmed → Incomplete
Kees Cook (kees)
Changed in openjdk-6:
importance: Wishlist → Medium
status: Incomplete → In Progress
Kees Cook (kees)
Changed in openjdk-6:
status: In Progress → Triaged
Kees Cook (kees) wrote :

Report on test output for all architectures. I think the differences are very minimal, and I would like to get the stack and fortify options back to the Ubuntu defaults.

Changed in openjdk-6:
assignee: kees → doko
milestone: jaunty-alpha-6 → ubuntu-9.04-beta
status: Triaged → In Progress
Kees Cook (kees) wrote :

Patch to reenable protections...

Matthias Klose (doko) wrote :

> I think the differences are very minimal, and I would like to get the stack
> and fortify options back to the Ubuntu defaults.

these are regressions. I don't think regressions are minimal.

Changed in openjdk-6 (Ubuntu):
assignee: doko → nobody
status: In Progress → New
Matthias Klose (doko) wrote :

proposing to unset the milestone until the regressions are fixed.

Kees Cook (kees)
Changed in openjdk-6 (Ubuntu):
assignee: nobody → kees
milestone: ubuntu-9.04-beta → later
status: New → Triaged
Matthias Klose (doko) wrote :

the regressions with openjdk-6-6b16~pre1 on i386 are:

FAILED: com/sun/jdi/BadHandshakeTest.java
FAILED: javax/management/remote/mandatory/notif/NotificationBufferDeadlockTest.java
FAILED: sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.sh

Kees Cook (kees)
Changed in openjdk-6 (Ubuntu):
assignee: Kees Cook (kees) → nobody
milestone: later → ubuntu-9.10-beta
Kees Cook (kees)
description: updated
Kees Cook (kees)
Changed in openjdk-6 (Ubuntu):
milestone: ubuntu-9.10-beta → karmic-alpha-6
assignee: nobody → Matthias Klose (doko)
Kees Cook (kees)
Changed in openjdk-6 (Ubuntu):
milestone: karmic-alpha-6 → ubuntu-9.10-beta
Kees Cook (kees) wrote :

Updated patch...

Kees Cook (kees) wrote :

javax/management/remote/mandatory/notif/NotificationBufferDeadlockTest.java fails with stock local version too:

Testing protocol jmxmp
TEST FAILED: GOT EXCEPTION:
java.security.AccessControlException: access denied (javax.management.MBeanTrustPermission register)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:585)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanTrustPermission(DefaultMBeanServerInterceptor.java:1868)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:328)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:516)
        at NotificationBufferDeadlockTest.test(NotificationBufferDeadlockTest.java:116)
        at NotificationBufferDeadlockTest.main(NotificationBufferDeadlockTest.java:98)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at com.sun.javatest.regtest.MainAction$SameVMThread.run(MainAction.java:595)
        at java.lang.Thread.run(Thread.java:636)

Kees Cook (kees) wrote :

sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.sh did not fail in current build tests.

Kees Cook (kees) wrote :

com/sun/jdi/BadHandshakeTest.java is a "real" problem, though:

*** buffer overflow detected ***: /usr/lib/jvm/java-6-openjdk/jre/bin/java terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x40)[0xf7e99a90]
/lib/libc.so.6[0xf7e98aa0]
/lib/libc.so.6[0xf7e97dca]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/libdt_socket.so[0xf70f6eb7]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/libdt_socket.so[0xf70f7066]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/libjdwp.so[0xf7128357]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/server/libjvm.so[0xf760af14]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/server/libjvm.so[0xf760affc]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/server/libjvm.so[0xf779c2cc]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/server/libjvm.so[0xf779c38a]
/usr/lib/jvm/java-6-openjdk/jre/lib/i386/server/libjvm.so[0xf76c0931]
/lib/libpthread.so.0[0xf7f20680]
/lib/libc.so.6(clone+0x5e)[0xf7e84b4e]

Kees Cook (kees) wrote :

Given this is a singular specific bug (not a java-wide problem), I'd like to push to get these options enabled for Feature Freeze, along with bug 409736.

Kees Cook (kees) wrote :

Bug 419018 filed and solved.

Changed in openjdk-6 (Ubuntu):
milestone: ubuntu-9.10-beta → karmic-alpha-6
Kees Cook (kees) wrote :

Current testsuite differences between 6b16-1.6~pre1-0ubuntu1 and my most recent build with fixes for 330713, 409736, and 419018 seem to introduce one progression and no regressions:

-FAILED: sun/security/ssl/javax/net/ssl/NewAPIs/SessionCacheSizeTests.java
+Passed: sun/security/ssl/javax/net/ssl/NewAPIs/SessionCacheSizeTests.java

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-6 - 6b16-1.6~pre2-0ubuntu1

---------------
openjdk-6 (6b16-1.6~pre2-0ubuntu1) karmic; urgency=low

  * Update IcedTea from the 1.6 release branch:
    - Fix buffer overflow in debugger's socket handler (Kees Cook).
      https://bugs.openjdk.java.net/show_bug.cgi?id=100103. LP: #409736.
    - plugin fixes.
  * Move the pulseaudio recommendation to a suggestion, don't build-depend
    on pulseaudio.
  * Build for armv6 (on armel).

  [ Kees Cook ]
  * debian/rules: Re-enable fortification and stack protector
    (LP: #330713).
  * Adding stack markings to the x86 assembly for not using executable
    stack. LP: #419018.

 -- Matthias Klose <email address hidden> Fri, 28 Aug 2009 18:51:34 +0200

Changed in openjdk-6 (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
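
Added example, not part of the bug report or of the Ubuntu packaging: a Python check for the three build properties that this bug and LP #419018 concern (stack protector, fortified libc calls, non-executable stack marking), run over a constructed ELF32 image. The function names `gnu_stack_flags`, `audit` and `sample_elf32` are chosen here, and the symbol check is a heuristic that only looks for the names `__stack_chk_fail` and `__*_chk` in the file's string data.

```python
import re
import struct

PT_GNU_STACK = 0x6474E551  # program header that records stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

def gnu_stack_flags(elf):
    """Return p_flags of the PT_GNU_STACK segment, or None if it is absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2
    end = "<" if elf[5] == 1 else ">"
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if struct.unpack_from(end + "I", elf, off)[0] == PT_GNU_STACK:
            # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
            return struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))[0]
    return None

def audit(elf):
    """Heuristic hardening report based on segment flags and symbol names."""
    flags = gnu_stack_flags(elf)
    chk = re.findall(rb"__[a-z0-9_]+_chk(?=\x00)", elf)
    return {
        # no marking is treated as executable, the legacy i386 default
        "exec_stack": flags is None or bool(flags & PF_X),
        "stack_protector": b"__stack_chk_fail\x00" in elf,
        "fortified_calls": sorted({name.decode() for name in chk}),
    }

def sample_elf32(stack_flags, names):
    """Constructed input: ELF32 header, one PT_GNU_STACK entry, fake string table."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    return ehdr + phdr + b"\x00" + b"".join(n + b"\x00" for n in names)

if __name__ == "__main__":
    hardened = sample_elf32(0x6, [b"__stack_chk_fail", b"__read_chk", b"__memcpy_chk"])
    unhardened = sample_elf32(0x7, [b"read", b"memcpy"])
    print(audit(hardened))
    print(audit(unhardened))
```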
