Bug 678501

Summary: OpenJDK Incomplete Fix for CVE-2010-4469
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: ahughes, aph, dbhole, Sarainia.Angelsong, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-19 21:47:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Marc Schoenefeld 2011-02-18 09:25:42 UTC
It looks like the fix for CVE-2010-4469 is incomplete,
and it still causes segmentation faults in the latest 6u24.
The reproducer class was generated with
java GenOOMCrashClass 1 4000, where 1 is the number
of methods and 4000 is the number of nested backward JSRs.

Please check the attached reproducer OOMCrashClass4000_1,
  gdb --args /usr/java/jre1.6.0_24/bin/java -cp bin OOMCrashClass4000_1
it dies with:
  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0xb721eb90 (LWP 1239)]
  0xb75bcd2e in GenerateOopMap::copy_state(CellTypeState*, CellTypeState*) () from /usr/java/jre1.6.0_24/lib/i386/server/libjvm.so
  (gdb) info r
  eax            0x42000000       1107296256
  ecx            0x80ec3010       -2132004848
  edx            0x47000000       1191182336
  ebx            0x0      0
  esp            0xb721dd2c       0xb721dd2c
  ebp            0xb721dd38       0xb721dd38
  esi            0x2      2
  edi            0x485bf008       1213984776
  eip            0xb75bcd2e       0xb75bcd2e <GenerateOopMap::copy_state(CellTypeState*, CellTypeState*)+62>
  eflags         0x210206 [ PF IF RF ID ]
  cs             0x73     115
  ss             0x7b     123
  ds             0x7b     123
  es             0x7b     123
  fs             0x0      0
  gs             0x33     51
  (gdb) disass $pc $pc+1
  Dump of assembler code from 0xb75bcd2e to 0xb75bcd2f:
  0xb75bcd2e <_ZN14GenerateOopMap10copy_stateEP13CellTypeStateS1_+62>: mov    %edx,(%edi,%ebx,4)
  End of assembler dump.
The involved addresses are non-null and may be pointing to
the as-yet unverified and untrusted classfile content.