Bug 856124 (CVE-2012-4416)
Summary: CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606)

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | unspecified | CC | ahughes, dbhole, djorm, fweimer, jon.vanalten, jvanek, lkundrak, mjw, mmatejov, omajid |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | icedtea6 1.10.10, icedtea6 1.11.5, icedtea7 2.1.3, icedtea7 2.2.3, icedtea7 2.3.3 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-10-26 07:20:46 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 862579 | | |
Description
Jan Lieskovsky
2012-09-11 09:08:42 UTC
Local copy of the reproducer, workaround and further issue occurrence details from [1]:

=============================================================================

This bug can be reproduced always.

---------- BEGIN SOURCE ----------

```java
import java.util.Arrays;

public class JvmBug {
    public static void main(String[] args) {
        int[] a;
        int n = 0;
        for (int i = 0; i < 100000000; ++i) {
            // A freshly allocated int[] must be all zeros per the JLS.
            a = new int[10];
            // Read the array before the fill; the affected JIT drops the
            // allocation-time zeroing because of the complete fill below,
            // so this loop can observe stale heap contents.
            for (int f : a)
                if (f != 0)
                    throw new RuntimeException("Array just after allocation: " + Arrays.toString(a));
            Arrays.fill(a, 0);
            for (int j = 0; j < a.length; ++j)
                a[j] = (n - j) * i;
            for (int f : a)
                n += f;
        }
        System.out.println(n);
    }
}
```

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND: Add Arrays.fill(a,0) just after array initialization.

The bug reproduces with the fill or with a zeroing for loop, but not without. So the compiler correctly matches a complete array fill, but the check for uses between the allocation and the fill is faulty.

The CVE identifier of CVE-2012-4416 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/09/11/6

This flaw only affects the Oracle and OpenJDK implementations of Java 7; older versions and the IBM implementation are not affected.

After clarification from Mitre: [2] http://www.openwall.com/lists/oss-security/2012/09/11/9 the CVE identifier of CVE-2012-4416 should be used only for Oracle's codebase / Oracle JVM implementation. The same problem present in Java SE 7 as provided by OpenJDK 7 should be referred to by a different CVE id, which is currently pending assignment: http://www.openwall.com/lists/oss-security/2012/09/12/4

(In reply to comment #7)
> The same problem present in Java SE 7 as provided by OpenJDK 7 should be
> referred by another / different CVE id, which is currently pending
> assignment yet:
> http://www.openwall.com/lists/oss-security/2012/09/12/4

This flaw as it affects OpenJDK is now being tracked by a separate CVE ID, CVE-2012-4420 (bug 856588).

Fixed now in Oracle JDK 7u9 and 6u37. It seems Java 6 has this incorrect optimization too, even though the problem was not triggered by the test case.

External Reference: http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

(In reply to comment #8)
> This flaw as it affects OpenJDK is now being tracked by a separate CVE ID,
> CVE-2012-4420 (bug 856588).

As Hotspot is a component that is part of both Oracle JDK and OpenJDK, the above assignment is a duplicate.

*** Bug 856588 has been marked as a duplicate of this bug. ***

Fix included in IcedTea6 versions 1.10.10 and 1.11.5:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-October/020556.html
http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/d9564350faa6/patches/security/20121016/7198606.patch
(The patch disables the optimization until a proper fix is created.)

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:1386 https://rhn.redhat.com/errata/RHSA-2012-1386.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2012:1385 https://rhn.redhat.com/errata/RHSA-2012-1385.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:1384 https://rhn.redhat.com/errata/RHSA-2012-1384.html

Fix included in IcedTea7 versions 2.1.3, 2.2.3 and 2.3.3:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-October/020571.html
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/hotspot/rev/0885feeea95c

This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2012:1391 https://rhn.redhat.com/errata/RHSA-2012-1391.html

This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2012:1392 https://rhn.redhat.com/errata/RHSA-2012-1392.html