Bug 524177 - gcj jar manifest parsing segfault with classpath references
Summary: gcj jar manifest parsing segfault with classpath references
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-09-18 08:53 UTC by Marc Schoenefeld
Modified: 2019-09-29 12:32 UTC (History)
CC: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-21 22:50:56 UTC
Embargoed:



Description Marc Schoenefeld 2009-09-18 08:53:29 UTC
Created attachment 361611
Jar file having an ftp classpath entry, segfaulting gcj 

The parsing of classpath references in META-INF/MANIFEST.MF leads to (possibly exploitable) segmentation faults, for example with a "Class-Path: ftp://127.0.0.1:8080/willi.jar" entry, as in the attached "willi.jar" archive.

[mschoene@mschoene ~]$ valgrind /usr/lib/jvm/java-1.4.2-gcj/jre/bin/java -jar  willi.jar
==4700== Memcheck, a memory error detector.
==4700== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==4700== Using LibVEX rev 1658, a library for dynamic binary translation.
==4700== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==4700== Using valgrind-3.2.1, a dynamic binary instrumentation framework.
==4700== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==4700== For more details, rerun with: -v
==4700==
==4700== Invalid write of size 1
==4700==    at 0x4006554: memset (mc_replace_strmem.c:479)
==4700==    by 0x73B8D62: (within /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x73BDACB: (within /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x73BDD62: (within /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x73B83E1: (within /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x6B404C9: _Jv_InitGC() (in /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x6AF471C: _Jv_CreateJavaVM(_Jv_VMInitArgs*) (in /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x6AF56DA: _Jv_RunMain(_Jv_VMInitArgs*, java::lang::Class*, char const*, int, char const**, bool) (in /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0xA17AB1: main (in /usr/lib/libgij.so.7rh.0.0)
==4700==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4700==
==4700== Process terminating with default action of signal 11 (SIGSEGV)
==4700==  Access not within mapped region at address 0x0
==4700==    at 0x4006554: memset (mc_replace_strmem.c:479)
==4700==    by 0x73B8D62: (within /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x73BDACB: (within /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x73BDD62: (within /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x73B83E1: (within /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x6B404C9: _Jv_InitGC() (in /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x6AF471C: _Jv_CreateJavaVM(_Jv_VMInitArgs*) (in /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0x6AF56DA: _Jv_RunMain(_Jv_VMInitArgs*, java::lang::Class*, char const*, int, char const**, bool) (in /usr/lib/libgcj.so.7rh.0.0)
==4700==    by 0xA17AB1: main (in /usr/lib/libgij.so.7rh.0.0)
==4700==
==4700== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 20 from 1)
==4700== malloc/free: in use at exit: 697 bytes in 36 blocks.
==4700== malloc/free: 56 allocs, 20 frees, 3,177 bytes allocated.
==4700== For counts of detected errors, rerun with: -v
==4700== searching for pointers to 36 not-freed blocks.
==4700== checked 4,984,360 bytes.
==4700==
==4700== LEAK SUMMARY:
==4700==    definitely lost: 0 bytes in 0 blocks.
==4700==      possibly lost: 0 bytes in 0 blocks.
==4700==    still reachable: 697 bytes in 36 blocks.
==4700==         suppressed: 0 bytes in 0 blocks.
==4700== Reachable blocks (those to which a pointer was found) are not shown.
==4700== To see them, rerun with: --show-reachable=yes
Segmentation fault

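As an added example (not part of the bug report and not gcj code), a small Python audit that reads a jar's META-INF/MANIFEST.MF and reports any Class-Path entry that carries a URL scheme, such as the ftp:// reference quoted above, so that such jars can be held back before they reach a runtime that mishandles them. The helper names and the in-memory sample jar are my own; the sample manifest reuses the Class-Path and Main-Class values from the report.

```python
"""Audit Class-Path entries in a jar manifest (added example, not from the report)."""
import io
import zipfile
from urllib.parse import urlsplit

MANIFEST_NAME = "META-INF/MANIFEST.MF"
# Class-Path entries are expected to be relative paths next to the jar; any
# entry with a URL scheme (ftp://, http://, file://) points off-disk and is flagged.
ALLOWED_SCHEMES = {""}


def parse_manifest(raw: bytes) -> dict:
    """Parse the main section of a manifest ('Name: value' lines, CRLF or LF).

    A line beginning with a single space continues the previous value; the jar
    spec wraps values longer than 72 bytes that way, so a long URL may be split."""
    attrs = {}
    last = None
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if not line.strip():
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]  # continuation: append without the marker space
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than abort the audit
        last = name.strip()
        attrs[last] = value.lstrip(" ")
    return attrs


def remote_classpath_entries(jar_bytes: bytes) -> list:
    """Return the Class-Path entries that carry a URL scheme (empty list if none)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if MANIFEST_NAME not in zf.namelist():
            return []
        attrs = parse_manifest(zf.read(MANIFEST_NAME))
    # Class-Path is a whitespace-separated list; trailing blanks are dropped by split().
    return [e for e in attrs.get("Class-Path", "").split()
            if urlsplit(e).scheme not in ALLOWED_SCHEMES]


def build_sample_jar(class_path: str) -> bytes:
    """Construct (in memory) a minimal jar whose manifest carries the given Class-Path."""
    manifest = ("Manifest-Version: 1.0\r\n"
                f"Class-Path: {class_path}\r\n"
                "Main-Class: testvm2.Main\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_NAME, manifest)
    return buf.getvalue()


if __name__ == "__main__":
    print(remote_classpath_entries(build_sample_jar("ftp://127.0.0.1:8080/willi.jar")))
```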

