Bug 678501 - OpenJDK Incomplete Fix for CVE-2010-4469
Summary: OpenJDK Incomplete Fix for CVE-2010-4469
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-02-18 09:25 UTC by Marc Schoenefeld
Modified: 2021-10-19 21:47 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-10-19 21:47:26 UTC
Embargoed:



Description Marc Schoenefeld 2011-02-18 09:25:42 UTC
It looks like the fix for CVE-2010-4469 is incomplete,
and still causes segmentation faults in the latest 6u24.
The reproducer class was generated with
java GenOOMCrashClass 1 4000, where 1 is the number
of methods and 4000 is the number of nested backward JSRs.

Please check the attached reproducer OOMCrashClass4000_1,
 
  gdb --args /usr/java/jre1.6.0_24/bin/java -cp bin OOMCrashClass4000_1
 
it dies with:
  
  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0xb721eb90 (LWP 1239)]
  0xb75bcd2e in GenerateOopMap::copy_state(CellTypeState*, CellTypeState*)
  () from /usr/java/jre1.6.0_24/lib/i386/server/libjvm.so
  (gdb) info r
  eax            0x42000000       1107296256
  ecx            0x80ec3010       -2132004848
  edx            0x47000000       1191182336
  ebx            0x0      0
  esp            0xb721dd2c       0xb721dd2c
  ebp            0xb721dd38       0xb721dd38
  esi            0x2      2
  edi            0x485bf008       1213984776
  eip            0xb75bcd2e       0xb75bcd2e
  <GenerateOopMap::copy_state(CellTypeState*, CellTypeState*)+62>
  eflags         0x210206 [ PF IF RF ID ]
  cs             0x73     115
  ss             0x7b     123
  ds             0x7b     123
  es             0x7b     123
  fs             0x0      0
  gs             0x33     51
  (gdb) disass $pc $pc+1
  Dump of assembler code from 0xb75bcd2e to 0xb75bcd2f:
  0xb75bcd2e <_ZN14GenerateOopMap10copy_stateEP13CellTypeStateS1_+62>:
  mov    %edx,(%edi,%ebx,4)
  End of assembler dump.
 
The involved addresses are non-null and may be pointing to
the yet unverified and untrusted classfile content.
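The reporter's GenOOMCrashClass generator is not reproduced on this page. As an added example (not code from the bug or from OpenJDK), the Python script below does the inverse job a practitioner would want when triaging untrusted jars against this class of bug: it parses a class file, walks each method's bytecode, and lists every jsr/jsr_w together with its target and whether the branch goes backward, which is the construct the reproducer stacks 4000 deep. The embedded sample class, `build_sample_class()`, is constructed by hand here (class name `Crash`, method `run()V`) and is not the attached OOMCrashClass4000_1.

```python
"""List jsr/jsr_w instructions in a Java class file and flag backward ones.

Added example; not the reporter's generator. build_sample_class() is a
hand-assembled test input, not the reproducer attached to the bug.
"""
import struct
import sys
from typing import Dict, List, Tuple

JSR, JSR_W, TABLESWITCH, LOOKUPSWITCH, WIDE, IINC = 0xA8, 0xC9, 0xAA, 0xAB, 0xC4, 0x84

# Operand byte counts for fixed-length opcodes longer than one byte.
_OPERANDS = {0x10: 1, 0x11: 2, 0x12: 1, 0x13: 2, 0x14: 2, IINC: 2, 0xA9: 1,
             0xB9: 4, 0xBA: 4, 0xBC: 1, 0xC5: 3, 0xC8: 4, JSR_W: 4}
_OPERANDS.update({op: 1 for op in range(0x15, 0x1A)})   # iload..aload
_OPERANDS.update({op: 1 for op in range(0x36, 0x3B)})   # istore..astore
_OPERANDS.update({op: 2 for op in range(0x99, 0xA9)})   # ifeq..goto, jsr
_OPERANDS.update({op: 2 for op in range(0xB2, 0xB9)})   # getstatic..invokestatic
_OPERANDS.update({op: 2 for op in (0xBB, 0xBD, 0xC0, 0xC1, 0xC6, 0xC7)})

# Payload size of each constant-pool entry after its tag (Utf8 is length-prefixed).
_CP_SIZES = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def _insn_len(code: bytes, pc: int) -> int:
    """Length in bytes of the instruction starting at pc (handles the variable ones)."""
    op = code[pc]
    if op == TABLESWITCH:                       # pad to 4, default, low, high, jump table
        base = (pc + 4) & ~3
        low, high = struct.unpack_from(">ii", code, base + 4)
        return base + 12 + 4 * (high - low + 1) - pc
    if op == LOOKUPSWITCH:                      # pad to 4, default, npairs, (match, offset)*
        base = (pc + 4) & ~3
        npairs = struct.unpack_from(">i", code, base + 4)[0]
        return base + 8 + 8 * npairs - pc
    if op == WIDE:                              # wide iinc is 6 bytes, other wide forms 4
        return 6 if code[pc + 1] == IINC else 4
    return 1 + _OPERANDS.get(op, 0)


def _scan_code(code: bytes) -> List[Tuple[int, int, bool]]:
    """Return (pc, target, is_backward) for every jsr/jsr_w in a Code attribute."""
    found, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op in (JSR, JSR_W):
            fmt = ">h" if op == JSR else ">i"
            target = pc + struct.unpack_from(fmt, code, pc + 1)[0]
            found.append((pc, target, target <= pc))   # backward = target at or before the jsr
        pc += _insn_len(code, pc)
    return found


def _read_cp(buf: bytes, pos: int) -> Tuple[Dict[int, str], int]:
    """Collect Utf8 constants by index; return them with the offset past the pool."""
    count = struct.unpack_from(">H", buf, pos)[0]
    pos, utf8, i = pos + 2, {}, 1
    while i < count:
        tag = buf[pos]
        pos += 1
        if tag == 1:
            n = struct.unpack_from(">H", buf, pos)[0]
            utf8[i] = buf[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in (5, 6):                     # long/double take two pool slots
            pos, i = pos + 8, i + 1
        else:
            pos += _CP_SIZES[tag]
        i += 1
    return utf8, pos


def _skip_attrs(buf: bytes, pos: int) -> int:
    n = struct.unpack_from(">H", buf, pos)[0]
    pos += 2
    for _ in range(n):
        pos += 6 + struct.unpack_from(">I", buf, pos + 2)[0]
    return pos


def find_jsrs(class_bytes: bytes) -> Dict[str, List[Tuple[int, int, bool]]]:
    """Map 'name+descriptor' of each method with a Code attribute to its jsr list."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    try:
        utf8, pos = _read_cp(class_bytes, 8)
        pos += 6                                # access_flags, this_class, super_class
        pos += 2 + 2 * struct.unpack_from(">H", class_bytes, pos)[0]   # interfaces
        nfields = struct.unpack_from(">H", class_bytes, pos)[0]
        pos += 2
        for _ in range(nfields):
            pos = _skip_attrs(class_bytes, pos + 6)
        nmethods = struct.unpack_from(">H", class_bytes, pos)[0]
        pos, result = pos + 2, {}
        for _ in range(nmethods):
            name_idx, desc_idx = struct.unpack_from(">HH", class_bytes, pos + 2)
            name = utf8.get(name_idx, "?") + utf8.get(desc_idx, "")
            nattr = struct.unpack_from(">H", class_bytes, pos + 6)[0]
            pos += 8
            for _ in range(nattr):
                aname, alen = struct.unpack_from(">HI", class_bytes, pos)
                body = class_bytes[pos + 6:pos + 6 + alen]
                if utf8.get(aname) == "Code":   # u2 max_stack, u2 max_locals, u4 code_length
                    code_len = struct.unpack_from(">I", body, 4)[0]
                    result[name] = _scan_code(body[8:8 + code_len])
                pos += 6 + alen
        return result
    except (struct.error, IndexError, KeyError) as exc:
        raise ValueError(f"malformed class file: {exc}") from None


def count_backward_jsrs(class_bytes: bytes) -> int:
    return sum(back for hits in find_jsrs(class_bytes).values() for _, _, back in hits)


def build_sample_class() -> bytes:
    """Constructed input: class Crash, method run()V with a subroutine at offset 3
    entered by a backward jsr at 6 and a forward jsr at 9 (version 49, jsr legal)."""
    code = bytes([
        0xA7, 0x00, 0x06,   # 0: goto 6          skip over the subroutine body
        0x4C,               # 3: astore_1        subroutine: save return address
        0xA9, 0x01,         # 4: ret 1
        0xA8, 0xFF, 0xFD,   # 6: jsr -3  -> 3    backward jsr into the subroutine
        0xA8, 0x00, 0x03,   # 9: jsr +3  -> 12   forward jsr, for contrast
        0xB1,               # 12: return
    ])
    cp = b"".join([
        b"\x01" + struct.pack(">H", 4) + b"Code",            # 1
        b"\x01" + struct.pack(">H", 3) + b"run",             # 2
        b"\x01" + struct.pack(">H", 3) + b"()V",             # 3
        b"\x07" + struct.pack(">H", 5),                      # 4 Class -> 5
        b"\x01" + struct.pack(">H", 5) + b"Crash",           # 5
        b"\x07" + struct.pack(">H", 7),                      # 6 Class -> 7
        b"\x01" + struct.pack(">H", 16) + b"java/lang/Object",  # 7
    ])
    code_attr = struct.pack(">HHI", 1, 2, len(code)) + code + struct.pack(">HH", 0, 0)
    method = (struct.pack(">HHHH", 0x0009, 2, 3, 1)
              + struct.pack(">HI", 1, len(code_attr)) + code_attr)
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, 8) + cp
            + struct.pack(">HHHHHH", 0x0021, 4, 6, 0, 0, 1) + method
            + struct.pack(">H", 0))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_class()
    for method, hits in find_jsrs(data).items():
        for pc, target, back in hits:
            print(f"{method}: jsr at {pc} -> {target} ({'backward' if back else 'forward'})")
    print("backward jsr count:", count_backward_jsrs(data))
```

Run it with a path to a `.class` file to scan that file, or with no argument to scan the built-in sample. The walker has to know the length of every opcode (including the padded tableswitch/lookupswitch and the wide prefix) because a jsr operand counted as an opcode would silently skip real instructions; a class that makes the scan run off the end of its Code attribute is reported as malformed rather than trusted, which is the same boundary the crashing oop-map generator fails to enforce.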

