Bug 856124 (CVE-2012-4416) - CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4416
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: CVE-2012-4420
Depends On:
Blocks: 862579
Reported: 2012-09-11 09:08 UTC by Jan Lieskovsky
Modified: 2021-02-23 13:53 UTC (History)

Fixed In Version: icedtea6 1.10.10, icedtea6 1.11.5, icedtea7 2.1.3, icedtea7 2.2.3, icedtea7 2.3.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-10-26 07:20:46 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1384 0 normal SHIPPED_LIVE Critical: java-1.6.0-openjdk security update 2012-10-17 20:07:50 UTC
Red Hat Product Errata RHSA-2012:1385 0 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security update 2012-10-17 20:06:54 UTC
Red Hat Product Errata RHSA-2012:1386 0 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2012-11-14 00:28:44 UTC
Red Hat Product Errata RHSA-2012:1391 0 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2012-10-18 20:44:09 UTC
Red Hat Product Errata RHSA-2012:1392 0 normal SHIPPED_LIVE Critical: java-1.6.0-sun security update 2012-10-18 20:54:24 UTC

Description Jan Lieskovsky 2012-09-11 09:08:42 UTC
An information disclosure flaw was found in the way the Java Virtual Machine (JVM) implementation of Oracle Java SE 7 initialized integer arrays (in certain circumstances they had nonzero elements right after allocation). An attacker could use this flaw to obtain potentially sensitive information.

References (including the reproducer):
[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857

Comment 1 Jan Lieskovsky 2012-09-11 09:12:03 UTC
Local copy of the reproducer, workaround and further issue occurrence details
from [1]:
=============================================================================

This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.util.Arrays;

public class JvmBug {
    public static void main(String[] args) {
        int[] a;
        int n = 0;
        for (int i = 0; i < 100000000; ++i) {
            a = new int[10];
            // A freshly allocated array must contain only zeros. With the faulty
            // optimization the JIT omitted the zeroing because of the complete
            // Arrays.fill() below, so this read observed stale heap contents.
            for (int f : a)
                if (f != 0)
                    throw new RuntimeException("Array just after allocation: " + Arrays.toString(a));
            Arrays.fill(a, 0);
            for (int j = 0; j < a.length; ++j)
                a[j] = (n - j) * i;
            for (int f : a)
                n += f;
        }
        System.out.println(n);
    }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Add Arrays.fill(a,0) just after array initialization.

The bug reproduces with the fill or with a zeroing for loop, but not without.

So the compiler correctly matches a complete array fill, but the check for uses between the allocation and the fill is faulty.

Comment 2 Jan Lieskovsky 2012-09-11 09:24:20 UTC
CVE Request:
http://www.openwall.com/lists/oss-security/2012/09/11/1

Comment 5 Jan Lieskovsky 2012-09-11 17:37:28 UTC
The CVE identifier of CVE-2012-4416 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/09/11/6

Comment 6 David Jorm 2012-09-12 10:30:21 UTC
This flaw only affects the Oracle and OpenJDK implementations of Java 7; older versions and the IBM implementation are not affected.

Comment 7 Jan Lieskovsky 2012-09-12 11:03:10 UTC
After clarification from Mitre:
[2] http://www.openwall.com/lists/oss-security/2012/09/11/9

the CVE identifier of CVE-2012-4416 should be used only for Oracle's codebase / Oracle JVM implementation.

The same problem present in Java SE 7 as provided by OpenJDK 7 should be referred to by a different CVE ID, which is currently pending assignment:
http://www.openwall.com/lists/oss-security/2012/09/12/4

Comment 8 Jan Lieskovsky 2012-09-12 11:21:38 UTC
(In reply to comment #7)
> The same problem present in Java SE 7 as provided by OpenJDK 7 should be
> referred to by a different CVE ID, which is currently pending
> assignment:
> http://www.openwall.com/lists/oss-security/2012/09/12/4

This flaw as it affects OpenJDK is now being tracked by a separate CVE ID, CVE-2012-4420 (bug 856588).

Comment 9 Tomas Hoger 2012-10-17 07:40:13 UTC
Fixed now in Oracle JDK 7u9 and 6u37. It seems Java 6 has this incorrect optimization too, even though the problem was not triggered by the test case.

External Reference:

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

Comment 10 Tomas Hoger 2012-10-17 07:54:22 UTC
(In reply to comment #8)

> This flaw as it affects OpenJDK is now being tracked by a separate CVE ID,
> CVE-2012-4420 (bug 856588).

As Hotspot is a component that is part of both Oracle JDK and OpenJDK, the above assignment is a duplicate.

Comment 11 Tomas Hoger 2012-10-17 07:54:50 UTC
*** Bug 856588 has been marked as a duplicate of this bug. ***

Comment 12 Tomas Hoger 2012-10-17 07:58:40 UTC
Fix included in IcedTea6 versions 1.10.10 and 1.11.5:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-October/020556.html
http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/d9564350faa6/patches/security/20121016/7198606.patch

(The patch disables the optimization until a proper fix is created.)

Comment 13 errata-xmlrpc 2012-10-17 16:10:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1386 https://rhn.redhat.com/errata/RHSA-2012-1386.html

Comment 14 errata-xmlrpc 2012-10-17 16:10:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1385 https://rhn.redhat.com/errata/RHSA-2012-1385.html

Comment 15 errata-xmlrpc 2012-10-17 16:11:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1384 https://rhn.redhat.com/errata/RHSA-2012-1384.html

Comment 17 errata-xmlrpc 2012-10-18 16:45:43 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1391 https://rhn.redhat.com/errata/RHSA-2012-1391.html

Comment 18 errata-xmlrpc 2012-10-18 16:56:38 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1392 https://rhn.redhat.com/errata/RHSA-2012-1392.html
