Red Hat Bugzilla – Bug 905128
[CRASH] OpenJDK-1.7.0 while using NSS security provider and kerberos
Last modified: 2013-11-21 06:12:37 EST
Created attachment 689075 [details]
In the attempt to boost jre performance (bug#831734), kerberos JAAS is broken.
It causes SIGSEGV when trying to authenticate.
Attached a sample program to reproduce, logs.
Stack: [0x00007f268b227000,0x00007f268b328000], sp=0x00007f268b324b10, free space=1014k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [libjvm.so+0x5d9e5f] JNI_CreateJavaVM+0xd40f
C [libj2pkcs11.so+0x6062] Java_sun_security_pkcs11_wrapper_PKCS11_C_1EncryptUpdate+0xd2
Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)
Comment on attachment 689075 [details]
Created attachment 689076 [details]
Created attachment 689077 [details]
Created attachment 689096 [details]
Workaround: Revert to the default java security provider.
Settings of jvm should be the defaults of openjdk settings.
Applications/administrators that wish to boost their performance can actively load security provider of their choice.
Changing the system width configuration of jvm and effecting all applications should have been avoided.
It seems the TCK doesn't really test non-block ciphers throughly. The fix is fairly trivial; just a state that wasn't fully accounted for.
Created attachment 689985 [details]
Don't make an update call in doFinal for non-block ciphers
We have reverted the errata which should make RHEV work again (with the version in 6.3.z/older 6.4 composes).
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release. Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
*** Bug 906325 has been marked as a duplicate of this bug. ***
Created attachment 691121 [details]
Revised patch that checks blockBuffer rather than blockBufferLen
It turns out some TCK tests started failing because there are valid cases with an empty block buffer. So we test for the actual failure case (no blockBuffer at all) rather than trying to be clever.
*** Bug 907090 has been marked as a duplicate of this bug. ***
Replacing the openJdk rpm on a 6.4 host with a 6.5 build might create a lot of none relevant noise.
However if we get a 6.4 (somwhat stable build) we can give it a quick test.
BTW the right way to test it is:
1. install vanilla rhel-XXX
- make sure the new openJdk is installed
2. install ovirt-engine
3. join a domain
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.