archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-09-18 10:04:42 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow

Browse source 
Check buffer overflow when the jdwp agent full dll name is built

Reviewed-by: cjplummer, sspitsyn
This commit is contained in:
Adam Farley 2019-09-11 23:10:14 +00:00
parent a8ea6b279a
commit d57af04737
2 changed files with 28 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

24
src/jdk.jdwp.agent/unix/native/libjdwp/linker_md.c
View file

@ -34,6 +34,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include "util.h"
#include "path_md.h" #include "path_md.h"
#ifdef __APPLE__ #ifdef __APPLE__
@ -45,8 +46,10 @@
static void dll_build_name(char* buffer, size_t buflen, static void dll_build_name(char* buffer, size_t buflen,
const char* paths, const char* fname) { const char* paths, const char* fname) {
char *path, *paths_copy, *next_token; char *path, *paths_copy, *next_token;
*buffer = '\0';
paths_copy = strdup(paths); paths_copy = jvmtiAllocate((int)strlen(paths) + 1);
strcpy(paths_copy, paths);
if (paths_copy == NULL) { if (paths_copy == NULL) {
return; return;
} }
@ -55,15 +58,18 @@ static void dll_build_name(char* buffer, size_t buflen,
path = strtok_r(paths_copy, PATH_SEPARATOR, &next_token); path = strtok_r(paths_copy, PATH_SEPARATOR, &next_token);
while (path != NULL) { while (path != NULL) {
snprintf(buffer, buflen, "%s/lib%s." LIB_SUFFIX, path, fname); size_t result_len = (size_t)snprintf(buffer, buflen, "%s/lib%s." LIB_SUFFIX, path, fname);
if (access(buffer, F_OK) == 0) { if (result_len >= buflen) {
EXIT_ERROR(JVMTI_ERROR_INVALID_LOCATION, "One or more of the library paths supplied to jdwp, "
"likely by sun.boot.library.path, is too long.");
} else if (access(buffer, F_OK) == 0) {
break; break;
} }
*buffer = '\0'; *buffer = '\0';
path = strtok_r(NULL, PATH_SEPARATOR, &next_token); path = strtok_r(NULL, PATH_SEPARATOR, &next_token);
} }
free(paths_copy); jvmtiDeallocate(paths_copy);
} }
/* /*
@ -89,13 +95,11 @@ dbgsysBuildLibName(char *holder, int holderlen, const char *pname,
{ {
const int pnamelen = pname ? strlen(pname) : 0; const int pnamelen = pname ? strlen(pname) : 0;
*holder = '\0';
// Quietly truncate on buffer overflow. Should be an error.
if (pnamelen + (int)strlen(fname) + 10 > holderlen) {
return;
}
if (pnamelen == 0) { if (pnamelen == 0) {
if (pnamelen + (int)strlen(fname) + 10 > holderlen) {
EXIT_ERROR(JVMTI_ERROR_INVALID_LOCATION, "One or more of the library paths supplied to jdwp, "
"likely by sun.boot.library.path, is too long.");
}
(void)snprintf(holder, holderlen, "lib%s." LIB_SUFFIX, fname); (void)snprintf(holder, holderlen, "lib%s." LIB_SUFFIX, fname);
} else { } else {
dll_build_name(holder, holderlen, pname, fname); dll_build_name(holder, holderlen, pname, fname);

24
src/jdk.jdwp.agent/windows/native/libjdwp/linker_md.c
View file

@ -37,13 +37,16 @@
#include "sys.h" #include "sys.h"
#include "util.h"
#include "path_md.h" #include "path_md.h"
static void dll_build_name(char* buffer, size_t buflen, static void dll_build_name(char* buffer, size_t buflen,
const char* paths, const char* fname) { const char* paths, const char* fname) {
char *path, *paths_copy, *next_token; char *path, *paths_copy, *next_token;
*buffer = '\0';
paths_copy = strdup(paths); paths_copy = jvmtiAllocate((int)strlen(paths) + 1);
strcpy(paths_copy, paths);
if (paths_copy == NULL) { if (paths_copy == NULL) {
return; return;
} }
@ -52,15 +55,18 @@ static void dll_build_name(char* buffer, size_t buflen,
path = strtok_s(paths_copy, PATH_SEPARATOR, &next_token); path = strtok_s(paths_copy, PATH_SEPARATOR, &next_token);
while (path != NULL) { while (path != NULL) {
_snprintf(buffer, buflen, "%s\\%s.dll", path, fname); size_t result_len = (size_t)_snprintf(buffer, buflen, "%s\\%s.dll", path, fname);
if (_access(buffer, 0) == 0) { if (result_len >= buflen) {
EXIT_ERROR(JVMTI_ERROR_INVALID_LOCATION, "One or more of the library paths supplied to jdwp, "
"likely by sun.boot.library.path, is too long.");
} else if (_access(buffer, 0) == 0) {
break; break;
} }
*buffer = '\0'; *buffer = '\0';
path = strtok_s(NULL, PATH_SEPARATOR, &next_token); path = strtok_s(NULL, PATH_SEPARATOR, &next_token);
} }
free(paths_copy); jvmtiDeallocate(paths_copy);
} }
/* /*
@ -107,13 +113,11 @@ dbgsysBuildLibName(char *holder, int holderlen, const char *pname, const char *f
{ {
const int pnamelen = pname ? (int)strlen(pname) : 0; const int pnamelen = pname ? (int)strlen(pname) : 0;
*holder = '\0';
/* Quietly truncates on buffer overflow. Should be an error. */
if (pnamelen + (int)strlen(fname) + 10 > holderlen) {
return;
}
if (pnamelen == 0) { if (pnamelen == 0) {
if (pnamelen + (int)strlen(fname) + 10 > holderlen) {
EXIT_ERROR(JVMTI_ERROR_INVALID_LOCATION, "One or more of the library paths supplied to jdwp, "
"likely by sun.boot.library.path, is too long.");
}
sprintf(holder, "%s.dll", fname); sprintf(holder, "%s.dll", fname);
} else { } else {
dll_build_name(holder, holderlen, pname, fname); dll_build_name(holder, holderlen, pname, fname);