Bug ID: 6765546 Wrong sscanf used to parse CompilerOracle command >= 32 characters could lead to crash

6765546 : Wrong sscanf used to parse CompilerOracle command >= 32 characters could lead to crash

Details

Type:	Bug	Submit Date:	2008-10-30
Status:	Closed	Updated Date:	2011-03-22
Project Name:	JDK	Resolved Date:	2011-03-07
Component:	hotspot	OS:	generic
Sub-Component:	compiler	CPU:	generic
Priority:	P3
Resolution:	Fixed
Affected Versions:	hs14,7
Fixed Versions:	hs20

Related Reports

Backport:	JDK-2205081 - Wrong sscanf used to parse CompilerOracle command >= 32 characters could lead to crash
Backport:	JDK-2205815 - Wrong sscanf used to parse CompilerOracle command >= 32 characters could lead to crash
Duplicate:	JDK-6765548 - No checks for unknown command when parsing CompilerOracle command may cause JVM crash/wrong output

Sub Tasks

Description

Wrong sscanf used to parse CompilerOracle command >= 32 characters could lead to crash
when providing command name >=32 chars to CompilerOracle (either using command line or .hotspot_compiler file).

The root cause is in vm\compiler\compilerOracle.cpp, parse_command_name(const char*, int*):

static OracleCommand parse_command_name(const char * line, int* bytes_read) {
  ...
  char command[32];
  int result = sscanf(line, "%32[a-z]%n", command, bytes_read);
  ...
}


sscanf writes <=32 matching characters + null terminator character to char
array that should be long enough. 

When specifying command name equal to or longer than 32 characters [a-z],
sscanf will write null terminator character out of command[32] array bounds,
that produces crash or possible wrong behavior depending on compiler mode.


To reproduce try to do:
 java -XX:CompileCommand=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,a/b/c.d -version

Comments

EVALUATION

http://hg.openjdk.java.net/jdk7/hotspot-comp/hotspot/rev/781072b12368

2010-12-15

EVALUATION

6765546: Wrong sscanf used to parse CompilerOracle command >= 32 characters could lead to crash
Reviewed-by: kvn, iveresov 

The buffer for a sscanf isn't long enough to include the null
termination and we're missing a check for unknown commands.  Tested
with various command lines.

I also fixed a bug with rejecting signatures including [

2010-12-15

SUGGESTED FIX

Suggested fix:
replace 'char command[32];' with 'char command[33];' or replace '%32' with
'%31' in compilerOracle.cpp.

2008-10-30

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together