Bug ID: 7029048 (launcher) fence the launcher against LD_LIBRARY

7029048 : (launcher) fence the launcher against LD_LIBRARY_PATH

Details

Type:	Bug	Submit Date:	2011-03-18
Status:	Closed	Updated Date:	2011-07-27
Project Name:	JDK	Resolved Date:	2011-05-17
Component:	tools	OS:	generic
Sub-Component:	launcher	CPU:	generic
Priority:	P3
Resolution:	Fixed
Affected Versions:	7
Fixed Versions:	7

Related Reports

Relates:	JDK-7021644 - Consider using a new version name on all jdk7 shared libraries
Relates:	JDK-6367077 - Purge LD_LIBRARY_PATH usage from the launcher

Sub Tasks

Description

With the purging of the LD_LIBRARY_PATH via 6367077, the JDK7 launcher is
vulnerable to the LD_LIBRARY_PATH picked up an ambient java on the path.
For example supposing ant is run with jdk6 to invoke a jdk7 exe say javac
then the LD_LIBRARY_PATH settings in the parent will be available to the
child. Due to the way the Solaris rtld works the libraries on the LLP
will take preceded over the libraries in jdk7, thus both libraries 
could exist in the process address space, thus this will lead to 
bizarre and unpredictable error conditions. See 6913237.
Though we are planning on Release noting this, the launcher must take
a defensive approach.
Ideally yes, 7021644 would be the right/ideal approach, but there seems
to be some issues with implementing that.

I think once the drive/path is on the LLP, the system will hit it
with stat(2), access(2), open(2) and mmap(2) calls on it. So what we
are doing here is adding one more stat call, more than likely it
will be lost in translation, considering the fact that rt.jar needs
to be loaded.

Comments

EVALUATION

It is not clear what the use case of this is, and how widespread, regardless
it would be better to take a defensive approach and have the launcher test the LD_LIBRARY_PATH values (and its variants LLP32/LLP64), for the existence of 
libjvm.so, if positive then cause the launcher to set the environment variable
for the intended JRE and re-exec.

2011-03-18

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together