On 27/03/2014 18:08, Volker Simonis wrote:
Hi,
a security audit for the PPC64/AIX port revealed an unsecure useage of
'strcpy' in Java_sun_tools_attach_AixVirtualMachine_connect(). Because
the same coding is also used in the Linux and BSD implementations, the
following change fixes them all together:
http://cr.openjdk.java.net/~simonis/webrevs/8038233/
https://bugs.openjdk.java.net/browse/JDK-8038233
Compiled and tested (with the com/sun/jdi, com/sun/tools/attach,
com/sun/management and sun/management JTreg tests) on Linux, MacOS X
and AIX.
Please notice that this fix is also intended for backporting tu 8u.
As we now have 3 implementations using socket pairs then there might be
an opportunity to consolidate the implementations, not for this patch of
course.
Your changes looks okay and it's good to memset the sockaddr_un
structure. As regards the issue is a concern or not then it's important
to note thaht the Attach API is in tools.jar, it's not in a JRE build.
Also an attach requires a Permission check if running with a security
manager and I likely vert rare for tools to do this. Also to cause a
problem then it would require the temporary directory to be unusually long.
-Alan.
