Bug#876068: marked as done (i386 applications using JNI may crash due to Hotspot workaround for Exec Shield)

Debian Bug Tracking System Mon, 17 Apr 2023 09:12:28 -0700

Your message dated Mon, 17 Apr 2023 18:09:01 +0200
with message-id <[email protected]>
and subject line openjdk-7 has been removed from Debian
has caused the Debian Bug report #876068,
regarding i386 applications using JNI may crash due to Hotspot workaround for 
Exec Shield
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
876068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876068
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: openjdk-8-jre-headless
Version: 8u144-b01-1
Severity: important
Tags: patch

Following the fix for CVE-2017-1000364 (Stack Clash) in the Linux
kernel, it was reported that some applications using JNI on i386 would
crash (bug #865303 and others).

I tracked this down to some questionable code in Hotspot that
allocates a page of writable, executable memory near the limit (lowest
address) of the main thread stack.  This is commented as being a
workaround for JDK-8023956, which seems to be a bug in the Exec Shield
NX emulation patch applied to Red Hat and Ubuntu kernels (RH bug
#996149, which is not public).  I don't know whether that bug was
ever fixed in Exec Shield.

Since Debian has never applied out-of-tree Exec Shield kernel patches,
perhaps it would better to disable this workaround?  I would prefer to
fix this on the kernel side, but even if it does get fixed there is a
security benefit in eliminating a page of memory that is both writable
and executable.

Ben.

--- 
openjdk-8-8u144-b01/debian/patches/hotspot-disable-exec-shield-workaround.patch
+++ 
openjdk-8-8u144-b01/debian/patches/hotspot-disable-exec-shield-workaround.patch
@@ -0,0 +1,15 @@
+# DP: Hotspot: disable Exec Shield workaround (JDK-8023956).
+# DP: This workaround interacts badly with kernel changes to enlarge the stack
+# DP: gap, causing applications using JNI to crash (Debian bug #865303).
+# DP: Debian has never applied the Exec Shield patches.
+--- a/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
++++ b/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
+@@ -890,7 +890,7 @@ void os::verify_stack_alignment() {
+  * updates (JDK-8023956).
+  */
+ void os::workaround_expand_exec_shield_cs_limit() {
+-#if defined(IA32) && !defined(ZERO)
++#if 0
+   size_t page_size = os::vm_page_size();
+   /*
+    * Take the highest VA the OS will give us and exec
--- openjdk-8-8u144-b01/debian/rules
+++ openjdk-8-8u144-b01/debian/rules
@@ -380,6 +380,7 @@
        8164293.diff \
        jdk-i18n-pt_BR.diff \
        jdk-java-nio-bits-unligned-aarch64.diff \
+       hotspot-disable-exec-shield-workaround.patch \
 
 #      jdk-derived-font-size.diff \
 # FIXME: update patches
--- END ---

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openjdk-8-jre-headless depends on:
ii  ca-certificates-java  20170531+nmu1
ii  java-common           0.59
ii  libc6                 2.24-17
ii  libcups2              2.2.4-6
ii  libfontconfig1        2.12.3-0.2
ii  libfreetype6          2.8-0.2
ii  libgcc1               1:7.2.0-3
ii  libjpeg62-turbo       1:1.5.2-2
ii  liblcms2-2            2.8-4
ii  libnss3               2:3.32-2
ii  libpcsclite1          1.8.22-1
ii  libstdc++6            7.2.0-3
ii  libx11-6              2:1.6.4-3
ii  libxext6              2:1.3.3-1+b2
ii  libxi6                2:1.7.9-1
ii  libxrender1           1:0.9.10-1
ii  libxtst6              2:1.2.3-1
ii  util-linux            2.29.2-4
ii  zlib1g                1:1.2.8.dfsg-5

openjdk-8-jre-headless recommends no packages.

Versions of packages openjdk-8-jre-headless suggests:
ii  fonts-dejavu-extra    2.37-1
pn  fonts-indic           <none>
pn  fonts-ipafont-gothic  <none>
pn  fonts-ipafont-mincho  <none>
pn  fonts-wqy-microhei    <none>
pn  fonts-wqy-zenhei      <none>
ii  libnss-mdns           0.10-8

-- no debconf information

--- End Message ---

--- Begin Message ---

Version: 7u211-2.6.17-1+rm

openjdk-7 was last released with Debian 8 (jessie) in April 2015
and was removed from the Debian archive afterwards.
It has been superseded by openjdk-8 and newer versions.
See https://bugs.debian.org/928988 for details on the removal.
I'm closing the remaining bug reports now.

Andreas

--- End Message ---

Bug#876068: marked as done (i386 applications using JNI may crash due to Hotspot workaround for Exec Shield)

Reply via email to