CVE-2022-40433: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allowing attackers to cause a denial of service. Note: the vendor states that this is Defense in Depth at most, due to the nature of the issue and the special circumstances required (the server must be running particular code locally, code compiled with an old, old version of javac, etc.).
ADDITIONAL SYSTEM INFORMATION :
OS version:
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
JDK version we used:
openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-86)
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)
openjdk version "18" 2022-03-22
OpenJDK Runtime Environment (build 18+36-2087)
OpenJDK 64-Bit Server VM (build 18+36-2087, mixed mode, sharing)
openjdk version "19-ea" 2022-09-20
OpenJDK Runtime Environment (build 19-ea+13-808)
OpenJDK 64-Bit Server VM (build 19-ea+13-808, mixed mode, sharing)
A DESCRIPTION OF THE PROBLEM :
When we ran the test on jdk17.0.2, jdk18 and jdk19-ea, all in compiled mode (with "-Xcomp"), it crashed with the following message. But when we ran the test in mixed mode or interpreted mode (with "-Xint"), it passed successfully.
The error message in compiled mode:
jdk17.0.2:
# A fatal error has been detected by the Java Runtime Environment:
# SIGSEGV (0xb) at pc=0x00007f0b86b5a37b, pid=32365, tid=32379
# JRE version: OpenJDK Runtime Environment (17.0.2+8) (build 17.0.2+8-86)
# Java VM: OpenJDK 64-Bit Server VM (17.0.2+8-86, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)
# Problematic frame:
# V [libjvm.so+0x52837b] ciMethodBlocks::make_block_at(int)+0x3b
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
# An error report file with more information is saved as:
# /home/minghai/hs_err_pid32365.log
# Compiler replay data is saved as:
# /home/minghai/replay_pid32365.log
# If you would like to submit a bug report, please visit:
# https://bugreport.java.com/bugreport/crash.jsp
jdk18:
# A fatal error has been detected by the Java Runtime Environment:
# SIGSEGV (0xb) at pc=0x00007f9a003d800b, pid=32250, tid=32263
# JRE version: OpenJDK Runtime Environment (18.0+36) (build 18+36-2087)
# Java VM: OpenJDK 64-Bit Server VM (18+36-2087, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)
# Problematic frame:
# V [libjvm.so+0x54b00b] ciTypeFlow::get_block_for(int, ciTypeFlow::JsrSet*, ciTypeFlow::CreateOption)+0x2b
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
# An error report file with more information is saved as:
# /home/minghai/hs_err_pid32250.log
# Compiler replay data is saved as:
# /home/minghai/replay_pid32250.log
# If you would like to submit a bug report, please visit:
# https://bugreport.java.com/bugreport/crash.jsp
jdk19-ea:
# A fatal error has been detected by the Java Runtime Environment:
# SIGSEGV (0xb) at pc=0x00007f96f291b1fb, pid=32319, tid=32332
# JRE version: OpenJDK Runtime Environment (19.0+13) (build 19-ea+13-808)
# Java VM: OpenJDK 64-Bit Server VM (19-ea+13-808, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)
# Problematic frame:
# V [libjvm.so+0x5571fb] ciTypeFlow::get_block_for(int, ciTypeFlow::JsrSet*, ciTypeFlow::CreateOption)+0x2b
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
# An error report file with more information is saved as:
# /home/minghai/hs_err_pid32319.log
# Compiler replay data is saved as:
# /home/minghai/replay_pid32319.log
# If you would like to submit a bug report, please visit:
# https://bugreport.java.com/bugreport/crash.jsp
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. extract the bug.zip
2. in directory "bug", run command:
java -cp ./bugFiles:./util:./junit.jar:./hamcrest.jar:./target/classes:./target/test-classes org.junit.runner.JUnitCore com.alibaba.fastjson.deserializer.issue1463.TestIssue1463
you may add "-Xcomp" or "-Xint" to get different results.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The result should be the same since the program is the same, no matter whether it runs in compiled mode, mixed mode or interpreted mode.
ACTUAL -
When run in compiled mode (with "-Xcomp"), it crashed. But when run in mixed mode or interpreted mode (with "-Xint"), it passed successfully.
---------- BEGIN SOURCE ----------
to be attached in bug.zip
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
run the command without -Xcomp or with -Xint
FREQUENCY : always
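The three crash banners quoted in this report share one shape: a SIGSEGV in VM code (frame code V) inside libjvm.so, in a C2 front-end frame (ciMethodBlocks::make_block_at or ciTypeFlow::get_block_for), with the JVM running in compiled mode. The following triage helper is an added example, not part of the bug report or of OpenJDK: it parses that banner (the same text that heads an hs_err_pid*.log), extracts the signal, pc, JVM execution mode and problematic frame, and flags whether the frame matches the C2 frames named here, so a fleet of hs_err files can be screened for this signature before deciding on the report's workaround (drop -Xcomp or use -Xint) and the vendor update. The regexes assume the banner layout shown above; the jdk17 and jdk18 samples are copied from the report, and the libc sample is a constructed, hypothetical negative case.

```python
# Added triage helper (not part of the bug report or of OpenJDK): parse the
# HotSpot fatal-error banner and test whether the crash matches the C2
# frames quoted in this report. The line formats assumed are the ones
# printed above; the libc banner is constructed as a negative case.
import re
from dataclasses import dataclass
from typing import Optional

# C2 frames named in the three crash headers above (CVE-2022-40433).
CVE_2022_40433_FRAMES = frozenset({
    "ciMethodBlocks::make_block_at",
    "ciTypeFlow::get_block_for",
})

_SIGNAL_RE = re.compile(
    r"^#\s+(?P<signal>SIG[A-Z]+)\s+\((?P<signo>0x[0-9a-fA-F]+)\)\s+at pc="
    r"(?P<pc>0x[0-9a-fA-F]+),\s*pid=(?P<pid>\d+),\s*tid=(?P<tid>\d+)")
_JAVA_VM_RE = re.compile(r"^#\s+Java VM:\s+[^(]+\((?P<props>[^)]*)\)")
# Frame line shape: "# V [libjvm.so+0x54b00b] symbol(args)+0x3b"
_FRAME_RE = re.compile(
    r"^#\s+(?P<code>[VCvjJ])\s+\[(?P<lib>[^\]+]+)\+0x[0-9a-fA-F]+\]\s+"
    r"(?P<symbol>.*)\+0x[0-9a-fA-F]+\s*$")

@dataclass
class CrashSummary:
    signal: str
    pc: str
    pid: int
    tid: int
    jvm_mode: Optional[str]   # "compiled mode", "mixed mode" or "interpreted mode"
    frame_code: str           # V = VM code, C = native, J/j = compiled/interpreted Java
    library: str
    symbol: str               # symbol as printed, including its parameter list
    function: str             # symbol without the parameter list

def parse_hs_err_header(text: str) -> CrashSummary:
    """Extract the triage-relevant fields from a HotSpot fatal-error banner."""
    signal = frame = None
    props = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if (m := _SIGNAL_RE.match(line)):
            signal = m
        elif (m := _JAVA_VM_RE.match(line)):
            props = [p.strip() for p in m.group("props").split(",")]
        elif line.strip() == "# Problematic frame:" and i + 1 < len(lines):
            frame = _FRAME_RE.match(lines[i + 1])
    if signal is None or frame is None:
        raise ValueError("not a HotSpot fatal-error header")
    mode = next((p for p in props if p.endswith(" mode")), None)
    symbol = frame.group("symbol").strip()
    return CrashSummary(
        signal=signal.group("signal"), pc=signal.group("pc"),
        pid=int(signal.group("pid")), tid=int(signal.group("tid")),
        jvm_mode=mode, frame_code=frame.group("code"),
        library=frame.group("lib"), symbol=symbol,
        function=symbol.split("(", 1)[0],
    )

def matches_cve_2022_40433(s: CrashSummary) -> bool:
    """A VM-code SIGSEGV in libjvm.so inside one of the C2 frames from this report."""
    return (s.signal == "SIGSEGV" and s.frame_code == "V"
            and s.library == "libjvm.so" and s.function in CVE_2022_40433_FRAMES)

def triage(text: str) -> str:
    """One-line verdict suitable for a ticket or alert annotation."""
    s = parse_hs_err_header(text)
    where = f"{s.signal} in {s.function} [{s.library}], {s.jvm_mode}"
    if matches_cve_2022_40433(s):
        return (f"pid {s.pid}: {where}; matches CVE-2022-40433. Report's workaround: "
                "run without -Xcomp or with -Xint; apply the JDK update.")
    return f"pid {s.pid}: {where}; not the CVE-2022-40433 signature."

# Banner lines from the jdk17.0.2 run quoted in the report.
SAMPLE_JDK17_HEADER = """\
# SIGSEGV (0xb) at pc=0x00007f0b86b5a37b, pid=32365, tid=32379
# Java VM: OpenJDK 64-Bit Server VM (17.0.2+8-86, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)
# Problematic frame:
# V [libjvm.so+0x52837b] ciMethodBlocks::make_block_at(int)+0x3b
"""
# Banner lines from the jdk18 run quoted in the report.
SAMPLE_JDK18_HEADER = """\
# SIGSEGV (0xb) at pc=0x00007f9a003d800b, pid=32250, tid=32263
# Java VM: OpenJDK 64-Bit Server VM (18+36-2087, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)
# Problematic frame:
# V [libjvm.so+0x54b00b] ciTypeFlow::get_block_for(int, ciTypeFlow::JsrSet*, ciTypeFlow::CreateOption)+0x2b
"""
# Constructed, hypothetical native crash (not from the report) as a negative case.
SAMPLE_NATIVE_HEADER = """\
# SIGSEGV (0xb) at pc=0x00007f1d0c18b8a0, pid=4242, tid=4250
# Java VM: OpenJDK 64-Bit Server VM (17.0.2+8-86, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)
# Problematic frame:
# C [libc.so.6+0x18b8a0] __memmove_avx_unaligned_erms+0x1a0
"""

if __name__ == "__main__":
    for banner in (SAMPLE_JDK17_HEADER, SAMPLE_JDK18_HEADER, SAMPLE_NATIVE_HEADER):
        print(triage(banner))
```

Point the script at the first lines of any hs_err_pid*.log; the match deliberately requires all four properties (SIGSEGV, VM frame, libjvm.so, a named C2 function) so that an unrelated native or Java-frame crash in the same process is not misattributed to this CVE.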
Related news
Ubuntu Security Notice 6528-1 - It was discovered that the HotSpot VM implementation in OpenJDK did not properly validate bytecode blocks in certain situations. An attacker could possibly use this to cause a denial of service. Carter Kozak discovered that OpenJDK, when compiling with AVX-512 instruction support enabled, could produce code that resulted in memory corruption in certain situations. An attacker targeting applications built in this way could possibly use this to cause a denial of service or execute arbitrary code. In Ubuntu, OpenJDK defaults to not using AVX-512 instructions.