JDK-6837842 : JNI_CreateJavaVM crashes under impersonation

Details
Type: Bug
Submit Date: 2009-05-06
Status: Closed
Updated Date: 2012-10-08
Project Name: JDK
Resolved Date: 2010-05-04
Component: hotspot
OS: windows_xp
Sub-Component: runtime
CPU: x86
Priority: P3
Resolution: Fixed
Affected Versions: 6u10, 6u13
Fixed Versions: 6u20-rev (b05)

Related Reports
Backport:

Sub Tasks

Description
FULL PRODUCT VERSION :
java version "1.6.0_13"
Java(TM) SE Runtime Environment (build 1.6.0_13-b03)
Java HotSpot(TM) Client VM (build 11.3-b02, mixed mode)


FULL OS VERSION :
Microsoft Windows XP [Version 5.1.2600]
(can be also reproduced on Microsoft Windows 2000)

A DESCRIPTION OF THE PROBLEM :
JNI_CreateJavaVM started crashing when run under impersonation on Windows in the latest versions of the JDK. It was working fine in version 1.6.0_01, it was crashing in version 1.6.0_04, and it is still crashing in the latest 1.6.0_13 version.
It seems that there was a change in the implementation of JNI_CreateJavaVM between versions 1.6.0_01 and 1.6.0_04 that causes the crash.

THE PROBLEM WAS REPRODUCIBLE WITH -Xint FLAG: Did not try

THE PROBLEM WAS REPRODUCIBLE WITH -server FLAG: Did not try

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile the C++ code below.
Run the generated executable with the following command line arguments:

exe_name.exe path_to_jvm.dll username domain password

where:
path_to_jvm.dll is a full path to the jvm.dll
username is the name of the user
domain is the name of the user domain
password is the user password in the domain

EXPECTED VERSUS ACTUAL BEHAVIOR :
If jvm.dll from version 1.6.0_01 is specified as an argument, the program outputs "Successfully created JVM". If jvm.dll from version 1.6.0_13 is used, the program crashes in the call to JNI_CreateJavaVM.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
First-chance exception at 0x7c9136be in JavaImpersonation.exe: 0xC0000005: Access violation reading location 0x00000001.
Unhandled exception at 0x7c9136be in JavaImpersonation.exe: 0xC0000005: Access violation reading location 0x00000001.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
#include <tchar.h>
#include <stdio.h>
#include <jni.h>
#include <windows.h>

typedef jint (JNICALL *JNI_CREATEJAVAVM)(JavaVM **, JNIEnv **, void *);

JNI_CREATEJAVAVM jni_JNI_CreateJavaVM = NULL;
//
// USAGE:
// name_of_exe.exe path_to_jvm username domain password
//
int _tmain(int argc, _TCHAR* argv[])
{
    if (argc < 5)
    {
        printf("Usage: name_of_exe.exe path_to_jvm username domain password\n");
        return 1;
    }
    HMODULE hJvm = ::LoadLibrary(argv[1]); // path to jvm.dll
    if (hJvm == NULL)
    {
        printf("Could not load jvm.dll\n");
        return 0;
    }
    jni_JNI_CreateJavaVM = (JNI_CREATEJAVAVM)GetProcAddress(hJvm, "JNI_CreateJavaVM");
    if (jni_JNI_CreateJavaVM)
    {
        HANDLE hLogon;
        // Log the target user on and obtain a token for that account.
        BOOL result = ::LogonUser(argv[2], // username
            argv[3], // domain
            argv[4], // password
            LOGON32_LOGON_INTERACTIVE,
            LOGON32_PROVIDER_DEFAULT,
            &hLogon);
        if (!result)
        {
            printf("Could not logon user\n");
        }
        else
        {
            // Impersonate that user on the current thread; JNI_CreateJavaVM then runs in its security context.
            if (!::ImpersonateLoggedOnUser(hLogon))
            {
                printf("Could not impersonate user\n");
            }
            else
            {
                JavaVMInitArgs args;

                const int count = 1;
                JavaVMOption options[count];
                options[0].optionString = const_cast<char*>("-verbose:jni");
                args.options = options;
                args.nOptions = count;
                args.ignoreUnrecognized = TRUE;
                args.version = JNI_VERSION_1_6;

                JavaVM* jvm = NULL;
                JNIEnv* env = NULL;
                // With the affected jvm.dll versions this call crashes while impersonating.
                int res = jni_JNI_CreateJavaVM(&jvm, &env, &args);
                if (res == 0)
                {
                    printf("Successfully created JVM\n");
                }
                else
                {
                    printf("Could not create JVM\n");
                }
                ::RevertToSelf(); // drop the impersonation token from this thread
            }
            ::CloseHandle(hLogon);
        }
    }
    ::FreeLibrary(hJvm);
    return 0;
}
---------- END SOURCE ----------

Release Regression From : 6u1
The above release value was the last known release where this bug was not reproducible. Since then there has been a regression.
moving to comments section.


Comments
EVALUATION

http://hg.openjdk.java.net/hsx/hsx17/baseline/rev/47083018c460
2011-04-22
EVALUATION

http://hg.openjdk.java.net/jdk7/build/hotspot/rev/0b33f0736406
2010-12-25
EVALUATION

<moved to JDK 7 sub-CR>
2010-11-19
EVALUATION

In the add_allow_aces() function, we are going over the elements of the aces[] array.
  for (int i = 0; i < ace_count; i++) {
     newACLsize += GetLengthSid(aces[i].pSid);
  }

When a non-admin impersonated user calls JNI_CreateJavaVM, the crash happens because the pSid of the first element of the aces[] array is 0, and without checking for a 0 value we call GetLengthSid(), which crashes.
2010-03-03
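As an added illustration (not HotSpot's own code), the unchecked loop quoted in the evaluation is shown beside a form that tolerates an ACE with no SID. The mock_sid, mock_ace and mock_get_length_sid names are constructed stand-ins for the Windows SID/ACE types and GetLengthSid, so the example builds off Windows; the SID length arithmetic follows the documented SID layout.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the Windows SID and ACE types so this builds off Windows.
 * The SID layout follows the documented structure: revision, sub-authority count,
 * 6-byte identifier authority, then the sub-authorities. */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];
    uint32_t SubAuthority[8];   /* only SubAuthorityCount entries are meaningful */
} mock_sid;

typedef struct {
    uint32_t  access_mask;
    mock_sid *pSid;             /* NULL here is the case that crashed JNI_CreateJavaVM */
} mock_ace;

/* Same arithmetic as GetLengthSid: 8-byte header plus 4 bytes per sub-authority. */
static size_t mock_get_length_sid(const mock_sid *sid) {
    return 8 + 4u * sid->SubAuthorityCount;
}

/* The loop as quoted in the evaluation: dereferences every pSid unconditionally,
 * so an ACE whose pSid is NULL faults inside the length computation. */
size_t acl_size_unchecked(const mock_ace *aces, int ace_count) {
    size_t newACLsize = 0;
    for (int i = 0; i < ace_count; i++)
        newACLsize += mock_get_length_sid(aces[i].pSid);
    return newACLsize;
}

/* Hardened form: skip ACEs with no SID and count them, so the caller can decide
 * whether to treat a SID-less ACE as an error instead of silently ignoring it. */
size_t acl_size_checked(const mock_ace *aces, int ace_count, int *skipped) {
    size_t newACLsize = 0;
    *skipped = 0;
    for (int i = 0; i < ace_count; i++) {
        if (aces[i].pSid == NULL) { (*skipped)++; continue; }
        newACLsize += mock_get_length_sid(aces[i].pSid);
    }
    return newACLsize;
}

/* Constructed input: first ACE carries no SID (the impersonated non-admin case),
 * then a 2-sub-authority SID (16 bytes) and a 5-sub-authority SID (28 bytes). */
mock_sid sid_two  = { 1, 2, {0, 0, 0, 0, 0, 5}, {32, 544} };
mock_sid sid_five = { 1, 5, {0, 0, 0, 0, 0, 5}, {21, 1, 2, 3, 1000} };
mock_ace sample_aces[3] = { { 0x1F01FF, NULL }, { 0x1F01FF, &sid_two }, { 0x1F01FF, &sid_five } };
```

Calling acl_size_unchecked on sample_aces from index 0 reproduces the NULL dereference; acl_size_checked returns 44 bytes and reports one skipped ACE.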