JDK-7075227 : NetworkInterface.getNetworkInterfaces() corrupts heap on IPv6 interfaces
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 6u26
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: linux
  • CPU: x86
  • Submitted: 2011-08-04
  • Updated: 2012-03-20
  • Resolved: 2012-01-01
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux hostname 3.0.0-0300-generic #201107220917 SMP Fri Jul 22 09:20:45 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux


EXTRA RELEVANT SYSTEM CONFIGURATION :
Ubuntu 11.04


A DESCRIPTION OF THE PROBLEM :
When my application calls NetworkInterface.getNetworkInterfaces(), I see the attached error message on stderr indicating heap corruption.

The problem appears to arise from an assumption in the Linux native network interface code (enumIPv6Interfaces() in src/solaris/native/java/net/NetworkInterface.c) that parses /proc/net/if_inet6. It assumes that the interface index field (second column) is always a 2-digit hex value, when in fact the Linux kernel allows up to 31 bits for ifindexes.

Apparently the fscanf ends up parsing various values incorrectly, which causes a buffer overrun. glibc notices the heap corruption when somewhere down the line free() is called.


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Make sure IPv6 is enabled (/proc/sys/net/ipv6/conf/all/disable_ipv6 is 0).

Create and destroy a bunch of tap interfaces (e.g. by running openvpn repeatedly) until the kernel's global interface index exceeds 256. This causes a value in the second column of /proc/net/if_inet6 to exceed 2 hex characters.

For example:
$ cat /proc/net/if_inet6
fe80000000000000f4c3ccfffed31320 203 40 20 80  s5-eth2
fe80000000000000020000fffe000007 206 40 20 80     tap2
fe80000000000000ecca32fffef5704f 1f8 40 20 80  s6-eth1
fe80000000000000a8ecb1fffe514d3c 200 40 20 80  s6-eth3
fe800000000000006c6433fffe91f58f 201 40 20 80  s5-eth1
fe80000000000000020000fffe000005 204 40 20 c0     tap0
fe80000000000000546553fffef2c013 1fc 40 20 80  s7-eth1
fe80000000000000741110fffe5f1ca7 1fa 40 20 c0  s6-eth2
fe80000000000000a079ebfffe52d9f8 1fe 40 20 80  s7-eth2
fe80000000000000020000fffe000006 205 40 20 c0     tap1
fe80000000000000a87997fffeef82d4 202 40 20 c0  s7-eth3
fe80000000000000181cc5fffe960512 1f2 40 20 80     iso1
00000000000000000000000000000001 1f1 80 10 80       lo



ERROR MESSAGES/STACK TRACES THAT OCCUR :
*** glibc detected *** /usr/lib/jvm/java-6-sun-1.6.0.26/bin/java: malloc(): memory corruption: 0x00000000426724e0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x79d7a)[0x2ba0141e3d7a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x6e)[0x2ba0141e631e]
/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/amd64/libnet.so(+0x5b19)[0x2ba01ba00b19]
/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/amd64/libnet.so(+0x621e)[0x2ba01ba0121e]
/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/amd64/libnet.so(+0x59e0)[0x2ba01ba009e0]
/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/amd64/libnet.so(Java_java_net_NetworkInterface_getAll+0x13)[0x2ba01b9fff23]
[0x2ba016b86b55]


REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Disable IPv6 in the kernel network stack by writing 1 to /proc/sys/net/ipv6/conf/all/disable_ipv6 .
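
The parsing assumption described in this report, shown as an added example that is not the JDK's source: `parse_fragile` assumes a two-digit index and silently shifts every later field on the report's sample row, while `parse_if_inet6_line` bounds each field and rejects rows it cannot consume completely. The struct, function names and field widths are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* One row of /proc/net/if_inet6; buffer sizes are choices of this example. */
struct if6_entry {
    char addr[33];                 /* 32 hex digits + NUL */
    unsigned int ifindex, plen, scope, flags;
    char name[16];                 /* IFNAMSIZ on Linux, NUL included */
};

/* Row copied from the report's sample output (ifindex 0x203). */
static const char SAMPLE_ROW[] =
    "fe80000000000000f4c3ccfffed31320 203 40 20 80  s5-eth2";

/* Fragile: assumes a two-digit index. sscanf still reports six
 * conversions, so the shifted fields are accepted without any error. */
int parse_fragile(const char *line, struct if6_entry *e)
{
    memset(e, 0, sizeof *e);
    return sscanf(line, "%32s %2x %2x %2x %2x %15s", e->addr,
                  &e->ifindex, &e->plen, &e->scope, &e->flags, e->name) == 6
               ? 0 : -1;
}

/* Hardened: index may use up to 8 hex digits, every string width fits its
 * buffer, and the row is rejected unless it is consumed completely. */
int parse_if_inet6_line(const char *line, struct if6_entry *e)
{
    int used = -1;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%32[0-9a-fA-F] %8x %2x %2x %2x %15s %n", e->addr,
               &e->ifindex, &e->plen, &e->scope, &e->flags, e->name,
               &used) != 6)
        return -1;
    if (used < 0 || line[used] != '\0' || strlen(e->addr) != 32)
        return -1;                 /* trailing data or short address */
    if (e->ifindex == 0 || e->ifindex > 0x7fffffffu)
        return -1;                 /* outside the 31-bit ifindex range */
    return 0;
}

int main(void)
{
    struct if6_entry e;
    parse_fragile(SAMPLE_ROW, &e);
    printf("fragile : index=%x name=%s\n", e.ifindex, e.name);
    if (parse_if_inet6_line(SAMPLE_ROW, &e) == 0)
        printf("hardened: index=%x name=%s\n", e.ifindex, e.name);
    return 0;
}
```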