JDK-6765546 : Wrong sscanf used to parse CompilerOracle command >= 32 characters could lead to crash
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: hs14,7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2008-10-30
  • Updated: 2011-03-22
  • Resolved: 2011-03-07
Fix Versions
  • JDK 6: 6u25 (Fixed)
  • JDK 7: 7 (Fixed)
  • Other: hs20 (Fixed)
Description
The sscanf call used to parse a CompilerOracle command name has the wrong field width for its destination buffer, so a command name of 32 or more characters can crash the VM.
The crash is triggered when a command name of 32 or more characters is given to CompilerOracle, either on the command line or in a .hotspot_compiler file.

The root cause is in vm\compiler\compilerOracle.cpp, parse_command_name(const char*, int*):

static OracleCommand parse_command_name(const char * line, int* bytes_read) {
  ...
  char command[32];                                   // 32 bytes of storage
  // "%32[a-z]" matches up to 32 letters and then appends a '\0':
  // up to 33 bytes are written into the 32-byte array.
  int result = sscanf(line, "%32[a-z]%n", command, bytes_read);
  ...
}


With a field width of 32, sscanf stores up to 32 matching characters plus a terminating null character, so the destination array must hold at least 33 bytes.

When the command name contains 32 or more [a-z] characters, sscanf writes the null terminator one byte past the end of command[32]. This produces a crash, or possibly wrong behaviour, depending on the compiler mode.


To reproduce, run:
 java -XX:CompileCommand=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,a/b/c.d -version

Comments
EVALUATION
6765546: Wrong sscanf used to parse CompilerOracle command >= 32 characters could lead to crash
Reviewed-by: kvn, iveresov

The buffer for a sscanf isn't long enough to include the null termination and we're missing a check for unknown commands. Tested with various command lines. I also fixed a bug with rejecting signatures including [
15-12-2010

EVALUATION http://hg.openjdk.java.net/jdk7/hotspot-comp/hotspot/rev/781072b12368
15-12-2010

SUGGESTED FIX
Replace 'char command[32];' with 'char command[33];' or replace '%32' with '%31' in compilerOracle.cpp.
30-10-2008
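The following is an added illustration, not HotSpot's code and not the fix that was committed. It shows the two points made in the description and in the suggested fix: first, that "%32[a-z]" stores up to 32 matching characters plus a null terminator (33 bytes), measured here with a 33-byte sentinel buffer so the write stays in bounds; second, a hardened parser in which the scan width is derived from the buffer size (the '%31' variant of the suggested fix), followed by the separator and known-command checks that the evaluation says were missing. The function names, the three-entry command table and the input lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: a 32-letter command name, as in the reproducer above. */
const char *const kLongCommandLine = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,a/b/c.d";

/* How many bytes does sscanf("%32[a-z]") actually store? We pass a 33-byte
 * buffer pre-filled with 'X' (uppercase, so it can never match [a-z]) and
 * count the leading bytes the call overwrote. For a 32-letter name the
 * answer is 33: 32 characters plus the '\0', one more than char command[32]
 * in the original code can hold. */
int bytes_written_by_width32(const char *line) {
    char buf[33];
    memset(buf, 'X', sizeof buf);
    int n = 0;
    if (sscanf(line, "%32[a-z]%n", buf, &n) != 1)
        return 0;
    int written = 0;
    while (written < (int)sizeof buf && buf[written] != 'X')
        written++;
    return written;
}

/* Illustrative subset of command names; hypothetical table, not HotSpot's. */
static const char *const kKnownCommands[] = { "exclude", "inline", "compileonly" };

/* Returns the index of a known command, or -1 for an unknown name. */
int lookup_command(const char *name) {
    for (size_t i = 0; i < sizeof kKnownCommands / sizeof kKnownCommands[0]; i++)
        if (strcmp(name, kKnownCommands[i]) == 0)
            return (int)i;
    return -1;
}

/* Hardened equivalent of parse_command_name. The sscanf width is computed
 * as out_size - 1, so the '\0' that sscanf appends always fits in `out`.
 * Returns the command index, or -1 when the line does not start with a
 * known command followed by a separator. *bytes_read receives the number
 * of characters consumed by the name scan (0 if nothing matched). */
int parse_command(const char *line, char *out, size_t out_size, int *bytes_read) {
    char fmt[32];
    *bytes_read = 0;
    out[0] = '\0';
    snprintf(fmt, sizeof fmt, "%%%zu[a-z]%%n", out_size - 1);   /* e.g. "%31[a-z]%n" */
    if (sscanf(line, fmt, out, bytes_read) != 1)
        return -1;                     /* no [a-z] run at the start of the line */
    /* A name longer than the buffer is truncated, leaving more letters in the
     * line; requiring a separator here rejects it instead of mis-parsing. */
    char next = line[*bytes_read];
    if (next != ',' && next != ' ' && next != '\t' && next != '\n' && next != '\0')
        return -1;
    return lookup_command(out);
}

int main(void) {
    char cmd[32];
    int n;
    printf("bytes stored by %%32[a-z] for a 32-letter name: %d\n",
           bytes_written_by_width32(kLongCommandLine));
    printf("hardened parse of the same line -> %d (bytes_read=%d)\n",
           parse_command(kLongCommandLine, cmd, sizeof cmd, &n), n);
    printf("hardened parse of \"exclude,a/b/c.d\" -> %d (bytes_read=%d)\n",
           parse_command("exclude,a/b/c.d", cmd, sizeof cmd, &n), n);
    return 0;
}
```

Deriving the width from sizeof rather than writing a literal is the point: the two numbers in the original code (32 in the declaration, 32 in the format) had to agree by hand and did not. With the width tied to the buffer, the 32-letter reproducer is scanned as 31 characters, fails the separator check, and is reported as an unknown command instead of writing past the array.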