JDK-6837842 : JNI_CreateJavaVM crashes under impersonation
  • Type: Bug
  • Component: hotspot
  • Sub-Component: runtime
  • Affected Version: 6u10,6u13
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2009-05-06
  • Updated: 2012-10-08
  • Resolved: 2010-05-04
Fix Versions
  • JDK 6: 6u20-rev b05 (Fixed)
  • JDK 7: 7 (Fixed)
  • Other: hs16.3 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.6.0_13"
Java(TM) SE Runtime Environment (build 1.6.0_13-b03)
Java HotSpot(TM) Client VM (build 11.3-b02, mixed mode)


FULL OS VERSION :
Microsoft Windows XP [Version 5.1.2600]
(can be also reproduced on Microsoft Windows 2000)

A DESCRIPTION OF THE PROBLEM :
JNI_CreateJavaVM started crashing when called under impersonation on Windows in recent versions of the JDK. It worked in version 1.6.0_01, crashed in version 1.6.0_04, and still crashes in the latest version, 1.6.0_13.
It seems that a change in the implementation of JNI_CreateJavaVM between versions 1.6.0_01 and 1.6.0_04 causes the crash.

THE PROBLEM WAS REPRODUCIBLE WITH -Xint FLAG: Did not try

THE PROBLEM WAS REPRODUCIBLE WITH -server FLAG: Did not try

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile the C++ code below.
Run the generated executable with the following command line arguments:

exe_name.exe path_to_jvm.dll username domain password

where:
path_to_jvm.dll is a full path to the jvm.dll
username is the name of the user
domain is the name of the user domain
password is the user password in the domain

EXPECTED VERSUS ACTUAL BEHAVIOR :
If jvm.dll from version 1.6.0_01 is specified as an argument, the program outputs "Successfully created JVM". If jvm.dll from version 1.6.0_13 is used, the program crashes in the call to JNI_CreateJavaVM.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
First-chance exception at 0x7c9136be in JavaImpersonation.exe: 0xC0000005: Access violation reading location 0x00000001.
Unhandled exception at 0x7c9136be in JavaImpersonation.exe: 0xC0000005: Access violation reading location 0x00000001.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
#include <tchar.h>
#include <stdio.h>
#include <jni.h>
#include <windows.h>

// Signature of JNI_CreateJavaVM as exported by jvm.dll.
typedef jint (JNICALL *JNI_CREATEJAVAVM)(JavaVM **, JNIEnv **, void *);

JNI_CREATEJAVAVM jni_JNI_CreateJavaVM = NULL;

//
// USAGE:
// name_of_exe.exe path_to_jvm username domain password
//
int _tmain(int argc, _TCHAR* argv[])
{
    if (argc < 5)
    {
        printf("Usage: name_of_exe.exe path_to_jvm username domain password\n");
        return 1;
    }

    HMODULE hJvm = ::LoadLibrary(argv[1]); // path to jvm.dll
    if (hJvm == NULL)
    {
        printf("Could not load jvm.dll\n");
        return 1;
    }

    jni_JNI_CreateJavaVM = (JNI_CREATEJAVAVM)GetProcAddress(hJvm, "JNI_CreateJavaVM");
    if (jni_JNI_CreateJavaVM)
    {
        HANDLE hLogon = NULL;
        BOOL result = ::LogonUser(argv[2], // username
            argv[3], // domain
            argv[4], // password
            LOGON32_LOGON_INTERACTIVE,
            LOGON32_PROVIDER_DEFAULT,
            &hLogon);
        if (!result)
        {
            printf("Could not logon user\n");
        }
        else
        {
            // Switch the calling thread to the logged-on user's token; the JVM
            // is then created while impersonating that user.
            if (!::ImpersonateLoggedOnUser(hLogon))
            {
                printf("Could not impersonate user\n");
            }
            else
            {
                JavaVMInitArgs args;

                const int count = 1;
                JavaVMOption options[count];
                char verbose[] = "-verbose:jni"; // optionString is a non-const char*
                options[0].optionString = verbose;
                args.options = options;
                args.nOptions = count;
                args.ignoreUnrecognized = JNI_TRUE;
                args.version = JNI_VERSION_1_6;

                JavaVM* jvm = NULL;
                JNIEnv* env = NULL;
                jint res = jni_JNI_CreateJavaVM(&jvm, &env, &args); // crashes here with 1.6.0_13
                if (res == 0)
                {
                    printf("Successfully created JVM\n");
                    jvm->DestroyJavaVM();
                }
                else
                {
                    printf("Could not create JVM\n");
                }
                ::RevertToSelf(); // drop the impersonation token again
            }
            ::CloseHandle(hLogon);
        }
    }
    ::FreeLibrary(hJvm);
    return 0;
}


---------- END SOURCE ----------

Release Regression From : 6u1
The above release value was the last known release where this bug was not reproducible. Since then there has been a regression.

Comments
EVALUATION http://hg.openjdk.java.net/hsx/hsx17/baseline/rev/47083018c460
22-04-2011

EVALUATION http://hg.openjdk.java.net/jdk7/build/hotspot/rev/0b33f0736406
25-12-2010

EVALUATION <moved to JDK 7 sub-CR>
19-11-2010

EVALUATION In the add_allow_aces() function, we are going over the elements of the aces[] array.

    for (int i = 0; i < ace_count; i++) {
        newACLsize += GetLengthSid(aces[i].pSid);
    }

When a non-admin impersonated user calls JNI_CreateJavaVM, a crash happens because the pSid of the first element of the aces[] array is 0 and, without checking for a 0 value, we are calling GetLengthSid() and that crashes.
03-03-2010
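The evaluation above describes a NULL pSid reaching GetLengthSid() inside the ACL-size loop. The following is an added example, not HotSpot's code and not the actual fix, that models that loop in portable C so it compiles without the Win32 headers: model_sid_t, model_ace_t and model_get_length_sid() are constructed stand-ins for SID, the aces[] element type and GetLengthSid(); ACE_FIXED_BYTES is my assumed per-ACE overhead before the SID; and the sample ACE list is constructed with a NULL pSid in its first element, mirroring the condition the evaluation names. It shows the unguarded loop as quoted beside a guarded version that skips entries without a SID and reports how many it skipped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a Windows SID (assumption: the real SID is a
   variable-length structure of 8 + 4 * SubAuthorityCount bytes; this model
   keeps only the fields needed to compute that length). */
typedef struct {
    uint8_t  revision;
    uint8_t  sub_authority_count;
    uint8_t  identifier_authority[6];
    uint32_t sub_authority[15];
} model_sid_t;

/* Stand-in for Win32 GetLengthSid(): like the real call it dereferences its
   argument unconditionally, so a NULL pointer is an access violation. */
static size_t model_get_length_sid(const model_sid_t *sid) {
    return 8u + 4u * sid->sub_authority_count;
}

/* Constructed stand-in for one element of the aces[] array named in the evaluation. */
typedef struct {
    uint32_t     mask;   /* access mask; not used by the size computation */
    model_sid_t *pSid;   /* NULL in the first entry under a non-admin impersonated user */
} model_ace_t;

/* Assumed fixed bytes per ACE that precede the SID (ACE header + access mask). */
#define ACE_FIXED_BYTES 8u

/* The loop as quoted in the evaluation: no NULL check, so a NULL pSid crashes. */
size_t acl_size_unguarded(const model_ace_t *aces, int ace_count) {
    size_t newACLsize = 0;
    for (int i = 0; i < ace_count; i++) {
        newACLsize += ACE_FIXED_BYTES + model_get_length_sid(aces[i].pSid);
    }
    return newACLsize;
}

/* Guarded version (my defensive rewrite, not the HotSpot fix): an entry with
   no SID contributes nothing and is counted in *skipped so the caller can
   decide whether an ACL with missing principals is acceptable. */
size_t acl_size_guarded(const model_ace_t *aces, int ace_count, int *skipped) {
    size_t newACLsize = 0;
    int missing = 0;
    for (int i = 0; i < ace_count; i++) {
        if (aces[i].pSid == NULL) {
            missing++;
            continue;
        }
        newACLsize += ACE_FIXED_BYTES + model_get_length_sid(aces[i].pSid);
    }
    if (skipped) *skipped = missing;
    return newACLsize;
}

/* Constructed sample SIDs: 5 and 2 sub-authorities, so 28 and 16 bytes each. */
static model_sid_t user_sid  = { 1, 5, {0, 0, 0, 0, 0, 5}, {21, 1000, 2000, 3000, 1001} };
static model_sid_t admin_sid = { 1, 2, {0, 0, 0, 0, 0, 5}, {32, 544} };

/* Constructed sample: three ACEs, the first with no SID, as in the bug.
   Guarded size = (8 + 28) + (8 + 16) = 60 bytes, with one entry skipped. */
size_t sample_acl_size(int *skipped) {
    model_ace_t aces[] = {
        { 0x001F01FF, NULL },
        { 0x001F01FF, &user_sid },
        { 0x001F01FF, &admin_sid },
    };
    int ace_count = (int)(sizeof aces / sizeof aces[0]);
    return acl_size_guarded(aces, ace_count, skipped);
}

/* Number of SID-less entries in the constructed sample. */
int sample_acl_missing_sids(void) {
    int skipped = 0;
    sample_acl_size(&skipped);
    return skipped;
}

/* Same sample without the NULL entry: the unguarded loop is safe here and
   must agree with the guarded result. */
size_t sample_acl_size_present_only(void) {
    model_ace_t aces[] = {
        { 0x001F01FF, &user_sid },
        { 0x001F01FF, &admin_sid },
    };
    return acl_size_unguarded(aces, 2);
}

int main(void) {
    int skipped = 0;
    size_t n = sample_acl_size(&skipped);
    printf("ACL needs %zu bytes; %d ACE(s) had no SID\n", n, skipped);
    return 0;
}
```

Calling acl_size_unguarded() on the three-entry sample would dereference the NULL pSid exactly as the evaluation describes; the guarded variant is what a caller should reach for when the principal list can contain entries that failed to resolve, and the skipped count is the signal to log or fail on rather than silently build a smaller ACL.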