JDK-8330133 : libj2pkcs11.so crashes on some pkcs#11 v3.0 libraries
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 21,22,23
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2024-04-11
  • Updated: 2024-04-29
  • Resolved: 2024-04-16
Fix Versions:
  • JDK 21: 21.0.5-oracle (Unresolved)
  • JDK 23: 23 b19 (Fixed)
Description
ADDITIONAL SYSTEM INFORMATION :
Docker / Centos 8 / JDK 18-22

A DESCRIPTION OF THE PROBLEM :
Lines 230-234 of p11_md.c dereference a NULL pointer if the loaded PKCS#11 library reports major version 3 but doesn't implement the C_GetInterface function.

Current implementation in JDK 18-22:
    if (((CK_VERSION *)moduleData->ckFunctionListPtr)->major == 3) {
        moduleData->ckFunctionList30Ptr = interface->pFunctionList;
    } else {
        moduleData->ckFunctionList30Ptr = NULL;
    }

Possible fix:
    if (((CK_VERSION *)moduleData->ckFunctionListPtr)->major == 3 && interface != NULL) {
        moduleData->ckFunctionList30Ptr = interface->pFunctionList;
    } else {
        moduleData->ckFunctionList30Ptr = NULL;
    }


REGRESSION : Last worked in version 17.0.10

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Load a pkcs11 native library that reports v3.0 but doesn't implement C_GetInterface()

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The program loads the library without crashing.
ACTUAL -
The Java program crashes in libj2pkcs11 because p11_md.c dereferences a null pointer.

---------- BEGIN SOURCE ----------
package com.example;
import java.security.Security;
class Main {
    public static void main(String[] args) {
        // configure() loads the native library named in pkcs11.cfg;
        // with an affected module the JVM crashes inside libj2pkcs11 here.
        Security.getProvider("SunPKCS11").configure("pkcs11.cfg");
    }
}
/* pkcs11.cfg contains something like
name=PKCS11
library=/opt/pkcs11/lib64/libpkcs11.so
slot=1
*/
---------- END SOURCE ----------

FREQUENCY : always
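The following is an added example, not code from the JDK or from this report. It models the loader logic the description refers to, with reduced stand-ins for the PKCS#11 types (CK_VERSION, CK_FUNCTION_LIST, CK_INTERFACE) and a simplified C_GetInterface signature, so it compiles without the real headers. The constructed fake modules show the two cases: a module that reports v3.0 but exports no C_GetInterface (the crashing case, which now degrades to the v2.x function list) and a module that provides a proper interface.

```c
/* Added example (not the JDK's code): a minimal model of the PKCS#11
 * loader logic that JDK-8330133 describes. Type and function names mirror
 * the PKCS#11 spec but are reduced stand-ins, not the real headers. */
#include <stddef.h>
#include <stdio.h>

typedef unsigned char CK_BYTE;
typedef unsigned long CK_RV;
#define CKR_OK 0UL
#define CKR_GENERAL_ERROR 5UL

/* CK_VERSION is the first member of every function list, which is why the
 * loader can cast a function-list pointer to CK_VERSION* to read the major. */
typedef struct { CK_BYTE major; CK_BYTE minor; } CK_VERSION;

typedef struct { CK_VERSION version; } CK_FUNCTION_LIST;      /* v2.x list (header only) */
typedef struct { CK_VERSION version; } CK_FUNCTION_LIST_3_0;  /* v3.0 list (header only) */

typedef struct {
    const char *pInterfaceName;
    void *pFunctionList;   /* points at a CK_FUNCTION_LIST_3_0 */
} CK_INTERFACE;

typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST **);
/* Simplified signature (assumption): the real one uses CK_UTF8CHAR_PTR/CK_FLAGS. */
typedef CK_RV (*CK_C_GetInterface)(const char *, CK_VERSION *, CK_INTERFACE **, unsigned long);

/* Stand-in for the symbols a dlopen()'d module exports. A module that reports
 * v3.0 but omits C_GetInterface has getInterface == NULL, the same way dlsym()
 * returns NULL for a missing symbol. */
typedef struct {
    CK_C_GetFunctionList getFunctionList;
    CK_C_GetInterface getInterface;   /* may be NULL */
} module_symbols;

typedef struct {
    CK_FUNCTION_LIST *ckFunctionListPtr;
    CK_FUNCTION_LIST_3_0 *ckFunctionList30Ptr;
} module_data;

/* Hardened resolution: the interface pointer is only dereferenced when the
 * module actually provided one. CKR_OK means the module is usable through
 * either the v2.x list or, when available, the v3.0 list. */
CK_RV resolve_function_lists(const module_symbols *mod, module_data *out) {
    CK_INTERFACE *interface = NULL;
    out->ckFunctionListPtr = NULL;
    out->ckFunctionList30Ptr = NULL;
    if (mod->getFunctionList == NULL ||
        mod->getFunctionList(&out->ckFunctionListPtr) != CKR_OK ||
        out->ckFunctionListPtr == NULL) {
        return CKR_GENERAL_ERROR;
    }
    if (mod->getInterface != NULL) {
        CK_VERSION want = {3, 0};
        if (mod->getInterface("PKCS 11", &want, &interface, 0) != CKR_OK) {
            interface = NULL;   /* a failed query is treated like a missing symbol */
        }
    }
    /* The check from the report: interface != NULL guards the dereference. */
    if (((CK_VERSION *)out->ckFunctionListPtr)->major == 3 && interface != NULL) {
        out->ckFunctionList30Ptr = (CK_FUNCTION_LIST_3_0 *)interface->pFunctionList;
    } else {
        out->ckFunctionList30Ptr = NULL;
    }
    return CKR_OK;
}

/* Constructed fake modules for demonstration (not real PKCS#11 modules). */
static CK_FUNCTION_LIST fl_v3 = {{3, 0}};
static CK_FUNCTION_LIST_3_0 fl30 = {{3, 0}};
static CK_INTERFACE iface = {"PKCS 11", &fl30};

static CK_RV fake_GetFunctionList(CK_FUNCTION_LIST **pp) { *pp = &fl_v3; return CKR_OK; }
static CK_RV fake_GetInterface(const char *name, CK_VERSION *v, CK_INTERFACE **pp,
                               unsigned long flags) {
    (void)name; (void)v; (void)flags;
    *pp = &iface;
    return CKR_OK;
}

/* Reports v3.0 but exports no C_GetInterface: the case that crashed. */
const module_symbols broken_v3_module = { fake_GetFunctionList, NULL };
/* Reports v3.0 and exports a working C_GetInterface. */
const module_symbols good_v3_module = { fake_GetFunctionList, fake_GetInterface };

int main(void) {
    module_data md;
    if (resolve_function_lists(&broken_v3_module, &md) == CKR_OK)
        printf("broken v3 module: usable via 2.x list, 3.0 list %s\n",
               md.ckFunctionList30Ptr ? "present" : "absent");
    if (resolve_function_lists(&good_v3_module, &md) == CKR_OK)
        printf("good v3 module: 3.0 list %s\n",
               md.ckFunctionList30Ptr ? "present" : "absent");
    return 0;
}
```

The point of the model is the ordering: the v2.x C_GetFunctionList result is obtained first and is sufficient on its own, and the v3.0 list is only an upgrade that is taken when both the reported major version and a non-NULL interface agree that it exists.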



Comments
Changeset: d1c6cd10 Author: Valerie Peng <valeriep@openjdk.org> Date: 2024-04-16 22:47:02 +0000 URL: https://git.openjdk.org/jdk/commit/d1c6cd104ec117b88c45aafcb342164be4483f94
16-04-2024

A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/18789 Date: 2024-04-16 00:15:34 +0000
16-04-2024

Added noreg-hard due to the requirement of a special PKCS11 library. Also removed the reproducer-yes label since no special PKCS11 library was provided.
15-04-2024

Hmm, interesting. Guess we can't assume that a PKCS#11 v3.0 library would provide the proper interface structure. Will add the interface != null check where necessary.
15-04-2024

The problematic source code can be found at: https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/p11_md.c#L221

By further investigating the following source code: https://github.com/openjdk/jdk/commit/83e6a4c0e9e4a9474ae0c1252378b1a09d1d2df0

It looks like the issue was introduced by JDK-8255409.
12-04-2024