Vulnerability Development mailing list archives

Re: JNI and buffer overflows (was java and buffer overflows)


From: KF <dotslash () snosoft com>
Date: Thu, 27 Jun 2002 05:21:35 -0400

Ok, ONE last email for tonight.... I decided I would test JNI with format string stuff ... so here ya go... Check the contents of the dump file this time...

Compile this as a .so:

[root@rcmqa5 JNI]# cat HelloWorld.c
#include <stdio.h>
#include <stdlib.h>
#include "HelloWorld.h"   // this header file was generated by javah
JNIEXPORT void JNICALL Java_HelloWorld_displayMessage(JNIEnv *env, jobject obj)
{
//  char fixed[20];
   char *test = getenv("TEST");          // attacker-controlled input from the environment
//  sprintf(fixed, "%s", test);          // earlier test: stack overflow into fixed[20]
//  printf("%s\n", fixed);
   printf(test);                         // format string bug: TEST is used as the format, so %n writes memory
   printf("\n");
}


[checkfree@rcmqa5 JNI]$ export TEST=`perl -e 'print "%n" x 8'`

[root@rcmqa5 JNI]# java HelloWorld
SIGSEGV 11 (*) segmentation violation
   si_signo [11]: SIGSEGV: (*) segmentation violation
   si_errno [0]: Success
   si_code [1]: SEGV_MAPERR [addr: 0x0]

       stackpointer=0xbffc1ae4
Writing java dump to javacore1992.1025212567.txt ...  OK
SIGABRT 6 (*) abort process
       stackpointer=0xbffc1558
Aborted

[root@rcmqa5 JNI]# cat javacore1992.1025212567.txt
Thu Jun 27 17:16:07 2002

SIGSEGV received at 14458be5 in unknown. Processing terminated.
J2RE 1.3.0 IBM build cx130-20010626
/usr/dlc/java/jdk130/jre/bin/exe/java HelloWorld

System Properties
-----------------
Java Home Dir:  /usr/dlc/java/jdk130/jre
Java DLL Dir:   /usr/dlc/java/jdk130/jre/bin
Sys Classpath: /usr/dlc/java/jdk130/jre/lib/rt.jar:/usr/dlc/java/jdk130/jre/lib/i18n.jar:/usr/dlc/java/jdk130/jre/classes
User Args:
-Djava.class.path=:/usr/dlc/java/aia.zip:/etc/httpd/tomcat/lib/servlet.jar:/usr/dlc/java/progress.zip:/usr/dlc/java/progress2.zip


Current Thread Details
----------------------
   PID:1992
"main" (TID:0x403487e0, sys_thread_t:0x804fba8, state:R, native ID:0x400) prio=5
       at HelloWorld.displayMessage(Native Method)
       at HelloWorld.main(HelloWorld.java:6)


        ----- Native Stack -----
-------------------------------------------------------------------------
Operating Environment
---------------------
Host            : rcmqa5.(none)
OS Level        : 2.4.7-10.#1 Thu Sep 6 17:27:27 EDT 2001
glibc Version   : 2.2.4
No. of Procs    : 1
Memory Info:
       total:    used:    free:  shared: buffers:  cached:
Mem:  261599232 123633664 137965568  3706880 26566656 53637120
Swap: 131596288        0 131596288
MemTotal:       255468 kB
MemFree:        134732 kB
MemShared:        3620 kB
Buffers:         25944 kB
Cached:          52380 kB
SwapCached:          0 kB
Active:          20136 kB
Inact_dirty:     61808 kB
Inact_clean:         0 kB
Inact_target:      848 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       255468 kB
LowFree:        134732 kB
SwapTotal:      128512 kB
SwapFree:       128512 kB
NrSwapPages:     32128 pages

User Limits (in bytes except for NOFILE and NPROC) -
       RLIMIT_FSIZE    : infinity
       RLIMIT_DATA     : infinity
       RLIMIT_STACK    : 2093056
       RLIMIT_CORE     : 0
       RLIMIT_NOFILE   : 1024
       RLIMIT_NPROC    : 1023

Application Environment
-----------------------
Signal Handlers -
       SIGQUIT         : intrDispatchMD (libhpi.so)
       SIGILL          : intrDispatchMD (libhpi.so)
       SIGTRAP         : intrDispatchMD (libhpi.so)
       SIGABRT         : intrDispatchMD (libhpi.so)
       SIGFPE          : intrDispatchMD (libhpi.so)
       SIGBUS          : intrDispatchMD (libhpi.so)
       SIGSEGV         : intrDispatchMD (libhpi.so)
       SIGPIPE         : ignored
       SIGUSR1         : sigusr1Handler (libhpi.so)
       SIGUSR2         : unknown handler

Environment Variables -
PWD=/tmp/JNI
LD_ASSUME_KERNEL=2.2.5
TEST=%n%n%n%n%n%n%n%n
REMOTEHOST=10.102.28.231
WRKDIR=/usr/rcm2001
HOSTNAME=rcmqa5
LD_LIBRARY_PATH=/usr/dlc/java/jdk130/jre/bin:/usr/dlc/java/jdk130/jre/bin/classic:/usr/dlc/lib:/usr/dlc/bin:
QTDIR=/usr/lib/qt-2.3.1
CLASSPATH=:/usr/dlc/java/aia.zip:/etc/httpd/tomcat/lib/servlet.jar:/usr/dlc/java/progress.zip:/usr/dlc/java/progress2.zip
LESSOPEN=|/usr/bin/lesspipe.sh %s
PROGRESSCP=:/usr/dlc/java/aia.zip:/etc/httpd/tomcat/lib/servlet.jar:/usr/dlc/java/progress.zip:/usr/dlc/java/progress2.zip:/usr/dlc/java/progress.zip
KDEDIR=/usr
JREHOME=/usr/dlc/java/jdk130/jre/jre
USER=checkfree
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
MACHTYPE=i386-redhat-linux-gnu
DLC=/usr/dlc
MAIL=/var/spool/mail/checkfree
INPUTRC=/etc/inputrc
LANG=en_US
TOMCAT_HOME=/etc/httpd/tomcat
JAVAHOME=/usr/dlc/java/jdk130/jre
JAVA_HOME=/usr/dlc/java/jdk130/
DISPLAY=localhost.localdomain:0.0
LOGNAME=xxxxxxx
SHLVL=2
SHELL=/bin/bash
HOSTTYPE=i386
OSTYPE=linux-gnu
HISTSIZE=1000
TERM=xterm
HOME=/root
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/checkfree/bin:/usr/dlc/java/jdk130/bin:/usr/dlc/java:/usr/dlc/lib:/usr/dlc/bin
JDKHOME=/usr/dlc/java/jdk130/
IBM_JAVA_COMMAND_LINE=/usr/dlc/java/jdk130/jre/bin/exe/java HelloWorld
JAVA_MAIN_VM=1076580148

Full Thread Dump
----------------
   PID:2004
"Finalizer" (TID:0x40348708, sys_thread_t:0x80d3808, state:S, native ID:0xc04) prio=8
       at java.lang.Object.wait(Native Method)
       at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:114)
       at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:129)
       at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:168)


        ----- Native Stack -----
       ??
-------------------------------------------------------------------------
   PID:2003
"Reference Handler" (TID:0x40348750, sys_thread_t:0x80cfab0, state:S, native ID:0x803) prio=10
       at java.lang.Object.wait(Native Method)
       at java.lang.Object.wait(Object.java:421)
       at java.lang.ref.Reference$ReferenceHandler.run(Reference.java:116)


        ----- Native Stack -----
       pthread_cond_wait at 0x4002eddc in libpthread.so.0
       condvarWait at 0x403031d5 in libhpi.so
       sysMonitorWait at 0x40304ec5 in libhpi.so
       lkMonitorWait at 0x4024b3d0 in libjvm.so
       JVM_MonitorWait at 0x4021349e in libjvm.so
       mmipSysInvokeJni at 0x40292e94 in libjvm.so
       mmisInvokeJniMethodHelper at 0x40292a7d in libjvm.so
       mmipInvokeJniMethod at 0x402933d3 in libjvm.so
       L0_invokevirtualobject_quick__ at 0x4026cc41 in libjvm.so
       mmipExecuteJava at 0x402678a9 in libjvm.so
       ??
-------------------------------------------------------------------------
   PID:2002
"Signal dispatcher" (TID:0x40348798, sys_thread_t:0x80cb168, state:S, native ID:0x402) prio=5


        ----- Native Stack -----
       pthread_cond_wait at 0x4002eddc in libpthread.so.0
       condvarWait at 0x403031d5 in libhpi.so
       sysSignalWait at 0x40303b8c in libhpi.so
       xmExecuteThread at 0x4029f1da in libjvm.so
       __clone at 0x40148f1a in libc.so.6
-------------------------------------------------------------------------
   PID:1992
"main" (TID:0x403487e0, sys_thread_t:0x804fba8, state:R, native ID:0x400) prio=5
       at HelloWorld.displayMessage(Native Method)
       at HelloWorld.main(HelloWorld.java:6)


        ----- Native Stack -----
-------------------------------------------------------------------------

Monitor pool info:
 Initial monitor count: 32
 Minimum number of free monitors before expansion: 5
 Pool will next be expanded by: 16
 Current total number of monitors: 32
 Current number of free monitors: 28

Monitor Pool Dump (inflated object-monitors):
 sys_mon_t:0x0804f120 infl_mon_t: 0x0804ecf0:
   java.lang.ref.Reference$Lock@4034FE68/4034FE70: <unowned>
       Waiting to be notified:
           "Reference Handler" (0x80cfab0)
 sys_mon_t:0x0804f1b0 infl_mon_t: 0x0804ed30:
   java.lang.ref.ReferenceQueue$Lock@40352A70/40352A78: <unowned>
       Waiting to be notified:
           "Finalizer" (0x80d3808)

JVM System Monitor Dump (registered monitors):
   ACS Heap lock: <unowned>
   System Heap lock: <unowned>
   Sleep lock: <unowned>
   Method trace lock: <unowned>
   UTF8 Cache lock: <unowned>
   Heap lock: <unowned>
   Rewrite Code lock: <unowned>
   Monitor Cache lock: owner "main" (0x804fba8) 1 entry
   JNI Pinning lock: <unowned>
   JNI Global Reference lock: <unowned>
   Classloader lock: <unowned>
   Linking class lock: <unowned>
   Binclass lock: <unowned>
   Monitor Registry lock: owner "main" (0x804fba8) 1 entry
   Thread queue lock: owner "main" (0x804fba8) 1 entry

Thread identifiers (as used in flat monitors):
   ident 5 "Finalizer" (0x80d3808) ee 0x080d363c
   ident 4 "Reference Handler" (0x80cfab0) ee 0x080cf8e4
   ident 3 "Signal dispatcher" (0x80cb168) ee 0x080caf9c
   ident 2 "main" (0x804fba8) ee 0x0804f9dc

Java Object Monitor Dump (flat & inflated object-monitors):
   java.lang.ref.Reference$Lock@4034FE68/4034FE70
       locknflags 80000200 Monitor inflated infl_mon 0x0804ecf0
   java.lang.ref.ReferenceQueue$Lock@40352A70/40352A78
       locknflags 80000400 Monitor inflated infl_mon 0x0804ed30


-KF
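The bug in the native method above is a classic format string sink: the attacker's bytes are passed as the format argument, so each %n in TEST makes printf write a count to whatever pointer happens to be on the stack, which is why the JVM dies with SEGV_MAPERR at addr 0x0. The following stand-alone C program (an added example, not KF's code and not part of the original post; the JNI plumbing is left out so it builds and runs without a JDK) puts the vulnerable pattern next to its fixed form and adds a small triage helper, count_directives, that counts conversion directives and %n writes in a string that is about to reach a printf-family sink. The payload string is constructed here to match the TEST value from the post; the unsafe call only runs when a hypothetical RUN_UNSAFE variable is set, so the program does not crash by default.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern from the post: untrusted bytes used as the format.
 * %x/%p leak stack contents, %s dereferences stack words, %n writes to them. */
void log_unsafe(const char *untrusted)
{
    printf(untrusted);
    printf("\n");
}

/* Hardened form: the format is a literal and the untrusted bytes are data.
 * Returns the length snprintf would have produced (standard snprintf semantics). */
int log_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s\n", untrusted);
}

/* Count printf conversion directives in s, reporting how many are %n (memory writes).
 * "%%" is a literal percent and is not counted. Flags, width, precision and length
 * modifiers are skipped so "%08x" and "%hn" are each counted once. */
int count_directives(const char *s, int *n_writes)
{
    int total = 0;
    *n_writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;
        if (*p == '%')              /* "%%": literal percent sign */
            continue;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;                    /* flags / width / precision / length */
        if (*p == '\0')
            break;
        total++;
        if (*p == 'n')
            (*n_writes)++;
    }
    return total;
}

int main(void)
{
    /* constructed payload: identical to the TEST variable in the post */
    const char *payload = "%n%n%n%n%n%n%n%n";
    int writes = 0;
    int total = count_directives(payload, &writes);
    printf("directives=%d, %%n writes=%d\n", total, writes);

    char buf[64];
    log_safe(buf, sizeof buf, payload);
    fputs(buf, stdout);             /* the payload is printed verbatim, not interpreted */

    /* Only run the vulnerable path on request (RUN_UNSAFE is a hypothetical guard). */
    const char *env = getenv("TEST");
    if (env && getenv("RUN_UNSAFE"))
        log_unsafe(env);
    return 0;
}
```

Build with gcc -Wall -Wformat=2 and the compiler already flags the printf(untrusted) call as a non-literal format string; that warning is the cheapest check to keep such a sink out of a JNI library.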

KF wrote:

Btw, this ended up causing a kernel "oops". About 2 minutes later I went to telnet back in and the box was dead...

[root@localhost root]# telnet 10.102.31.45
Trying 10.102.31.45...
telnet: connect to address 10.102.31.45: No route to host

I went to the box and got a big nasty kernel oops dump on the screen. The oops was from kswapd.

-KF


KF wrote:

Here is how the JNI overflow situation plays out... I took 5 minutes or so today to learn how to use JNI and here is what I came up with.

Make a jni interface...

....