From a60608e7a35aeeed57bcce641d4957de1e4b4def Mon Sep 17 00:00:00 2001 From: Alex Menkov Date: Tue, 16 Jul 2024 18:10:47 +0000 Subject: [PATCH] 8334169: Long arguments of attach operation are silently truncated on Windows Reviewed-by: sspitsyn, cjplummer --- .../native/libattach/VirtualMachineImpl.c | 48 +++-- .../serviceability/attach/LongArgTest.java | 179 ++++++++++++++++++ 2 files changed, 212 insertions(+), 15 deletions(-) create mode 100644 test/hotspot/jtreg/serviceability/attach/LongArgTest.java diff --git a/src/jdk.attach/windows/native/libattach/VirtualMachineImpl.c b/src/jdk.attach/windows/native/libattach/VirtualMachineImpl.c index 3e3118c327f..a8b17c22d83 100644 --- a/src/jdk.attach/windows/native/libattach/VirtualMachineImpl.c +++ b/src/jdk.attach/windows/native/libattach/VirtualMachineImpl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -54,8 +54,8 @@ typedef jint (WINAPI* EnqueueOperationFunc) static HANDLE doPrivilegedOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); -/* convert jstring to C string */ -static void jstring_to_cstring(JNIEnv* env, jstring jstr, char* cstr, int len); +/* Converts jstring to C string, returns JNI_FALSE if the string has been truncated. */ +static jboolean jstring_to_cstring(JNIEnv* env, jstring jstr, char* cstr, size_t cstr_buf_size); /* @@ -75,9 +75,9 @@ typedef struct { char jvmLib[MAX_LIBNAME_LENGTH]; /* "jvm.dll" */ char func1[MAX_FUNC_LENGTH]; char func2[MAX_FUNC_LENGTH]; - char cmd[MAX_CMD_LENGTH]; /* "load", "dump", ... */ - char arg[MAX_ARGS][MAX_ARG_LENGTH]; /* arguments to command */ - char pipename[MAX_PIPE_NAME_LENGTH]; + char cmd[MAX_CMD_LENGTH + 1]; /* "load", "dump", ... */ + char arg[MAX_ARGS][MAX_ARG_LENGTH + 1]; /* arguments to command */ + char pipename[MAX_PIPE_NAME_LENGTH + 1]; } DataBlock; /* @@ -377,7 +377,6 @@ JNIEXPORT jint JNICALL Java_sun_tools_attach_VirtualMachineImpl_readPipe return (jint)nread; } - /* * Class: sun_tools_attach_VirtualMachineImpl * Method: enqueue @@ -410,7 +409,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_enqueue /* * Command and arguments */ - jstring_to_cstring(env, cmd, data.cmd, MAX_CMD_LENGTH); + if (!jstring_to_cstring(env, cmd, data.cmd, sizeof(data.cmd))) { + JNU_ThrowByName(env, "com/sun/tools/attach/AttachOperationFailedException", + "command is too long"); + return; + } argsLen = (*env)->GetArrayLength(env, args); if (argsLen > 0) { @@ -423,7 +426,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_enqueue if (obj == NULL) { data.arg[i][0] = '\0'; } else { - jstring_to_cstring(env, obj, data.arg[i], MAX_ARG_LENGTH); + if (!jstring_to_cstring(env, obj, data.arg[i], sizeof(data.arg[i]))) { + JNU_ThrowByName(env, "com/sun/tools/attach/AttachOperationFailedException", + "argument is too long"); + return; + } } if ((*env)->ExceptionOccurred(env)) return; } @@ -433,7 +440,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_enqueue } /* pipe name */ - jstring_to_cstring(env, pipename, data.pipename, MAX_PIPE_NAME_LENGTH); + if (!jstring_to_cstring(env, pipename, data.pipename, sizeof(data.pipename))) { + JNU_ThrowByName(env, "com/sun/tools/attach/AttachOperationFailedException", + "pipe name is too long"); + return; + } /* * Allocate memory in target process for data and code stub @@ -615,21 +626,28 @@ doPrivilegedOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProc return hProcess; } -/* convert jstring to C string */ -static void jstring_to_cstring(JNIEnv* env, jstring jstr, char* cstr, int len) { +/* Converts jstring to C string, returns JNI_FALSE if the string has been truncated. */ +static jboolean jstring_to_cstring(JNIEnv* env, jstring jstr, char* cstr, size_t cstr_buf_size) { jboolean isCopy; const char* str; + jboolean result = JNI_TRUE; if (jstr == NULL) { cstr[0] = '\0'; } else { str = JNU_GetStringPlatformChars(env, jstr, &isCopy); - if ((*env)->ExceptionOccurred(env)) return; + if ((*env)->ExceptionOccurred(env)) { + return result; + } + if (strlen(str) >= cstr_buf_size) { + result = JNI_FALSE; + } - strncpy(cstr, str, len); - cstr[len-1] = '\0'; + strncpy(cstr, str, cstr_buf_size); + cstr[cstr_buf_size - 1] = '\0'; if (isCopy) { JNU_ReleaseStringPlatformChars(env, jstr, str); } } + return result; } diff --git a/test/hotspot/jtreg/serviceability/attach/LongArgTest.java b/test/hotspot/jtreg/serviceability/attach/LongArgTest.java new file mode 100644 index 00000000000..f7d8a330a6b --- /dev/null +++ b/test/hotspot/jtreg/serviceability/attach/LongArgTest.java @@ -0,0 +1,179 @@ +/* + * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @summary Tests that long arguments of attach operation are not truncated + * @bug 8334168 + * @library /test/lib + * @modules jdk.attach/sun.tools.attach + * @run main LongArgTest + */ + +import java.io.BufferedReader; +import java.io.InputStreamReader; +import java.io.InputStream; +import java.io.IOException; + +import com.sun.tools.attach.VirtualMachine; +import sun.tools.attach.HotSpotVirtualMachine; + +import jdk.test.lib.apps.LingeredApp; + +public class LongArgTest { + + // current restriction: max arg size is 1024 + private static int MAX_ARG_SIZE = 1024; + + public static void main(String[] args) throws Exception { + LingeredApp app = null; + try { + app = LingeredApp.startApp(); + + // sanity + test(app) + .mustSucceed() + .run(); + + test(app) + .valueLength(MAX_ARG_SIZE) + .mustSucceed() + .run(); + + test(app) + .valueLength(MAX_ARG_SIZE + 1) + .run(); + + // more than max args (3) with MAX_ARG_SIZE + test(app) + .valueLength(3 * MAX_ARG_SIZE + 1) + .run(); + + } finally { + LingeredApp.stopApp(app); + } + } + + private static Test test(LingeredApp app) { + return new Test(app); + } + + // For simplicity, the test uses internal HotSpotVirtualMachine, + // sets/gets "HeapDumpPath" flag value (string flag, not validated by JVM). + private static class Test { + private LingeredApp app; + private String flagName = "HeapDumpPath"; + private String flagValue = generateValue(5); + private boolean setFlagMustSucceed = false; + + Test(LingeredApp app) { + this.app = app; + } + + Test valueLength(int len) { + flagValue = generateValue(len); + return this; + } + + Test mustSucceed() { + setFlagMustSucceed = true; + return this; + } + + void run() throws Exception { + System.out.println("======== Start ========"); + System.out.println("Arg size = " + flagValue.length()); + + HotSpotVirtualMachine vm = (HotSpotVirtualMachine)VirtualMachine.attach(String.valueOf(app.getPid())); + + if (setFlag(vm)) { + String actualValue = getFlag(vm); + + if (!flagValue.equals(actualValue)) { + String msg = "Actual value is different: "; + if (actualValue == null) { + msg += "null"; + } else if (flagValue.startsWith(actualValue)) { + msg += "truncated from " + flagValue.length() + " to " + actualValue.length(); + } else { + msg += actualValue + ", expected value: " + flagValue; + } + System.out.println(msg); + vm.detach(); + throw new RuntimeException(msg); + } else { + System.out.println("Actual value matches: " + actualValue); + } + } + + vm.detach(); + + System.out.println("======== End ========"); + System.out.println(); + } + + // Sets the flag value, return true on success. + private boolean setFlag(HotSpotVirtualMachine vm) throws Exception { + BufferedReader replyReader = null; + try { + replyReader = new BufferedReader(new InputStreamReader( + vm.setFlag(flagName, flagValue))); + } catch (IOException ex) { + if (setFlagMustSucceed) { + throw ex; + } + System.out.println("OK: setFlag() thrown exception:"); + ex.printStackTrace(System.out); + return false; + } + + String line; + while ((line = replyReader.readLine()) != null) { + System.out.println("setFlag: " + line); + } + replyReader.close(); + return true; + } + + private String getFlag(HotSpotVirtualMachine vm) throws Exception { + // Then read and make sure we get back the same value. + BufferedReader replyReader = new BufferedReader(new InputStreamReader(vm.printFlag(flagName))); + + String prefix = "-XX:" + flagName + "="; + String value = null; + String line; + while((line = replyReader.readLine()) != null) { + System.out.println("getFlag: " + line); + if (line.startsWith(prefix)) { + value = line.substring(prefix.length()); + } + } + return value; + } + + private String generateValue(int len) { + return "X" + "A".repeat(len - 2) + "X"; + } + } + +}