Null pointer dereference vulnerabilities in JamVM
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gcc | New | Critical | | |
| jamvm (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Null pointer dereference vulnerabilities in JamVM caused by not handling a NullPointerException
JamVM version 1.5.1 and Classpath 0.98
The following bugs result in crashing the JamVM due to dereferencing a null object (or more precisely a pointer).
Some explanation of how the bugs work follows:
Let's start by showing the malicious code:
```java
class test3 {
    public static void main(String[] args) {
        (new java.awt.
    }
}
```
So what we've done above is create a popup menu without a parent container. The show() method in java.awt.PopupMenu will work only if the PopupMenu is added to a parent and the parent is visible; otherwise it should throw a NullPointerException.
In our (JamVM) case that's not happening, and the object (pointer) is null, which then travels and is dereferenced at Jam_GetObjectField inside jni.c.
Vulnerable function (jni.c):
```c
00803 jobject Jam_GetObjectField
00804     FieldBlock *fb = (FieldBlock *) fieldID;
00805     Object *ob = (Object*) obj;
00806     return (jobject) addJNILref(
00807 }
```
```
TEST@LP:~/test$ jamvm test2
Segmentation fault (core dumped)
```
GDB output and ob:
```
(gdb) bt
#0 0x08058dfb in Jam_GetObjectField (env=0x807617c, obj=0x0, fieldID=0x8d979b8) at jni.c:806
#1 0xad33e3a6 in gtkpeer_get_widget () from /usr/lib/
#2 0xad334832 in Java_gnu_
#3 0x0806e48b in callJNIMethod (env=0x807617c, class=0x0, sig=0x8e44030 "(Lgnu/
f=0xad3347f0 "U\211å\
#4 0x08053011 in callJNIWrapper (class=0x0, mb=0x8e4a560, ostack=0x8c5a29c) at dll.c:418
#5 0x08053cbc in resolveNativeWr
#6 0x0806e0d0 in executeJava () at interp.c:2267
#7 0x08054c37 in executeMethodVaList (ob=0x0, class=0xafe2bf60, mb=0x8d5c970, jargs=0xbfaf6000 "") at execute.c:101
#8 0x08054d42 in executeMethodArgs (ob=0x0, class=0xafe2bf60, mb=0x8d5c970) at execute.c:73
#9 0x0804acbb in main (argc=2, argv=0xbfaf6124) at jam.c:350
(gdb) print ob
$1 = (Object *) 0x0
```
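The crash above is the shape of a missing receiver check at the JNI boundary: `obj` arrives as NULL from the peer code and the accessor dereferences it unconditionally. As an added illustration (this is not JamVM's or Classpath's code, and the `Object`, `FieldBlock` and `Env` layouts below are constructed for the example), here is a minimal model of a GetObjectField-style accessor in its unchecked form beside a guarded variant that records a pending NullPointerException and touches no memory when the receiver is NULL:

```c
/* Added example, not JamVM code: a minimal model of a JNI-style
 * GetObjectField accessor. The unchecked variant mirrors the crash in the
 * report; the checked variant reports a pending exception instead.
 * All struct layouts and names here are constructed for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed field descriptor: byte offset of the field inside an object. */
typedef struct { size_t offset; const char *name; } FieldBlock;

/* Constructed object: a few reference slots, nothing more. */
typedef struct { void *slots[4]; } Object;

/* Constructed stand-in for the environment's pending-exception state. */
typedef struct { const char *pending_exception; } Env;

/* Unchecked variant: dereferences obj unconditionally.
 * With obj == NULL this faults inside the VM, as in the backtrace. */
void *get_object_field_unchecked(Env *env, Object *obj, FieldBlock *fb) {
    (void)env;
    return *(void **)((char *)obj + fb->offset);
}

/* Guarded variant: a NULL receiver or an out-of-range field id becomes a
 * pending exception the caller can observe; no memory is dereferenced. */
void *get_object_field_checked(Env *env, Object *obj, FieldBlock *fb) {
    if (obj == NULL) {
        env->pending_exception = "java/lang/NullPointerException";
        return NULL;
    }
    if (fb == NULL || fb->offset + sizeof(void *) > sizeof(Object)) {
        env->pending_exception = "java/lang/InternalError";
        return NULL;
    }
    return *(void **)((char *)obj + fb->offset);
}

/* True if env carries a pending exception of the given class name. */
int has_pending(const Env *env, const char *name) {
    return env->pending_exception != NULL &&
           strcmp(env->pending_exception, name) == 0;
}

/* Scenario 1: a valid receiver reads the slot and leaves no exception.
 * Returns 1 on the expected behaviour, 0 otherwise. */
int demo_valid_receiver_reads_field(void) {
    Env env = { NULL };
    int marker = 42;
    Object o = { { NULL, &marker, NULL, NULL } };
    FieldBlock fb = { offsetof(Object, slots) + sizeof(void *), "widget" };
    void *v = get_object_field_checked(&env, &o, &fb);
    return v == (void *)&marker && env.pending_exception == NULL;
}

/* Scenario 2: the report's case, a NULL receiver. The checked accessor
 * returns NULL and sets a pending NullPointerException instead of faulting. */
int demo_null_receiver_is_reported(void) {
    Env env = { NULL };
    FieldBlock fb = { offsetof(Object, slots) + sizeof(void *), "widget" };
    void *v = get_object_field_checked(&env, NULL, &fb);
    return v == NULL && has_pending(&env, "java/lang/NullPointerException");
}

int main(void) {
    printf("valid receiver handled: %s\n",
           demo_valid_receiver_reads_field() ? "yes" : "no");
    printf("NULL receiver reported as NullPointerException: %s\n",
           demo_null_receiver_is_reported() ? "yes" : "no");
    return 0;
}
```

The guard at the VM boundary is a defence in depth; as the report notes, the library code calling into the peer is where the NullPointerException is supposed to be raised, so the primary fix belongs in the caller that hands a null receiver to the native accessor.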
Similarly, and with the exact same ending, java.awt.FileDialog and addNotify:
```java
class test2 {
    public static void main(String[] args) {
        (new java.awt.
    }
}
```
```
TEST@LP:~/test$ jamvm test2
Segmentation fault (core dumped)
```
GDB output:
```
(gdb) bt
#0 0x08058dfb in Jam_GetObjectField (env=0x807617c, obj=0x0, fieldID=0x998db70) at jni.c:806
#1 0xad2703a6 in gtkpeer_get_widget () from /usr/lib/
#2 0xad262e0d in Java_gnu_
#3 0x0806e48b in callJNIMethod (env=0x807617c, class=0x0, sig=0x99bc380 "(Lgnu/
f=0xad262dd0 "U\211åWVSè¼2ÿÿ
#4 0x08053011 in callJNIWrapper (class=0x0, mb=0x99bd2c8, ostack=0x984d2e0) at dll.c:418
#5 0x08053cbc in resolveNativeWr
#6 0x0806e0d0 in executeJava () at interp.c:2267
#7 0x08054c37 in executeMethodVaList (ob=0x0, class=0xafd5df58, mb=0x994f9c8, jargs=0xbf929e30 "") at execute.c:101
#8 0x08054d42 in executeMethodArgs (ob=0x0, class=0xafd5df58, mb=0x994f9c8) at execute.c:73
#9 0x0804acbb in main (argc=2, argv=0xbf929f54) at jam.c:350
```
Note that if we use this code in Kaffe, it will fail an assertion in both cases:
```
TEST@LP:~/test$ kaffe test2
kaffe-bin:
/build/
cp_gtk_
table->clazz)' failed.
Aborted (core dumped)
TEST@LP:~/test$ kaffe test3
kaffe-bin:
/build/
classpath/
`(*env)
Aborted (core dumped)
```
------
These bugs have been reported as security vulnerabilities as they lead to Denial of Service.
Changed in gcc: status: Unknown → New
Changed in gcc: importance: Unknown → Critical
Thank you for using Ubuntu and taking the time to report a bug. Is this something that you discovered? Has it already been reported upstream and public?