Here is how the JNI overflow situation plays out... I took an 5 minutes or so today to learn how to use JNI and here is what I came up with. Make a jni interface... [root@rcmqa5 JNI]# cat HelloWorld.java class HelloWorld { public static void main(String args[]) { HelloWorld hello = new HelloWorld(); hello.displayMessage(); } public native void displayMessage(); static { System.loadLibrary("HelloWorldImp"); } } compile it [root@rcmqa5 JNI]# javac HelloWorld.java get the jni headers from it [root@rcmqa5 JNI]# javah -jni HelloWorld [root@rcmqa5 JNI]# cat HelloWorld.h /* DO NOT EDIT THIS FILE - it is machine generated */ #include <jni.h> /* Header for class HelloWorld */ #ifndef _Included_HelloWorld #define _Included_HelloWorld #ifdef __cplusplus extern "C" { #endif /* * Class: HelloWorld * Method: displayMessage * Signature: ()V */ JNIEXPORT void JNICALL Java_HelloWorld_displayMessage (JNIEnv *, jobject); #ifdef __cplusplus } #endif #endif Make a .c file with the methods to run when the JNI call is made [root@rcmqa5 JNI]# cat HelloWorld.c #include <stdio.h> #include <stdlib.h> #include "HelloWorld.h" // this header file was generated by javah JNIEXPORT void JNICALL Java_HelloWorld_displayMessage(JNIEnv *env, jobject obj) { char fixed[20]; char *test = getenv("TEST"); sprintf(fixed, "%s", test); printf("%s\n", fixed); } Compile this .c file as a shared object. [root@rcmqa5 JNI]# cc -o libHelloWorldImp.so -shared HelloWorld.c -I/usr/dlc/java/jdk130/include/ Now we have a .class and a .so ... we should be ready to roll [root@rcmqa5 JNI]# ls -al total 32 drwxr-xr-x 2 root root 4096 Jun 27 16:36 . drwxrwxrwt 6 root root 4096 Jun 27 16:36 .. -rw-r--r-- 1 root root 203 Jun 27 16:31 HelloWorld.c -rw-r--r-- 1 root root 473 Jun 27 16:35 HelloWorld.class -rw-r--r-- 1 root root 395 Jun 27 16:31 HelloWorld.h -rw-r--r-- 1 root root 235 Jun 27 16:30 HelloWorld.java -rwxr-xr-x 1 root root 5415 Jun 27 16:36 libHelloWorldImp.so [root@rcmqa5 JNI]# export TEST=`perl -e 'print "A" x 50'` [root@rcmqa5 JNI]# java HelloWorld AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SIGSEGV 11 (*) segmentation violation si_signo [11]: SIGSEGV: (*) segmentation violation si_errno [0]: Success si_code [1]: SEGV_MAPERR [addr: 0x33] stackpointer=0xbffc1ae4 Writing java dump to javacore14629.1025210621.txt ... At this point the session totally hung... (telnet) the javacore14629.blah.txt was never written to... -rw-r--r-- 1 root root 0 Jun 27 16:43 javacore14629.1025210621.txt oddly enough I tryed a HUGE value ... and got totally different results. [root@rcmqa5 JNI]# export TEST=`perl -e 'print "A" x 5000'` [root@rcmqa5 JNI]# java HelloWorld AAAAAAAAAAAAAAAAAAAAA....... (process hung) login on different terminal... type ps -ef root 14863 2877 0 16:50 ? 00:00:00 /usr/dlc/java/jdk130/jre/bin/exe root 14864 2877 0 16:50 ? 00:00:00 /usr/dlc/java/jdk130/jre/bin/exe root 14865 14786 99 16:50 pts/3 00:00:03 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root 14874 14865 0 16:50 pts/3 00:00:00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root 14875 14874 0 16:50 pts/3 00:00:00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root 14876 14874 0 16:50 pts/3 00:00:00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root 14877 14874 0 16:50 pts/3 00:00:00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [root@rcmqa5 JNI]# gdb blah 14865 GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT) Copyright 2001 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"...blah: No such file or directory. /tmp/JNI/14865: No such file or directory. Attaching to process 14865 0x40266aae in ?? () (gdb) bt #0 0x40266aae in ?? () #1 0x4030379d in ?? () #2 0x4030378a in ?? () #3 0x40303a76 in ?? () #4 0x40033517 in ?? () #5 <signal handler called> #6 0x40307d03 in ?? () #7 0x40299bbb in ?? () #8 0x40266abf in ?? () #9 0x4030379d in ?? () #10 0x4030378a in ?? () #11 0x40303a76 in ?? () #12 0x40033517 in ?? () #13 <signal handler called> #14 0x40307d03 in ?? () #15 0x40299bbb in ?? () #16 0x40266abf in ?? () #17 0x4030379d in ?? () #18 0x4030378a in ?? () #19 0x40303a76 in ?? () #20 0x40033517 in ?? () #21 <signal handler called> -KF KF wrote: > So what you are saying is that you found a buffer overflow in some > code that uses JNI? As in there was some c based code that the java > invoked? I am currious to see how this works. > -KF > > > Dave Aitel wrote: > >> Although, as another poster said, native code invocation is going to >> continue to be a problem for managed languages such as Java and C# in >> the years to come. >> I've found a buffer overflow in native code invoked by a major >> application server that happened to be written in Java. It's fixed now, >> btw. :> >> >> -dave >> >> >> > > > >
This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 10:45:21 PDT