From patchwork Tue Jun 11 06:47:13 2024
X-Patchwork-Submitter: Rohini Sangam
X-Patchwork-Id: 44886
From: Rohini Sangam
To: openembedded-devel@lists.openembedded.org
Cc: Rohini Sangam, Siddharth Doshi
Subject: [meta-java][kirkstone][PATCH] openjdk-8: Security fix for CVE-2024-21094
Date: Tue, 11 Jun 2024 12:17:13 +0530
Message-Id: <20240611064713.33342-1-rsangam@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/110817

CVE fixed:
-CVE-2024-21094 OpenJDK: C2 compilation fails with "Exceeded _node_regs array" (8317507)

Upstream-Status: Backport from https://github.com/openjdk/jdk8u/commit/43cb87550865a93c559c9e8eaa59fcb071301bd3

Signed-off-by: Rohini Sangam
Signed-off-by: Siddharth Doshi
---
 .../openjdk/openjdk-8-release-common.inc | 1 +
 .../patches-openjdk-8/CVE-2024-21094.patch | 637 ++++++++++++++++++
 2 files changed, 638 insertions(+)
 create mode 100644 recipes-core/openjdk/patches-openjdk-8/CVE-2024-21094.patch
diff --git a/recipes-core/openjdk/openjdk-8-release-common.inc b/recipes-core/openjdk/openjdk-8-release-common.inc index ff8d96e..f71eb10 100644 --- a/recipes-core/openjdk/openjdk-8-release-common.inc +++ b/recipes-core/openjdk/openjdk-8-release-common.inc @@ -21,6 +21,7 @@ PATCHES_URI = "\ file://2007-jdk-no-genx11-in-headless.patch \ file://2008-jdk-no-unused-deps.patch \ file://2009-jdk-make-use-gcc-instead-of-ld-for-genSocketOptionRe.patch \ + file://CVE-2024-21094.patch \ " HOTSPOT_UB_PATCH = "\ file://1001-hotspot-fix-crash-on-JNI_CreateJavaVM.patch \ diff --git a/recipes-core/openjdk/patches-openjdk-8/CVE-2024-21094.patch b/recipes-core/openjdk/patches-openjdk-8/CVE-2024-21094.patch new file mode 100644 index 0000000..1852bd7 --- /dev/null +++ b/recipes-core/openjdk/patches-openjdk-8/CVE-2024-21094.patch 
@@ -0,0 +1,637 @@ +From 43cb87550865a93c559c9e8eaa59fcb071301bd3 Mon Sep 17 00:00:00 2001 +From: Martin Balao +Date: Wed, 27 Mar 2024 03:21:25 +0000 +Subject: [PATCH] CVE-2024-21094: 8317507: C2 compilation fails with "Exceeded _node_regs + array" + +Upstream-Status: Backport from https://github.com/openjdk/jdk8u/commit/43cb87550865a93c559c9e8eaa59fcb071301bd3 +CVE: CVE-2024-21094 + +Signed-off-by: Rohini Sangam +--- + .../hotspot/src/share/vm/adlc/output_c.cpp | 2 + + .../regalloc/TestNodeRegArrayOverflow.java | 599 ++++++++++++++++++ + 2 files changed, 601 insertions(+) + create mode 100644 hotspot/test/compiler/regalloc/TestNodeRegArrayOverflow.java + +diff --git a/hotspot/src/share/vm/adlc/output_c.cpp b/hotspot/src/share/vm/adlc/output_c.cpp +index 19916904..b85123b4 100644 +--- a/hotspot/src/share/vm/adlc/output_c.cpp ++++ b/hotspot/src/share/vm/adlc/output_c.cpp +@@ -3023,6 +3023,8 @@ static void define_fill_new_machnode(bool used, FILE *fp_cpp) { + fprintf(fp_cpp, " if( i != cisc_operand() ) \n"); + fprintf(fp_cpp, " to[i] = _opnds[i]->clone(C);\n"); + fprintf(fp_cpp, " }\n"); ++ fprintf(fp_cpp, " // Do not increment node index counter, since node reuses my index\n"); ++ fprintf(fp_cpp, " C->set_unique(C->unique() - 1);\n"); + fprintf(fp_cpp, "}\n"); + } + fprintf(fp_cpp, "\n"); +diff --git a/hotspot/test/compiler/regalloc/TestNodeRegArrayOverflow.java b/hotspot/test/compiler/regalloc/TestNodeRegArrayOverflow.java +new file mode 100644 +index 00000000..281524cc +--- /dev/null ++++ b/hotspot/test/compiler/regalloc/TestNodeRegArrayOverflow.java +@@ -0,0 +1,599 @@ ++/* ++ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. 
++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package compiler.regalloc; ++ ++/** ++ * @test ++ * @bug 8317507 ++ * @summary Test that C2's PhaseRegAlloc::_node_regs (a post-register-allocation ++ * mapping from machine nodes to assigned registers) does not overflow ++ * in the face of a program with a high-density of CISC spilling ++ * candidate nodes. ++ * @run main/othervm -Xcomp -XX:CompileOnly=compiler.regalloc.TestNodeRegArrayOverflow::testWithCompilerUnrolling ++ -XX:CompileCommand=dontinline,compiler.regalloc.TestNodeRegArrayOverflow::dontInline ++ compiler.regalloc.TestNodeRegArrayOverflow compiler ++ * @run main/othervm -Xcomp -XX:CompileOnly=compiler.regalloc.TestNodeRegArrayOverflow::testWithManualUnrolling ++ -XX:CompileCommand=dontinline,compiler.regalloc.TestNodeRegArrayOverflow::dontInline ++ compiler.regalloc.TestNodeRegArrayOverflow manual ++ */ ++ ++public class TestNodeRegArrayOverflow { ++ ++ static int dontInline() { ++ return 0; ++ } ++ ++ static float testWithCompilerUnrolling(float inc) { ++ int i = 0, j = 0; ++ // This non-inlined method call causes 'inc' to be spilled. ++ float f = dontInline(); ++ // This two-level reduction loop is unrolled 512 times, which is ++ // requested by the SLP-specific unrolling analysis, but not vectorized. 
++ // Because 'inc' is spilled, each of the unrolled AddF nodes is ++ // CISC-spill converted (PhaseChaitin::fixup_spills()). Before the fix, ++ // this causes the unique node index counter (Compile::_unique) to grow ++ // beyond the size of the node register array ++ // (PhaseRegAlloc::_node_regs), and leads to overflow when accessed for ++ // nodes that are created later (e.g. during the peephole phase). ++ while (i++ < 128) { ++ for (j = 0; j < 16; j++) { ++ f += inc; ++ } ++ } ++ return f; ++ } ++ ++ // This test reproduces the same failure as 'testWithCompilerUnrolling' ++ // without relying on loop transformations. ++ static float testWithManualUnrolling(float inc) { ++ int i = 0, j = 0; ++ float f = dontInline(); ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += 
inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f 
+= inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ 
f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ f += inc; ++ return f; ++ } ++ ++ public static void main(String[] args) { ++ switch (args[0]) { ++ case "compiler": ++ testWithCompilerUnrolling(0); ++ break; ++ case "manual": ++ testWithManualUnrolling(0); ++ break; ++ default: ++ throw new IllegalArgumentException("Invalid mode: " + args[0]); ++ } ++ } ++} +-- +2.35.7 +
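
Review bot: In the openjdk-8-release-common.inc hunk, `file://CVE-2024-21094.patch` is appended to PATCHES_URI, yet every path inside the patch sits under hotspot/ (hotspot/src/share/vm/adlc/output_c.cpp and hotspot/test/compiler/regalloc/), and the one hotspot-named patch visible in the context, 1001-hotspot-fix-crash-on-JNI_CreateJavaVM.patch, is listed in the separate HOTSPOT_UB_PATCH variable. Please confirm the patch applies from the directory and strip level used for PATCHES_URI entries, or say in the commit message why PATCHES_URI is the right list. As a style point, the neighbouring entries carry numeric prefixes (2007-, 2008-, 2009-); note whether the CVE-named file is intentionally left unnumbered.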
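
Review bot: In the output_c.cpp hunk (define_fill_new_machnode), the emitted `C->set_unique(C->unique() - 1);` is unconditional, and nothing in the generated lines shown checks that the counter was advanced only for the node that now reuses this index. The emitted comment "Do not increment node index counter, since node reuses my index" states the intent but not that precondition; consider spelling it out in the emitted comment, or, if the hunk has to stay identical to upstream commit 43cb87550865a93c559c9e8eaa59fcb071301bd3, say so in the patch header so later edits to this generator do not break the assumption unnoticed.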
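
Review bot: In the new TestNodeRegArrayOverflow.java, testWithManualUnrolling declares `int i = 0, j = 0;` but never uses either variable; they look copied from testWithCompilerUnrolling and can be dropped. Separately, main() reads `args[0]` without checking the argument count, so a run with no argument fails with an array index error instead of the intended "Invalid mode" IllegalArgumentException. Both are harmless under the two @run lines, which always pass "compiler" or "manual"; if the file is kept verbatim from upstream for backport fidelity, that is fine, but it is worth stating in the patch description since the test makes up 599 of the 601 added lines.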