changeset 1565:d70ae78f89c2
PR381 Stackoverflow error with SecurityManager, signed jar and debug
2009-08-31 Mark Wielaard <mjw@redhat.com>
Keith Seitz <keiths@redhat.com>
* patches/icedtea-use-system-tzdata.patch: Updated to initialize
JAVAZI_DIR once and inside a AccessController.doPrivileged() block.
* patches/icedtea-timezone-default-permission.patch: New patch.
* overlays/openjdk/jdk/test/java/util/TimeZone/
(TimeZoneDatePermissionCheck.java, TimeZoneDatePermissionCheck.sh):
New test.
* Makefile.am: Add new patch.
* HACKING: Describe new patch.
author | Mark Wielaard <mjw@redhat.com> |
---|---|
date | Mon, 31 Aug 2009 07:45:07 +0200 |
parents | 99966695a8f7 |
children | 4d6173b707ea |
files | ChangeLog HACKING Makefile.am overlays/openjdk/jdk/test/java/util/TimeZone/TimeZoneDatePermissionCheck.java overlays/openjdk/jdk/test/java/util/TimeZone/TimeZoneDatePermissionCheck.sh patches/icedtea-timezone-default-permission.patch patches/icedtea-use-system-tzdata.patch |
diffstat | 7 files changed, 184 insertions(+), 34 deletions(-) [+] |
--- a/ChangeLog Thu Aug 20 20:42:36 2009 +0100
+++ b/ChangeLog Mon Aug 31 07:45:07 2009 +0200
@@ -1,3 +1,16 @@
+2009-08-31 Mark Wielaard <mjw@redhat.com>
+ Keith Seitz <keiths@redhat.com>
+
+ PR381 Stackoverflow error with SecurityManager, signed jar and debug
+ * patches/icedtea-use-system-tzdata.patch: Updated to initialize
+ JAVAZI_DIR once and inside a AccessController.doPrivileged() block.
+ * patches/icedtea-timezone-default-permission.patch: New patch.
+ * overlays/openjdk/jdk/test/java/util/TimeZone/
+ (TimeZoneDatePermissionCheck.java, TimeZoneDatePermissionCheck.sh):
+ New test.
+ * Makefile.am: Add new patch.
+ * HACKING: Describe new patch.
+
 2009-08-20 Andrew John Hughes <ahughes@redhat.com>
 
 * Makefile.am:
--- a/HACKING Thu Aug 20 20:42:36 2009 +0100
+++ b/HACKING Mon Aug 31 07:45:07 2009 +0200
@@ -112,8 +112,12 @@
 * icedtea-lucene-crash.patch: Fix lucene bad code generation bug #6707044.
 * icedtea-6700047-loopopts.patch: Fix partial peeling issue, bug #6700047.
 * icedtea-6712835-ifnode.patch: Fix infinite loop in PhaseIterGVN::transform.
-* icedtea-timezone.patch : Makes java only look for time zone information in /etc/sysconfig/clock if /etc/localtime is not found (fix
- for rh-489586)
+* icedtea-timezone.patch : Makes java only look for time zone information in
+ /etc/sysconfig/clock if /etc/localtime is not found (fix for rh-489586)
+* icedtea-timezone-default-permission.patch: Partial fix for PR381
+ (in combination with icedtea-use-system-tzdata.patch) security check
+ debug printing overflow. Also in openjdk7 b22, but apparently lost
+ since b22 was from "before hg".
 * icedtea-dnd-filelists.patch: Fix drag and drop behaviour when dragging a file list between JVMs (S5079469). Backported from OpenJDK.
 * icedtea-signed-types-hot6.patch: Make use of unsigned/signed types explicit.
 * openjdk/6648816.patch: Backport of regression (NPE) fix in AccessControlContext
--- a/Makefile.am Thu Aug 20 20:42:36 2009 +0100
+++ b/Makefile.am Mon Aug 31 07:45:07 2009 +0200
@@ -522,6 +522,7 @@
 patches/icedtea-tools.patch \
 patches/icedtea-demos.patch \
 patches/icedtea-timezone.patch \
+ patches/icedtea-timezone-default-permission.patch \
 patches/icedtea-use-system-tzdata.patch \
 patches/icedtea-headers.patch \
 patches/hotspot/$(HSBUILD)/icedtea-headers.patch \
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/overlays/openjdk/jdk/test/java/util/TimeZone/TimeZoneDatePermissionCheck.java Mon Aug 31 07:45:07 2009 +0200
@@ -0,0 +1,40 @@
+/* Testcase for PR381 Stackoverflow error with security manager, signed jars
+ and -Djava.security.debug set.
+
+Copyright (c) 2009, Red Hat Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+*/
+
+
+import java.util.Date;
+
+/**
+ * Test class. Create a test keystore and dummy cert, create a jar file to
+ * sign with the test class in it. Sign it run it with the security manager
+ * on, plus accesscontroller debugging, will go into infinite recursion
+ * trying to get enough permissions for printing Date of failing
+ * certificate, unless fix is applied.
+ */
+public class TimeZoneDatePermissionCheck
+{
+ public static void main(String[] args)
+ {
+ System.out.println(new Date());
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/overlays/openjdk/jdk/test/java/util/TimeZone/TimeZoneDatePermissionCheck.sh Mon Aug 31 07:45:07 2009 +0200
@@ -0,0 +1,61 @@
+# Testcase for PR381 Stackoverflow error with security manager, signed jars
+# and -Djava.security.debug set.
+#
+# Copyright (c) 2009, Red Hat Inc.
+#
+# This file is part of IcedTea.
+#
+# IcedTea is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# IcedTea is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with IcedTea; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA.
+
+# @test
+# @bug 0000381
+# @summary Stackoverflow error with security manager, signed jars and debug.
+# @build TimeZoneDatePermissionCheck
+# @run shell TimeZoneDatePermissionCheck.sh
+
+# Set default if not run under jtreg from test dir itself
+if [ "${TESTCLASSES}" = "" ] ; then
+ TESTCLASSES="."
+fi
+if [ "${TESTJAVA}" = "" ] ; then
+ TESTJAVA=/usr
+fi
+
+# create a test keystore and dummy cert
+rm -f ${TESTCLASSES}/timezonedatetest.store
+${TESTJAVA}/bin/keytool -genkeypair -alias testcert \
+ -keystore ${TESTCLASSES}/timezonedatetest.store \
+ -storepass testpass -validity 360 \
+ -dname "cn=Mark Wildebeest, ou=FreeSoft, o=Red Hat, c=NL" \
+ -keypass testpass
+
+# create a jar file to sign with the test class in it.
+rm -f ${TESTCLASSES}/timezonedatetest.jar
+${TESTJAVA}/bin/jar cf \
+ ${TESTCLASSES}/timezonedatetest.jar \
+ -C ${TESTCLASSES} TimeZoneDatePermissionCheck.class
+
+# sign it
+${TESTJAVA}/bin/jarsigner \
+ -keystore ${TESTCLASSES}/timezonedatetest.store \
+ -storepass testpass ${TESTCLASSES}/timezonedatetest.jar testcert
+
+# run it with the security manager on, plus accesscontroller debugging
+# will go into infinite recursion trying to get enough permissions for
+# printing Date of failing certificate unless fix is applied.
+${TESTJAVA}/bin/java -Djava.security.manager \
+ -Djava.security.debug=access,failure,policy \
+ -cp ${TESTCLASSES}/timezonedatetest.jar TimeZoneDatePermissionCheck
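Review bot: None of the setup steps (`keytool -genkeypair`, `jar cf`, `jarsigner`) has its exit status checked, so a failure while creating or signing the jar still falls through to the final `java` run, and the result then presumably says nothing about the signed-jar path that PR381 is about. Adding `set -e` after the jtreg header, or `|| exit 1` on each tool invocation, would make a broken setup fail the test. The `${TESTCLASSES}` and `${TESTJAVA}` expansions are also unquoted, so a test directory containing spaces would split the `rm -f` and `-keystore` arguments; writing them as `"${TESTCLASSES}/timezonedatetest.store"` avoids that.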
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-timezone-default-permission.patch Mon Aug 31 07:45:07 2009 +0200
@@ -0,0 +1,23 @@
+--- openjdk7/jdk/src/share/classes/java/util/TimeZone.java 2009-08-04 18:54:13.026104895 +0200
++++ openjdk/jdk/src/share/classes/java/util/TimeZone.java 2009-08-04 18:53:09.035985858 +0200
+@@ -602,11 +602,7 @@
+ }
+ });
+
+- if (hasPermission()) {
+- defaultTimeZone = tz;
+- } else {
+- defaultZoneTL.set(tz);
+- }
++ defaultTimeZone = tz;
+ return tz;
+ }
+
+@@ -637,6 +633,7 @@
+ if (hasPermission()) {
+ synchronized (TimeZone.class) {
+ defaultTimeZone = zone;
++ defaultZoneTL.set(null);
+ }
+ } else {
+ defaultZoneTL.set(zone);
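Review bot: The first inner hunk drops the `hasPermission()` guard and always writes the shared static `defaultTimeZone`, but nothing at that line records why the unchecked write is safe. A comment such as `// tz is computed from system settings, not supplied by the caller, so no permission check is needed; checking here re-enters the security debug printing (PR381)` would capture the reasoning; that rationale is inferred from the HACKING entry and the `});` just above, so please confirm it. In the second hunk `defaultZoneTL.set(null)` presumably clears only the calling thread's value, which is worth stating next to the line because other threads would keep any thread-local default they set earlier. Both enclosing methods start and end outside the hunks, so whether the first write is synchronized like the second is not visible here.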
--- a/patches/icedtea-use-system-tzdata.patch Thu Aug 20 20:42:36 2009 +0100 +++ b/patches/icedtea-use-system-tzdata.patch Mon Aug 31 07:45:07 2009 +0200 @@ -1,14 +1,34 @@ ---- ../openjdkb23/openjdk/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java 2007-10-30 04:38:28.000000000 -0400 -+++ openjdk/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java 2007-11-13 13:16:52.000000000 -0500 -@@ -28,6 +28,7 @@ - import java.io.File; - import java.io.FileInputStream; - import java.io.FileNotFoundException; -+import java.security.AccessControlException; - import java.io.IOException; - import java.lang.ref.SoftReference; - import java.security.AccessController; -@@ -1021,11 +1022,29 @@ +--- openjdk6.orig/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java Sat Mar 15 13:43:05 2008 -0400 ++++ openjdk/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java Fri Aug 21 11:34:56 2009 +0200 +@@ -465,6 +465,27 @@ + */ + public static final byte TAG_TZDataVersion = 68; + ++ // Cached location of the TZDATA files ++ private static final String JAVAZI_DIR = setup_JAVAZI_DIR(); ++ ++ private static String setup_JAVAZI_DIR() { ++ try { ++ final String dir = AccessController.doPrivileged ++ (new sun.security.action.GetPropertyAction("user.zoneinfo.dir")); ++ return AccessController.doPrivileged ++ (new PrivilegedExceptionAction<String>() { ++ public String run() { ++ File f = new File(dir, "ZoneInfoMappings"); ++ if (f.exists()) ++ return dir; ++ return null; ++ } ++ }); ++ } catch (PrivilegedActionException e) { ++ return null; ++ } ++ } ++ + /** + * Excluded zones item tag. (Added in Mustang) + */ +@@ -1021,11 +1042,17 @@ byte[] buffer = null; try { 
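Review bot: In `setup_JAVAZI_DIR()` the value of `user.zoneinfo.dir` goes straight into `new File(dir, "ZoneInfoMappings")` with no null check, and `File(String, String)` with a null parent resolves the child as a relative path, so with the property unset the privileged block probes `ZoneInfoMappings` in the current working directory. The method still returns `null` in that case, but the code this replaces (removed in the next hunk) guarded with `if (zi_dir != null)`; adding `if (dir == null) return null;` before the second `doPrivileged` would restore that. The `run()` body throws nothing checked, so `PrivilegedAction<String>` would do and the `catch (PrivilegedActionException e)` that silently returns `null` could be dropped.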
@@ -17,29 +37,17 @@ - final String fname = homeDir + File.separator + "lib" + File.separator - + "zi" + File.separator + fileName; - buffer = (byte[]) AccessController.doPrivileged(new PrivilegedExceptionAction() { -+ String zi_dir = (String) AccessController.doPrivileged(new sun.security.action.GetPropertyAction("user.zoneinfo.dir")); -+ File dir = null; -+ if (zi_dir != null) -+ dir = new File(zi_dir); + -+ // Some minimal sanity checking -+ if (dir != null) { -+ try { -+ File f = new File(dir, "ZoneInfoMappings"); -+ if (!f.exists()) -+ dir = null; -+ } catch (AccessControlException ace) { -+ dir = null; -+ } -+ } ++ String zi_dir = JAVAZI_DIR; ++ if (zi_dir == null) { ++ // Fall back to JDK-supplied tzdata ++ String homeDir = (String) AccessController.doPrivileged(new sun.security.action.GetPropertyAction("java.home")); ++ zi_dir = homeDir + File.separator + "lib" + File.separator ++ + "zi"; ++ } + -+ if (dir == null) { -+ String homeDir = (String) AccessController.doPrivileged(new sun.security.action.GetPropertyAction("java.home")); -+ zi_dir = homeDir + File.separator + "lib" + File.separator -+ + "zi"; -+ } -+ final String fname = zi_dir + File.separator + fileName; -+ buffer = (byte[]) AccessController.doPrivileged(new PrivilegedExceptionAction() { ++ final String fname = zi_dir + File.separator + fileName; ++ buffer = (byte[]) AccessController.doPrivileged(new PrivilegedExceptionAction() { public Object run() throws IOException { File file = new File(fname); if (!file.canRead()) {
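Review bot: `final String fname = zi_dir + File.separator + fileName;` joins `fileName` to the tzdata directory and the result is read inside `doPrivileged`, yet no check on `fileName` is visible in this hunk. The enclosing method starts outside the hunk, so validation may happen earlier; if it does not, it is worth confirming that a name containing `..` or an absolute path cannot reach this privileged read, for example by comparing the canonical path of `new File(fname)` against `zi_dir`. As a style point, the two `doPrivileged` calls here keep the raw `PrivilegedExceptionAction` and the `(String)`/`(byte[])` casts while the new `setup_JAVAZI_DIR()` uses the generic form; making them consistent would tidy this up.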