--- a/src/hotspot/os/aix/attachListener_aix.cpp Thu May 31 15:37:31 2018 -0700
+++ b/src/hotspot/os/aix/attachListener_aix.cpp Thu May 31 17:38:42 2018 -0700
@@ -386,11 +386,10 @@
::close(s);
continue;
}
- uid_t euid = geteuid();
- gid_t egid = getegid();
- if (cred_info.euid != euid || cred_info.egid != egid) {
- log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", cred_info.euid, cred_info.egid, euid, egid);
+ if (!os::Posix::matches_effective_uid_and_gid_or_root(cred_info.euid, cred_info.egid)) {
+ log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)",
+ cred_info.euid, cred_info.egid, geteuid(), getegid());
::close(s);
continue;
}
@@ -548,8 +547,8 @@
}
if (ret == 0) {
// simple check to avoid starting the attach mechanism when
- // a bogus user creates the file
- if (st.st_uid == geteuid()) {
+ // a bogus non-root user creates the file
+ if (os::Posix::matches_effective_uid_or_root(st.st_uid)) {
init();
log_trace(attach)("Attach triggered by %s", fn);
return true;
--- a/src/hotspot/os/bsd/attachListener_bsd.cpp Thu May 31 15:37:31 2018 -0700
+++ b/src/hotspot/os/bsd/attachListener_bsd.cpp Thu May 31 17:38:42 2018 -0700
@@ -357,11 +357,10 @@
::close(s);
continue;
}
- uid_t euid = geteuid();
- gid_t egid = getegid();
- if (puid != euid || pgid != egid) {
- log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", puid, pgid, euid, egid);
+ if (!os::Posix::matches_effective_uid_and_gid_or_root(puid, pgid)) {
+ log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", puid, pgid,
+ geteuid(), getegid());
::close(s);
continue;
}
@@ -513,8 +512,8 @@
}
if (ret == 0) {
// simple check to avoid starting the attach mechanism when
- // a bogus user creates the file
- if (st.st_uid == geteuid()) {
+ // a bogus non-root user creates the file
+ if (os::Posix::matches_effective_uid_or_root(st.st_uid)) {
init();
log_trace(attach)("Attach triggered by %s", fn);
return true;
--- a/src/hotspot/os/linux/attachListener_linux.cpp Thu May 31 15:37:31 2018 -0700
+++ b/src/hotspot/os/linux/attachListener_linux.cpp Thu May 31 17:38:42 2018 -0700
@@ -357,11 +357,10 @@
::close(s);
continue;
}
- uid_t euid = geteuid();
- gid_t egid = getegid();
- if (cred_info.uid != euid || cred_info.gid != egid) {
- log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", cred_info.uid, cred_info.gid, euid, egid);
+ if (!os::Posix::matches_effective_uid_and_gid_or_root(cred_info.uid, cred_info.gid)) {
+ log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)",
+ cred_info.uid, cred_info.gid, geteuid(), getegid());
::close(s);
continue;
}
@@ -518,8 +517,8 @@
}
if (ret == 0) {
// simple check to avoid starting the attach mechanism when
- // a bogus user creates the file
- if (st.st_uid == geteuid()) {
+ // a bogus non-root user creates the file
+ if (os::Posix::matches_effective_uid_or_root(st.st_uid)) {
init();
log_trace(attach)("Attach triggered by %s", fn);
return true;
--- a/src/hotspot/os/posix/os_posix.cpp Thu May 31 15:37:31 2018 -0700
+++ b/src/hotspot/os/posix/os_posix.cpp Thu May 31 17:38:42 2018 -0700
@@ -51,6 +51,8 @@
#endif
#define IS_VALID_PID(p) (p > 0 && p < MAX_PID)
+#define ROOT_UID 0
+
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
@@ -1454,6 +1456,18 @@
return stack_size;
}
+bool os::Posix::is_root(uid_t uid){
+ return ROOT_UID == uid;
+}
+
+bool os::Posix::matches_effective_uid_or_root(uid_t uid) {
+ return is_root(uid) || geteuid() == uid;
+}
+
+bool os::Posix::matches_effective_uid_and_gid_or_root(uid_t uid, gid_t gid) {
+ return is_root(uid) || (geteuid() == uid && getegid() == gid);
+}
+
Thread* os::ThreadCrashProtection::_protected_thread = NULL;
os::ThreadCrashProtection* os::ThreadCrashProtection::_crash_protection = NULL;
volatile intptr_t os::ThreadCrashProtection::_crash_mux = 0;
--- a/src/hotspot/os/posix/os_posix.hpp Thu May 31 15:37:31 2018 -0700
+++ b/src/hotspot/os/posix/os_posix.hpp Thu May 31 17:38:42 2018 -0700
@@ -106,6 +106,16 @@
// On error, it will return NULL and set errno. The content of 'outbuf' is undefined.
// On truncation error ('outbuf' too small), it will return NULL and set errno to ENAMETOOLONG.
static char* realpath(const char* filename, char* outbuf, size_t outbuflen);
+
+ // Returns true if given uid is root.
+ static bool is_root(uid_t uid);
+
+ // Returns true if given uid is effective or root uid.
+ static bool matches_effective_uid_or_root(uid_t uid);
+
+ // Returns true if either given uid is effective uid and given gid is
+ // effective gid, or if given uid is root.
+ static bool matches_effective_uid_and_gid_or_root(uid_t uid, gid_t gid);
};
// On POSIX platforms the signal handler is global so we just do the write.
--- a/src/hotspot/os/solaris/attachListener_solaris.cpp Thu May 31 15:37:31 2018 -0700
+++ b/src/hotspot/os/solaris/attachListener_solaris.cpp Thu May 31 17:38:42 2018 -0700
@@ -213,16 +213,12 @@
return -1; // unable to get them, deny
}
- // get our euid/eguid (probably could cache these)
- uid_t euid = geteuid();
- gid_t egid = getegid();
-
// get euid/egid from ucred_free
uid_t ucred_euid = ucred_geteuid(cred_info);
gid_t ucred_egid = ucred_getegid(cred_info);
// check that the effective uid/gid matches
- if (ucred_euid == euid && ucred_egid == egid) {
+ if (os::Posix::matches_effective_uid_and_gid_or_root(ucred_euid, ucred_egid)) {
ret = 0; // allow
}
@@ -664,8 +660,8 @@
}
if (ret == 0) {
// simple check to avoid starting the attach mechanism when
- // a bogus user creates the file
- if (st.st_uid == geteuid()) {
+ // a bogus non-root user creates the file
+ if (os::Posix::matches_effective_uid_or_root(st.st_uid)) {
init();
log_trace(attach)("Attach triggered by %s", fn);
return true;
--- a/src/hotspot/share/utilities/stringUtils.cpp Thu May 31 15:37:31 2018 -0700
+++ b/src/hotspot/share/utilities/stringUtils.cpp Thu May 31 17:38:42 2018 -0700
@@ -23,6 +23,7 @@
*/
#include "precompiled.hpp"
+#include "utilities/debug.hpp"
#include "utilities/stringUtils.hpp"
int StringUtils::replace_no_expand(char* string, const char* from, const char* to) {
@@ -43,9 +44,16 @@
}
double StringUtils::similarity(const char* str1, size_t len1, const char* str2, size_t len2) {
- size_t total = len1 + len2;
+ assert(str1 != NULL && str2 != NULL, "sanity");
+ // filter out zero-length strings else we will underflow on len-1 below
+ if (len1 == 0 || len2 == 0) {
+ return 0.0;
+ }
+
+ size_t total = len1 + len2;
size_t hit = 0;
+
for (size_t i = 0; i < len1 - 1; i++) {
for (size_t j = 0; j < len2 - 1; j++) {
if ((str1[i] == str2[j]) && (str1[i+1] == str2[j+1])) {
Binary file src/java.base/share/lib/security/cacerts has changed
--- a/src/jdk.attach/aix/native/libattach/VirtualMachineImpl.c Thu May 31 15:37:31 2018 -0700
+++ b/src/jdk.attach/aix/native/libattach/VirtualMachineImpl.c Thu May 31 17:38:42 2018 -0700
@@ -46,6 +46,8 @@
} while(0)
+#define ROOT_UID 0
+
/*
* Class: sun_tools_attach_VirtualMachineImpl
* Method: socket
@@ -153,11 +155,11 @@
if (res == 0) {
char msg[100];
jboolean isError = JNI_FALSE;
- if (sb.st_uid != uid) {
+ if (sb.st_uid != uid && uid != ROOT_UID) {
snprintf(msg, sizeof(msg),
"file should be owned by the current user (which is %d) but is owned by %d", uid, sb.st_uid);
isError = JNI_TRUE;
- } else if (sb.st_gid != gid) {
+ } else if (sb.st_gid != gid && uid != ROOT_UID) {
snprintf(msg, sizeof(msg),
"file's group should be the current group (which is %d) but the group is %d", gid, sb.st_gid);
isError = JNI_TRUE;
--- a/src/jdk.attach/linux/native/libattach/VirtualMachineImpl.c Thu May 31 15:37:31 2018 -0700
+++ b/src/jdk.attach/linux/native/libattach/VirtualMachineImpl.c Thu May 31 17:38:42 2018 -0700
@@ -44,6 +44,8 @@
} while((_result == -1) && (errno == EINTR)); \
} while(0)
+#define ROOT_UID 0
+
/*
* Declare library specific JNI_Onload entry if static build
*/
@@ -156,11 +158,11 @@
if (res == 0) {
char msg[100];
jboolean isError = JNI_FALSE;
- if (sb.st_uid != uid) {
+ if (sb.st_uid != uid && uid != ROOT_UID) {
snprintf(msg, sizeof(msg),
"file should be owned by the current user (which is %d) but is owned by %d", uid, sb.st_uid);
isError = JNI_TRUE;
- } else if (sb.st_gid != gid) {
+ } else if (sb.st_gid != gid && uid != ROOT_UID) {
snprintf(msg, sizeof(msg),
"file's group should be the current group (which is %d) but the group is %d", gid, sb.st_gid);
isError = JNI_TRUE;
--- a/src/jdk.attach/macosx/native/libattach/VirtualMachineImpl.c Thu May 31 15:37:31 2018 -0700
+++ b/src/jdk.attach/macosx/native/libattach/VirtualMachineImpl.c Thu May 31 17:38:42 2018 -0700
@@ -46,6 +46,8 @@
} while((_result == -1) && (errno == EINTR)); \
} while(0)
+#define ROOT_UID 0
+
/*
* Declare library specific JNI_Onload entry if static build
*/
@@ -158,11 +160,11 @@
if (res == 0) {
char msg[100];
jboolean isError = JNI_FALSE;
- if (sb.st_uid != uid) {
+ if (sb.st_uid != uid && uid != ROOT_UID) {
snprintf(msg, sizeof(msg),
"file should be owned by the current user (which is %d) but is owned by %d", uid, sb.st_uid);
isError = JNI_TRUE;
- } else if (sb.st_gid != gid) {
+ } else if (sb.st_gid != gid && uid != ROOT_UID) {
snprintf(msg, sizeof(msg),
"file's group should be the current group (which is %d) but the group is %d", gid, sb.st_gid);
isError = JNI_TRUE;
--- a/src/jdk.attach/solaris/native/libattach/VirtualMachineImpl.c Thu May 31 15:37:31 2018 -0700
+++ b/src/jdk.attach/solaris/native/libattach/VirtualMachineImpl.c Thu May 31 17:38:42 2018 -0700
@@ -38,6 +38,8 @@
#include "sun_tools_attach_VirtualMachineImpl.h"
+#define ROOT_UID 0
+
#define RESTARTABLE(_cmd, _result) do { \
do { \
_result = _cmd; \
@@ -122,11 +124,11 @@
if (res == 0) {
char msg[100];
jboolean isError = JNI_FALSE;
- if (sb.st_uid != uid) {
+ if (sb.st_uid != uid && uid != ROOT_UID) {
snprintf(msg, sizeof(msg),
"file should be owned by the current user (which is %d) but is owned by %d", uid, sb.st_uid);
isError = JNI_TRUE;
- } else if (sb.st_gid != gid) {
+ } else if (sb.st_gid != gid && uid != ROOT_UID) {
snprintf(msg, sizeof(msg),
"file's group should be the current group (which is %d) but the group is %d", gid, sb.st_gid);
isError = JNI_TRUE;
--- a/test/hotspot/gtest/logging/test_logConfiguration.cpp Thu May 31 15:37:31 2018 -0700
+++ b/test/hotspot/gtest/logging/test_logConfiguration.cpp Thu May 31 17:38:42 2018 -0700
@@ -239,6 +239,7 @@
EXPECT_FALSE(LogConfiguration::parse_command_line_arguments("all=invalid_level"));
EXPECT_FALSE(LogConfiguration::parse_command_line_arguments("what=invalid"));
EXPECT_FALSE(LogConfiguration::parse_command_line_arguments("all::invalid_decorator"));
+ EXPECT_FALSE(LogConfiguration::parse_command_line_arguments("*"));
}
// Test empty configuration options
--- a/test/hotspot/jtreg/runtime/CommandLine/UnrecognizedVMOption.java Thu May 31 15:37:31 2018 -0700
+++ b/test/hotspot/jtreg/runtime/CommandLine/UnrecognizedVMOption.java Thu May 31 17:38:42 2018 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 8006298
+ * @bug 8006298 8204055
* @summary Using an unrecognized VM option should print the name of the option
* @library /test/lib
* @modules java.base/jdk.internal.misc
@@ -35,11 +35,19 @@
public class UnrecognizedVMOption {
public static void main(String[] args) throws Exception {
- ProcessBuilder pb = ProcessTools.createJavaProcessBuilder(
- "-XX:bogus_option", "-version");
+ // Note: -XX by itself is an unrecognized launcher option, the :
+ // must be present for it to be passed through as a VM option.
+ String[] badOptions = {
+ "", // empty option
+ "bogus_option",
+ };
+ for (String option : badOptions) {
+ ProcessBuilder pb = ProcessTools.createJavaProcessBuilder(
+ "-XX:" + option, "-version");
- OutputAnalyzer output = new OutputAnalyzer(pb.start());
- output.shouldContain("Unrecognized VM option 'bogus_option'");
- output.shouldHaveExitValue(1);
+ OutputAnalyzer output = new OutputAnalyzer(pb.start());
+ output.shouldContain("Unrecognized VM option '" + option + "'");
+ output.shouldHaveExitValue(1);
+ }
}
}
--- a/test/jdk/lib/security/cacerts/VerifyCACerts.java Thu May 31 15:37:31 2018 -0700
+++ b/test/jdk/lib/security/cacerts/VerifyCACerts.java Thu May 31 17:38:42 2018 -0700
@@ -24,7 +24,7 @@
/**
* @test
- * @bug 8189131 8198240 8191844 8189949
+ * @bug 8189131 8198240 8191844 8189949 8191031
* @requires java.runtime.name ~= "OpenJDK.*"
* @summary Check root CA entries in cacerts file
*/
@@ -42,7 +42,7 @@
+ File.separator + "security" + File.separator + "cacerts";
// The numbers of certs now.
- private static final int COUNT = 78;
+ private static final int COUNT = 70;
// map of cert alias to SHA-256 fingerprint
private static final Map<String, String> FINGERPRINT_MAP
@@ -106,12 +106,6 @@
"7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2");
put("digicerthighassuranceevrootca [jdk]",
"74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF");
- put("equifaxsecureca [jdk]",
- "08:29:7A:40:47:DB:A2:36:80:C7:31:DB:6E:31:76:53:CA:78:48:E1:BE:BD:3A:0B:01:79:A7:07:F9:2C:F1:78");
- put("equifaxsecureebusinessca1 [jdk]",
- "2E:3A:2B:B5:11:25:05:83:6C:A8:96:8B:E2:CB:37:27:CE:9B:56:84:5C:6E:E9:8E:91:85:10:4A:FB:9A:F5:96");
- put("equifaxsecureglobalebusinessca1 [jdk]",
- "86:AB:5A:65:71:D3:32:9A:BC:D2:E4:E6:37:66:8B:A8:9C:73:1E:C2:93:B6:CB:A6:0F:71:63:40:A0:91:CE:AE");
put("geotrustglobalca [jdk]",
"FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA:DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A");
put("geotrustprimaryca [jdk]",
@@ -134,16 +128,6 @@
"3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47:9C:36:93:65:08:80:50:56:98:10:5D:BC:E9");
put("verisigntsaca [jdk]",
"CB:6B:05:D9:E8:E5:7C:D8:82:B1:0B:4D:B7:0D:E4:BB:1D:E4:2B:A4:8A:7B:D0:31:8B:63:5B:F6:E7:78:1A:9D");
- put("verisignclass1ca [jdk]",
- "51:84:7C:8C:BD:2E:9A:72:C9:1E:29:2D:2A:E2:47:D7:DE:1E:3F:D2:70:54:7A:20:EF:7D:61:0F:38:B8:84:2C");
- put("verisignclass1g2ca [jdk]",
- "34:1D:E9:8B:13:92:AB:F7:F4:AB:90:A9:60:CF:25:D4:BD:6E:C6:5B:9A:51:CE:6E:D0:67:D0:0E:C7:CE:9B:7F");
- put("verisignclass1g3ca [jdk]",
- "CB:B5:AF:18:5E:94:2A:24:02:F9:EA:CB:C0:ED:5B:B8:76:EE:A3:C1:22:36:23:D0:04:47:E4:F3:BA:55:4B:65");
- put("verisignclass2g2ca [jdk]",
- "3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1");
- put("verisignclass2g3ca [jdk]",
- "92:A9:D9:83:3F:E1:94:4D:B3:66:E8:BF:AE:7A:95:B6:48:0C:2D:6C:6C:2A:1B:E6:5D:42:36:B6:08:FC:A1:BB");
put("verisignclass3ca [jdk]",
"A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05");
put("verisignclass3g2ca [jdk]",
@@ -210,8 +194,7 @@
// Exception list to 90 days expiry policy
private static final HashSet<String> EXPIRY_EXC_ENTRIES
= new HashSet<String>(Arrays.asList(
- "gtecybertrustglobalca [jdk]",
- "equifaxsecureca [jdk]"
+ "gtecybertrustglobalca [jdk]"
));
// Ninety days in milliseconds