RFR(S): 8038233 : Fix unsafe strcpy in Java_sun_tools_attach_{Aix, Bsd, Linux}VirtualMachine_connect()

Alan Bateman Alan.Bateman at oracle.com
Thu Mar 27 18:31:09 UTC 2014

On 27/03/2014 18:08, Volker Simonis wrote:
> Hi,
> a security audit for the PPC64/AIX port revealed an unsecure usage of
> 'strcpy' in Java_sun_tools_attach_AixVirtualMachine_connect(). Because
> the same coding is also used in the Linux and BSD implementations, the
> following change fixes them all together:
> http://cr.openjdk.java.net/~simonis/webrevs/8038233/
> https://bugs.openjdk.java.net/browse/JDK-8038233
> Compiled and tested (with the com/sun/jdi, com/sun/tools/attach,
> com/sun/management and sun/management JTreg tests) on Linux, MacOS X
> and AIX.
> Please notice that this fix is also intended for backporting to 8u.

As we now have 3 implementations using socket pairs then there might be 
an opportunity to consolidate the implementations, not for this patch of 

Your changes look okay and it's good to memset the sockaddr_un
structure. As regards whether the issue is a concern or not, it's important
to note that the Attach API is in tools.jar, it's not in a JRE build.
Also an attach requires a Permission check if running with a security
manager and it's likely very rare for tools to do this. Also to cause a
problem then it would require the temporary directory to be unusually long.
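
The pattern discussed in this thread, as an added example that is not the webrev's code and not part of either message: filling a `sockaddr_un` with a zeroed structure and a length check instead of an unchecked `strcpy`. The names `unix_addr_init` and `unix_connect` are hypothetical, and the over-long path in `main` is constructed.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Build the address for a UNIX domain socket at path. Returns 0, or -1 with
 * errno = ENAMETOOLONG when path plus its NUL does not fit in sun_path.
 * The unchecked form, strcpy(addr->sun_path, path), writes past the
 * structure for such a path. */
int unix_addr_init(struct sockaddr_un *addr, const char *path)
{
    size_t len = strlen(path);
    memset(addr, 0, sizeof(*addr));       /* no stale bytes; path stays NUL-terminated */
    addr->sun_family = AF_UNIX;
    if (len >= sizeof(addr->sun_path)) {  /* keep one byte for the terminator */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(addr->sun_path, path, len);
    return 0;
}

/* Connect to the socket at path. Returns the fd, or -1 with errno set. */
int unix_connect(const char *path)
{
    struct sockaddr_un addr;
    int fd, saved;
    if (unix_addr_init(&addr, path) < 0)
        return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        saved = errno;
        close(fd);                        /* do not leak the descriptor on failure */
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    struct sockaddr_un a;
    char longp[sizeof(a.sun_path) + 1];   /* constructed: one byte too long */
    memset(longp, 'a', sizeof(longp) - 1);
    longp[sizeof(longp) - 1] = '\0';
    return (unix_addr_init(&a, longp) == -1 && errno == ENAMETOOLONG) ? 0 : 1;
}
```

The size of `sun_path` differs between platforms, so the check uses `sizeof` rather than a fixed constant.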

