Examining native bugs fixed by Java 1.6.26

Yesterday Oracle released a Critical Patch Update for Java SE. It fixes a few bugs that lead to code execution. I have heard rumours about "exploit Wednesday", the day after Patch Tuesday, when attackers start diffing the fix packs to discover and examine the fixed vulnerabilities. I was curious which vulnerabilities were fixed by this update.

As Sami Koivu pointed out on his blog, most of the fixes are for vulnerabilities in native code. There are pretty neat binary diffing tools on Windows, but I did not find any for Linux. (If you know of tools like that, please let me know. I have seen somewhere that radare2 has some pretty neat features, but I have not had time to check it so far. It is on my todo list, of course.)

I have started a project which suits my needs. It is written in Java, and it is a bit bloated, because it parses a whole DOM from an objdump file, so it has a big memory footprint. Basically I created it to play around with binary diffing. The algorithm it currently uses is very dumb: it matches functions by symbol name and only compares their basic blocks by instruction count (but it works surprisingly well), and it does not work with stripped binaries at the moment, since without symbols there is nothing to match the functions on. I plan to make the algorithm more clever and the tool more effective.
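To make the approach concrete, here is an added example that is not the tool from this post (which is Java) but a small Python re-implementation of the same idea: parse `objdump -d` output into functions, split each function into basic blocks, and compare two builds purely by the per-block instruction counts. The two disassembly excerpts, the symbol names (`copyData`, `getLimit`, `hasEnoughSamples`, `verifyBufferSize`) and the byte encodings are constructed for the demo and are not taken from any JDK library; the report format mirrors the "New entry / Removed entry / Differences in entry" lines shown below. It also shows the heuristic's blind spot: `getLimit` differs only in an immediate operand, so its signature is unchanged and it is not reported.

```python
import re

# Constructed objdump -d excerpts standing in for an old and a new build of
# one shared library (not real JDK disassembly). The new build adds a length
# check to copyData, replaces hasEnoughSamples with verifyBufferSize and
# changes only an immediate in getLimit.
OLD_DUMP = """
0000000000001000 <copyData>:
    1000:\t55                   \tpush   %rbp
    1001:\t48 89 e5             \tmov    %rsp,%rbp
    1004:\t89 f8                \tmov    %edi,%eax
    1006:\te8 15 00 00 00       \tcall   1020 <memcpy@plt>
    100b:\t5d                   \tpop    %rbp
    100c:\tc3                   \tret

0000000000001030 <getLimit>:
    1030:\tb8 00 01 00 00       \tmov    $0x100,%eax
    1035:\tc3                   \tret

0000000000001040 <hasEnoughSamples>:
    1040:\t31 c0                \txor    %eax,%eax
    1042:\tc3                   \tret
"""

NEW_DUMP = """
0000000000001000 <copyData>:
    1000:\t55                   \tpush   %rbp
    1001:\t48 89 e5             \tmov    %rsp,%rbp
    1004:\t81 ff 00 10 00 00    \tcmp    $0x1000,%edi
    100a:\t77 0a                \tja     1016 <copyData+0x16>
    100c:\t89 f8                \tmov    %edi,%eax
    100e:\te8 0d 00 00 00       \tcall   1020 <memcpy@plt>
    1013:\t5d                   \tpop    %rbp
    1014:\tc3                   \tret
    1015:\t90                   \tnop
    1016:\tb8 ff ff ff ff       \tmov    $0xffffffff,%eax
    101b:\t5d                   \tpop    %rbp
    101c:\tc3                   \tret

0000000000001030 <getLimit>:
    1030:\tb8 80 00 00 00       \tmov    $0x80,%eax
    1035:\tc3                   \tret

0000000000001040 <verifyBufferSize>:
    1040:\t39 f7                \tcmp    %esi,%edi
    1042:\t0f 97 c0             \tseta   %al
    1045:\tc3                   \tret
"""

FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t[0-9a-f ]+\t(\S+)\s*(.*)$")
TARGET_RE = re.compile(r"^([0-9a-f]+)\s+<")   # direct branch target "<hex> <sym+off>"


def parse_objdump(text):
    """Map symbol name -> (start address, [(addr, mnemonic, operands), ...]).
    A stripped binary has no '<symbol>:' headers, so nothing can be matched."""
    funcs, cur = {}, None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            cur = m.group(2)
            funcs[cur] = (int(m.group(1), 16), [])
            continue
        m = INSN_RE.match(line)
        if m and cur is not None:
            funcs[cur][1].append((int(m.group(1), 16), m.group(2), m.group(3).strip()))
    if not funcs:
        raise ValueError("no symbol headers found (stripped binary?)")
    return funcs


def block_signature(insns):
    """Split a function into basic blocks and return the instruction count of
    each block; that tuple is all the comparison looks at."""
    addrs = [a for a, _, _ in insns]
    leaders = {addrs[0]}
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem.startswith("j"):              # jmp/jcc: target and fall-through start blocks
            t = TARGET_RE.match(ops)
            if t:
                leaders.add(int(t.group(1), 16))
            if i + 1 < len(insns):
                leaders.add(addrs[i + 1])
        elif mnem.startswith("ret") and i + 1 < len(insns):
            leaders.add(addrs[i + 1])
    counts = []
    for addr, _, _ in insns:
        if addr in leaders:
            counts.append(0)
        counts[-1] += 1
    return tuple(counts)


def diff_dumps(old, new):
    report = [f"New entry [{new[n][0]:x},{n}]" for n in sorted(new.keys() - old.keys())]
    report += [f"Removed entry [{old[n][0]:x},{n}]" for n in sorted(old.keys() - new.keys())]
    for n in sorted(old.keys() & new.keys()):
        if block_signature(old[n][1]) != block_signature(new[n][1]):
            report.append(f"Differences in entry: {n}")
    return report


def run_demo():
    return diff_dumps(parse_objdump(OLD_DUMP), parse_objdump(NEW_DUMP))


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

On real input you would feed it `objdump -d old/libfoo.so` and `objdump -d new/libfoo.so` instead of the embedded strings. The demo reports `copyData` (one block became four once the `cmp`/`ja` guard was added) plus the removed and new symbol, exactly the shape of the listing below, and stays silent on `getLimit`: a changed constant, a swapped jump condition or a reordered operand leaves the block counts untouched, so anything this heuristic flags is worth reading, but what it does not flag is not proven unchanged.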

Let's look at an overview of the changes:

libawt.so:

New entry [31eb0,checkOverflow]
New entry [312f0,Transform_SafeHelper]
Differences in entry: Java_sun_java2d_loops_TransformHelper_Transform
Differences in entry: calculateEdges

libcmm.so:

Differences in entry: SpRespCurveToPublic
Differences in entry: SpMultiLanguageToPublic
Differences in entry: SpProfileSeqDescToPublic
Differences in entry: SpMultiLangFromPublic
Differences in entry: fut_read_mab_data
Differences in entry: allocBufferHandlePrv
Differences in entry: futFromMabFutTbls
Differences in entry: SpProfileLoadTag
Differences in entry: writeClutData
Differences in entry: SpMultiLangTagFromPublic
Differences in entry: SpNamedColor2GetRecord
Differences in entry: SpDeviceDescFromPublic
Differences in entry: fut_readMabFutTbls
Differences in entry: SpFreeMultiLang
Differences in entry: SpRespToPublic
Differences in entry: MultiLangToMLString
Differences in entry: SpColorTableToPublic
Differences in entry: readMabCurveData
Differences in entry: SpTagToPublic
Differences in entry: SpTagGetById
Differences in entry: SpUcrbgToPublic
Differences in entry: SpMultiLangSize
Differences in entry: SpNamedColors2ToPublic
Differences in entry: SpGetResp16

libfontmanager.so:

Differences in entry: Java_sun_font_SunLayoutEngine_nativeLayout

libj2pkcs11.so:

Differences in entry: Java_sun_security_pkcs11_Secmod_nssGetModuleList

libjpeg.so:

Differences in entry: Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage

libjsound.so:

New entry [206d0,VerifyIma4Data]
New entry [20740,VerifyAlawMlaw4Data]
New entry [20610,VerifyPCMData]
Removed entry [205c0,PV_HasEnough16BitSamples]
Differences in entry: XGetSamplePtrFromSnd
Differences in entry: VerifyBufferSize

libjvm.so:

New entry [45b7b0,JVM_LoadSystemLibrary]
New entry [5dd6c0,os::system_dll_load(char const*, char*, int)]
New entry [45b450,LoadLibraryImpl(char const*, JavaThread*, unsigned char)]
New entry [161060,Arguments::set_shared_spaces_flags()]
Removed entry [15b4b0,Arguments::check_compressed_oops_compat()]
Differences in entry: GenerateOopMap::init_basic_blocks()
Differences in entry: Arguments::parse_uintx(char const*, unsigned int*, unsigned int)
Differences in entry: Arguments::parse(JavaVMInitArgs const*)
Differences in entry: Arguments::check_vm_args_consistency()
Differences in entry: JVM_LoadLibrary
Differences in entry: Arguments::parse_each_vm_init_arg(JavaVMInitArgs const*, SysClassPath*, bool*, FlagValueOrigin)
Differences in entry: __static_initialization_and_destruction_0(int, int)#5
Differences in entry: Arguments::parse_vm_init_args(JavaVMInitArgs const*)
Differences in entry: os::print_dll_info(outputStream*)

If you want to check out the tool, you can reach it here.

This entry was posted in Security.

One Response to Examining native bugs fixed by Java 1.6.26

  1. Thanks for giving the information.
