From a207869a2da927ce1c9744067507a58c27aaf31a Mon Sep 17 00:00:00 2001
From: SendaoYan
Date: Tue, 15 Jul 2025 11:35:29 +0000
Subject: [PATCH 1/4] 8362208: [8u] Buffer overflow in g1GCPhaseTimes.cpp::LineBuffer::_buffer
---
 hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp b/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
index 75a9a5f9529..e7903322fd6 100644
--- a/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
+++ b/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2025, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -34,13 +34,14 @@ class LineBuffer: public StackObj {
 private:
- static const int BUFFER_LEN = 1024;
+ static const int BUFFER_LEN = 1024*3;
 static const int INDENT_CHARS = 3;
 char _buffer[BUFFER_LEN];
 int _indent_level;
 int _cur;
 void vappend(const char* format, va_list ap) ATTRIBUTE_PRINTF(2, 0) {
+ guarantee(_cur < BUFFER_LEN, "buffer overflow in LineBuffer");
 int res = os::vsnprintf(&_buffer[_cur], BUFFER_LEN - _cur, format, ap);
 if (res > BUFFER_LEN) {
 DEBUG_ONLY(warning("buffer too small in LineBuffer");)
From a132e0c0ca4f40e2ea073dfbf8b08d3e83ba8747 Mon Sep 17 00:00:00 2001
From: SendaoYan
Date: Thu, 17 Jul 2025 14:29:43 +0800
Subject: [PATCH 2/4] Remove guarantee and add debug only warning, then return early when "previous LineBuffer overflow, request ignored"
---
 hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
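Review bot: In the second hunk of patch 1/4, the truncation test kept as context, `if (res > BUFFER_LEN) {`, compares the length of one formatted append with the whole buffer, while the call above it was given only `BUFFER_LEN - _cur` bytes. An append that is cut off while the buffer is partly full can therefore go unnoticed, and if `_cur` is then advanced by `res` (that part of vappend is outside the hunk) it ends up past the end of the stack-resident `_buffer`, where `BUFFER_LEN - _cur` becomes negative before it is passed as a size. Tripling BUFFER_LEN only moves that threshold; assuming os::vsnprintf returns the C99 would-be length, the test should be `if (res >= BUFFER_LEN - _cur) {`. The same context line appears unchanged in the hunk of patch 2/4.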
diff --git a/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp b/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
index e7903322fd6..f38026df8fd 100644
--- a/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
+++ b/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
@@ -41,7 +41,10 @@ class LineBuffer: public StackObj {
 int _cur;
 void vappend(const char* format, va_list ap) ATTRIBUTE_PRINTF(2, 0) {
- guarantee(_cur < BUFFER_LEN, "buffer overflow in LineBuffer");
+ if (_cur < BUFFER_LEN) {
+ DEBUG_ONLY(warning("previous LineBuffer overflow, request ignored");)
+ return;
+ }
 int res = os::vsnprintf(&_buffer[_cur], BUFFER_LEN - _cur, format, ap);
 if (res > BUFFER_LEN) {
 DEBUG_ONLY(warning("buffer too small in LineBuffer");)
From 55e4fe2bbf853a71935327705352580b52fc6998 Mon Sep 17 00:00:00 2001
From: SendaoYan
Date: Thu, 17 Jul 2025 15:27:39 +0800
Subject: [PATCH 3/4] fix bugs
---
 hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp b/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
index f38026df8fd..85a6d0afaa9 100644
--- a/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
+++ b/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
@@ -41,7 +41,7 @@ class LineBuffer: public StackObj {
 int _cur;
 void vappend(const char* format, va_list ap) ATTRIBUTE_PRINTF(2, 0) {
- if (_cur < BUFFER_LEN) {
+ if (_cur > BUFFER_LEN) {
 DEBUG_ONLY(warning("previous LineBuffer overflow, request ignored");)
 return;
 }
From 811ce78ac758c354471498a5a0554b2f1276224c Mon Sep 17 00:00:00 2001
From: SendaoYan
Date: Fri, 18 Jul 2025 14:04:34 +0800
Subject: [PATCH 4/4] Should be _cur >= BUFFER_LEN
---
 hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
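Review bot: Nothing in this series tests the new guard, and its comparison changes in each of patches 2/4, 3/4 and 4/4 (every diffstat lists only g1GCPhaseTimes.cpp). As written in 2/4, `if (_cur < BUFFER_LEN) {` is true for every append into a buffer that still has room, so vappend returns before formatting anything; the `>` form in 3/4 still lets `_cur == BUFFER_LEN` reach os::vsnprintf with a zero size. A regression test that produces a line longer than BUFFER_LEN and then appends again would pin the boundary down.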
diff --git a/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp b/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
index 85a6d0afaa9..af2026e1672 100644
--- a/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
+++ b/hotspot/src/share/vm/gc_implementation/g1/g1GCPhaseTimes.cpp
@@ -41,7 +41,7 @@ class LineBuffer: public StackObj {
 int _cur;
 void vappend(const char* format, va_list ap) ATTRIBUTE_PRINTF(2, 0) {
- if (_cur > BUFFER_LEN) {
+ if (_cur >= BUFFER_LEN) {
 DEBUG_ONLY(warning("previous LineBuffer overflow, request ignored");)
 return;
 }
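Review bot: The final guard carries no comment saying why `_cur` can be at or beyond BUFFER_LEN on entry, so a reader of vappend has to infer it from the warning text. If it matches the code below the hunk, I would add above the guard `// A truncated append can leave _cur at or past BUFFER_LEN; drop further appends rather than hand os::vsnprintf a non-positive size.` Because the warning is wrapped in DEBUG_ONLY, product builds discard the rest of the line without any trace, which is worth stating in the same comment. The body of vappend continues outside the hunk.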