Why does this JNI call segfault on Windows only? - c

I have some C code that adds strings to a Java array using JNI. The call to NewStringUTF segfaults -- but only on Windows 7 32-bit (in a VirtualBox VM, which is all I have to test on). In some cases, it makes it to SetObjectArrayElement call and then segfaults.
void launch_jvm_in_proc(mrb_state *mrb, CreateJavaVM_t *createJavaVM, const char *java_main_class, const char **java_opts, int java_optsc, const char **v, int prgm_optsc) {
int i;
JavaVM *jvm;
JNIEnv *env;
//...
jclass j_class_string = (*env)->FindClass(env, "java/lang/String");
jstring j_string_arg = (*env)->NewStringUTF(env, "");
jobjectArray main_args = (*env)->NewObjectArray(env, prgm_optsc, j_class_string, j_string_arg);
for (i = 0; i < prgm_optsc; i++) {
j_string_arg = (*env)->NewStringUTF(env, (char *) prgm_opts[i]);
if (!j_string_arg) {
mrb_raise(mrb, E_ARGUMENT_ERROR, "NewStringUTF() failed");
}
(*env)->SetObjectArrayElement(env, main_args, i, j_string_arg);
}
//...
}
There are also cases where the call is made to SetObjectArrayElement successfully, and then it consistently fails on the third iteration of the loop (when i=2). This happens when I consume this project a library in mjruby. I can't explain that either.
The complete project is on Github in mruby-jvm.
Error Details:
Problem signature:
Problem Event Name: APPCRASH
Application Name: mruby-jvm.exe
Application Version: 0.0.0.0
Application Timestamp: 55eb01a5
Fault Module Name: mruby-jvm.exe
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 55eb01a5
Exception Code: c0000005
Exception Offset: 0003fff2
OS Version: 6.1.7601.2.1.0.256.4
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789
Is there a way to collect more information on the error?
It works perfectly on Linux and Mac.
I've included instructions on how to reproduce the problem in this Github issue.
EDIT
I should clarify that I've examined this every way I can. I've checked that the various args are not NULL. I even get condensed almost the entire program to this:
static void
jvm_wtf(const char *java_dl, const char *jli_dl) {
JavaVM *jvm;
JNIEnv *env;
JavaVMInitArgs jvm_init_args;
CreateJavaVM_t* createJavaVM = NULL;
jvm_init_args.nOptions = 0;
jvm_init_args.version = JNI_VERSION_1_4;
jvm_init_args.ignoreUnrecognized = JNI_FALSE;
#if defined(_WIN32) || defined(_WIN64)
disable_folder_virtualization(GetCurrentProcess());
HMODULE jvmdll = LoadLibrary(java_dl);
createJavaVM = (CreateJavaVM_t*) GetProcAddress(jvmdll, "JNI_CreateJavaVM");
#elif defined(__APPLE__)
// jli needs to be loaded on OSX because otherwise the OS tries to run the system Java
void *libjli = dlopen(jli_dl, RTLD_NOW + RTLD_GLOBAL);
void *libjvm = dlopen(java_dl, RTLD_NOW + RTLD_GLOBAL);
createJavaVM = (CreateJavaVM_t*) dlsym(libjvm, "JNI_CreateJavaVM");
#else
void *libjvm = dlopen(java_dl, RTLD_NOW + RTLD_GLOBAL);
createJavaVM = (CreateJavaVM_t*) dlsym(libjvm, "JNI_CreateJavaVM");
#endif
printf("Begining\n");
createJavaVM(&jvm, (void**)&env, &jvm_init_args);
jclass main_class = (*env)->FindClass(env, "Main");
jmethodID main_method = (*env)->GetStaticMethodID(env, main_class, "main", "([Ljava/lang/String;)V");
jclass j_class_string = (*env)->FindClass(env, "java/lang/String");
jstring j_string_arg = (*env)->NewStringUTF(env, "");
printf("Checking for NULL\n");
if (!createJavaVM) { printf("createJavaVM is NULL\n");}
if (!main_class) { printf("main_class is NULL\n");}
if (!main_method) { printf("main_method is NULL\n");}
if (!j_class_string) { printf("j_class_string is NULL\n");}
if (!j_string_arg) { printf("j_string_arg is NULL\n");}
printf("Right before segfault\n");
jobjectArray main_args = (*env)->NewObjectArray(env, 1, j_class_string, j_string_arg);
printf("It won't get here\n");
(*env)->SetObjectArrayElement(env, main_args, 0, (*env)->NewStringUTF(env, "1"));
(*env)->CallStaticVoidMethod(env, main_class, main_method, main_args);
}
Now I get a segfault at NewObjectArray. Some googling has led me to believe that this may result from Windows terminating the program because it thinks the memory allocation by the JVM is malicious. How would I determine if this is true?

I have no idea why, but declaring this variable before the LoadLibrary call fixes the problem.
char stupid_var_that_means_nothing_but_makes_windows_work_i_dont_even[MAX_PATH];
HMODULE jvmdll = LoadLibrary(java_dl);
Commenting that line out causes the problem to start happening again. I've also tried adjusting it (changing the value in []) to no avail. I am completely stumped. I stumbled on this by accident after trying to add some code from jruby-launcher
Here is the full implementation of my JNI code.
I hate computers.

Related

UEFI - EDK2 - Hooking SetVariable results in UNEXCEPTED_KERNEL_MODE_TRAP

I'm coding a UEFI Runtime Driver for Windows which hooks gRT->SetVariable(...)
Hooking seems to work fine but whenever I startup a user-mode application and call SetFirmwareEnvironmentVariable(...) it reults in a Bluescreen saying UNEXCEPTED_KERNEL_MODE_TRAP.
I cannot find any solution for this. Here are a few things iam aware of:
I'm raising TPL
I recalculate and set CRC32
On SetVirtualAddressMap(...) i convert all my pointer
Google didn't help at all. So i really wonder what causes this Bluescreen and how i may proceed to resolve this issue.
What am i missing? Am i doing something wrong?
Here is my code:
ExchangePointerInServiceTable((VOID**)&gST->RuntimeServices->SetVariable,
(VOID*)HookedSetVariable,
(VOID**)&gOriginalSetVariable);
static
EFI_STATUS
ExchangePointerInServiceTable(
IN OUT VOID** AddressToUpdate,
IN VOID* NewPointer,
OUT VOID** OriginalPointer OPTIONAL
)
{
EFI_STATUS status;
EFI_TPL tpl;
ASSERT(*AddressToUpdate != NewPointer);
tpl = gBS->RaiseTPL(TPL_HIGH_LEVEL);
if (OriginalPointer != NULL)
{
*OriginalPointer = *AddressToUpdate;
}
*AddressToUpdate = NewPointer;
gST->Hdr.CRC32 = 0;
status = gBS->CalculateCrc32(&gST->Hdr, gST->Hdr.HeaderSize, &gST->Hdr.CRC32);
ASSERT_EFI_ERROR(status);
gBS->RestoreTPL(tpl);
return status;
}
EFI_STATUS
EFIAPI
HookedSetVariable(
IN CHAR16* VariableName,
IN EFI_GUID* VendorGuid,
IN UINT32 Attributes,
IN UINTN DataSize,
IN VOID* Data
) {
if (StrCmp(VariableName, gStrComVarName) == 0) {
COMMUNICATION_PROTOCOL * comVarPtr = (COMMUNICATION_PROTOCOL*)Data;
switch (comVarPtr->i8OperationId) {
case COMMUNICATION_PROTOCOL_OPERATION_PING:
comVarPtr->i8OperationId = COMMUNICATION_PROTOCOL_PONG;
}
CopyMem(Data, comVarPtr, DataSize);
}
return gOriginalSetVariable(VariableName, VendorGuid, Attributes, DataSize, Data);
}
Edit: While in UEFI, other UEFI Applications correctly call the hooked SetVariable(...) without any further problems.
This may bring it down to the problem only existing after VirtualAddressSpace has been created from the OS.

Problem getting full version number for Windows 10 with GetFileVersionInfo and VerQueryValue

I want to get the full version number for Windows, just like CMD does:
I ended up with this MS doc that says:
To obtain the full version number for the operating system, call the
GetFileVersionInfo function on one of the system DLLs, such as
Kernel32.dll, then call VerQueryValue to obtain the
\StringFileInfo\\ProductVersion subblock of the file version
information.
So I tried to use those functions with this code:
#include <Windows.h>
#include <wchar.h>
#pragma comment(lib, "Mincore.lib")
int wmain(int argc, wchar_t* argv[])
{
// GetFileVersionInfoW
LPCWSTR fileName = L"C:\\Windows\\System32\\kernel32.dll";
DWORD fileInfoSize;
fileInfoSize = GetFileVersionInfoSizeW(fileName, NULL);
if (fileInfoSize == 0)
{
fwprintf(stderr, L"\nError code: %u\n", GetLastError());
return;
}
// GetFileVersionInfoW
VOID* pFileVerInfo = malloc(fileInfoSize);
if (pFileVerInfo == NULL)
{
fwprintf(stderr, L"Failed allocating!\n");
return;
}
if (!GetFileVersionInfoW(fileName, 0, fileInfoSize, pFileVerInfo))
{
fwprintf(stderr, L"Error code: %u\n", GetLastError());
free(pFileVerInfo);
return;
}
// VerQueryValueW
LPCWSTR subBlock = L"\\StringFileInfo\\\\ProductVersion";
VS_FIXEDFILEINFO * pFileInfo;
UINT pLen = 0;
if (!VerQueryValueW(pFileVerInfo, subBlock, (LPVOID*)& pFileInfo, &pLen))
{
fwprintf(stderr, L"Error code: %u\n", GetLastError());
return;
}
return 0;
}
However, the VerQueryValueW function fails with code 1813 and I have no idea why. I also have no idea how I can show the full version after calling the function.
Can you help me?
L"\\StringFileInfo\\\\ProductVersion" is not correct. There must be a Language ID in the middle. On my Windows 10 installation, a working string is: L"\\StringFileInfo\\040904B0\\ProductVersion". But maybe this would differ on other systems.
As suggested by Jonathan Potter in comments, you could find the ID by querying \\VarFileInfo\\Translation.
Simpler options to achieve the goal include:
Query VS_FIXEDFILEINFO instead of StringFileInfo
Read the OS version from the Windows API instead of querying a random DLL.

SGX Enclave: Where the actual function that does the procession goes and how it gets compiled

After reading lots of documentation i did the first simple enclave function:
enclave {
//Include files
//Import other edl files
//Data structure declarations to be used as parameters of the
//function prototypes in edl
trusted {
public function myFirstMethod([in] int *a, [in] int *b,[out] int *sum);
};
untrusted {
};
};
Then over bash I run the edger8r:
sgx_edger8r enclave.edl
Then it generated the following files as you can see over the schema:
So I assume somewhere over the enclave_t.c the only reference I found is in this function:
static sgx_status_t SGX_CDECL sgx_myFirstMethod(void* pms)
{
CHECK_REF_POINTER(pms, sizeof(ms_myFirstMethod_t));
ms_myFirstMethod_t* ms = SGX_CAST(ms_myFirstMethod_t*, pms);
sgx_status_t status = SGX_SUCCESS;
int* _tmp_a = ms->ms_a;
size_t _len_a = sizeof(*_tmp_a);
int* _in_a = NULL;
int* _tmp_b = ms->ms_b;
size_t _len_b = sizeof(*_tmp_b);
int* _in_b = NULL;
CHECK_UNIQUE_POINTER(_tmp_a, _len_a);
CHECK_UNIQUE_POINTER(_tmp_b, _len_b);
if (_tmp_a != NULL) {
_in_a = (int*)malloc(_len_a);
if (_in_a == NULL) {
status = SGX_ERROR_OUT_OF_MEMORY;
goto err;
}
memcpy(_in_a, _tmp_a, _len_a);
}
if (_tmp_b != NULL) {
_in_b = (int*)malloc(_len_b);
if (_in_b == NULL) {
status = SGX_ERROR_OUT_OF_MEMORY;
goto err;
}
memcpy(_in_b, _tmp_b, _len_b);
}
ms->ms_retval = myFirstMethod(_in_a, _in_b);
err:
if (_in_a) free(_in_a);
if (_in_b) free(_in_b);
return status;
}
Especially in
ms->ms_retval = myFirstMethod(_in_a, _in_b);
But where to put the myFirstMethod? Also how I will compile my enclave as a part of an application as a static library.
As fas as I searched is the tutorial in theese links:
https://software.intel.com/en-us/articles/intel-software-guard-extensions-developing-a-sample-enclave-application
https://software.intel.com/en-us/sgx/code-samples
All mention Visual Studio that does not natively run over GNU/Linux so are a bit hard for me to follow.
Edit 1:
Further looking I have seen on https://github.com/01org/linux-sgx that I can compile over simulation mode as the link mentions:
make SGX_MODE=SIM
And I successfully I have installed the driver and the sdk. I want to compile over SIMULATION mode and not real one.
The autogenerated outputs of edger8r are only to provide interface between the enclave and the untrusted outside world. They are not supposed to contain your implementations.
You should define myFirstMethod in another source file, say enclave.c or enclave.cpp and link it with the rest of your project. The signature of the function being exactly what you declared in your edl, except for the pointer qualifiers, which are for edger8r to consume.
It will go like this:
enclave.cpp:
void myFirstMethod(int *a, int *b, int *sum)
{
*sum = *a + *b;
}
Dimitris first check if you have compatible hardware from this list
https://github.com/ayeks/SGX-hardware
Then try to clone an run this repo
https://github.com/digawp/hello-enclave
That will help you understand how it works

jni-wrapper crashes JVM on Windows

I have written a JNI-Wrapper but used it till today only on Linux.
Now I compiled it for windows and the JVM crashes in this native methods:
If I remove the ReleaseStringUTFChars and free calls it also works on Windows, but It would be interesting why this works in linux but not in windows?(I use Windows 10-64bit). And from my experience this calls are mandatory, got some memory-leaks(on linux) at the beginning before I released them correctly
void onMessageReceived(char* topic, char* timestamp, char* id, char* value) {
JNIEnv * g_env;
int getEnvStat = (*g_vm)->GetEnv(g_vm, (void **) &g_env, JNI_VERSION_1_8);
if (getEnvStat == JNI_EDETACHED) {
if ((*g_vm)->AttachCurrentThread(g_vm, (void **) &g_env, NULL) != 0) {
puts("Failed to attach");
fflush(stdout);
}
}
if (methodHandleMessage) {
} else {
jclass clazz = (*g_env)->GetObjectClass(g_env, store_callback);
methodHandleMessage = (*g_env)->GetMethodID(g_env, clazz, "handleMessage", "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V");
}
jstring j_topic = (*g_env)->NewStringUTF(g_env, topic);
jstring j_timestamp = (*g_env)->NewStringUTF(g_env, timestamp);
jstring j_value = (*g_env)->NewStringUTF(g_env, value);
jstring j_id = (*g_env)->NewStringUTF(g_env, id);
(*g_env)->CallVoidMethod(g_env, store_callback, methodHandleMessage, j_topic, j_timestamp, j_id, j_value);
//HERE IS THE PROBLEM:
(*g_env)->ReleaseStringUTFChars(g_env, j_topic, topic);
(*g_env)->ReleaseStringUTFChars(g_env, j_timestamp, timestamp);
(*g_env)->ReleaseStringUTFChars(g_env, j_value, value);
(*g_env)->ReleaseStringUTFChars(g_env, j_id, id);
//
(*g_vm)->DetachCurrentThread(g_vm);
}
and
void rep_actor(zsock_t *pipe, void *args) {
zsock_signal(pipe, 0);
while (!zsys_interrupted) {
char* timestamp;
char* sender;
char* command;
char* message;
zsock_recv(reply, "ssss", &timestamp, &sender, &command, &message);
char* result = onRequestReceived(timestamp, sender, command, message);
zsock_send(reply, "s", result);
//HERE IS THE PROBLEM:
free(timestamp);
free(sender);
free(command);
free(message);
free(result);
//
}
}
The error happens because you free memory twice. First time - by calling ReleaseStringUTFChars() inside of onMessageReceived(), second - outside of onMessageReceived() you call free() on every released pointer.
Important
You don't need release memory manually for objects created inside of java enviroment (calling of env->New*() methods). In your case:
// j_topic - it's a pointer for object inside of java heap
// garbage collector will free this memory
jstring j_topic = env->NewStringUTF(topic);
Call of ReleaseStringUTFChars() is inapropriate here. This used only when you create native string from java String using GetStringUTFChars():
// j_topic - string inside of java heap
const char* native_str = env->GetStringUTFChars(j_topic, isCopy);
// your logic for native_str array
// informs the VM that the native code no longer needs access to native_str
env->ReleaseStringUTFChars(j_topic, native_str);
Look at javadoc for methods GetStringUTFChars() and ReleaseStringUTFChars() - you should use they only together.

Global exception handler (access violations) under Windows

I'm trying to install some sort of first-chance exception handler which can resume execution after unprotecting (VirtualProtect()) the memory page.
(I'm trying to install some watchpoints; and no, the possibility of the VirtualAlloc function to set watchpoints is not what I need; there I cannot dynamically set and unset the watching state of memory regions/pages)
I've read in the last couple of days a lot about these SEH things, but actually most I can find is for setting function local exception handlers etc....
If I'm not wrong I need to set somehow something called FS[0] (which is thread-local?).
tl;dr
I'd like to know how to install a global first-chance (= possibility to resume code and retry last instruction) exception handler which can catch hardware exceptions (like access violations).
P.s.: I can use Assembly, C or C++, but no C# etc.
Note: I have the whole thing working under POSIX systems via sigaction on SIGSEGV, but there's no such thing for Windows as far as I can seeā€¦
#include <windows.h>
#include <stdio.h>
int xfilter(EXCEPTION_POINTERS *xp) {
int rc;
EXCEPTION_RECORD *xr = xp->ExceptionRecord;
CONTEXT *xc = xp->ContextRecord;
if(xr->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
++xc->Eip;//Advanced by one(Probably xc->Eip += 2)//http://msdn.microsoft.com/en-us/library/ms679284(v=vs.85).aspx
rc = EXCEPTION_CONTINUE_EXECUTION;
} else {
rc = EXCEPTION_CONTINUE_SEARCH;
}
return rc;
}
int main() {
EXCEPTION_POINTERS * xp;
char *p = NULL;
__try {
fprintf(stderr, "%s", "before\n");
*p = 'X';//Access Violation
fprintf(stderr, "%s", "after\n");
}
__except(xfilter(xp = GetExceptionInformation())) {
fprintf(stderr, "%s", "Exception occurred\n");//NO EXECUTE WHEN EXCEPTION_CONTINUE_EXECUTION
}
return 0;
}
/* result
before
after
*/

Resources