From 8e86440a32501360bfb76e3fadfdf765a958275f Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Thu, 17 Dec 2020 14:17:05 +0100 Subject: [PATCH] Added checks and restrictions around alt-java --- java-11-openjdk.spec | 19 ++++++++++++++++++- rh1750419-redhat_alt_java.patch | 11 ++++++++--- 2 files changed, 26 insertions(+), 4 deletions(-) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index d9d8821..7ce6e7c 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -101,6 +101,8 @@ %global shenandoah_arches x86_64 %{aarch64} # Set of architectures for which we build the Z garbage collector %global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -259,7 +261,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 11 -%global rpmrelease 5 +%global rpmrelease 6 #%%global tagsuffix "" # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -1598,6 +1600,16 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") $JAVA_HOME/bin/javac -d . %{SOURCE15} $JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image} readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c 
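Review bot: The two negative checks in %check (`if ! nm ... | grep set_speculation ; then true ; else false; fi`, for `java` and for `alt-java` in the `%else` branch) also pass when `nm` itself fails or prints no symbols, because the pipeline's status is grep's alone. A missing, unreadable or symbol-less launcher would then look the same as a launcher built without the mitigation. Running `nm` as its own step, e.g. `nm $JAVA_HOME/bin/java > java.syms` followed by `if grep -q set_speculation java.syms ; then false ; fi`, makes a tool failure abort the check instead of satisfying it (assuming %check runs with errexit, as the bare positive check on `ssbd_arches` implies). The match is a bare substring on the nm output, and it shows only that the symbol is linked in, not that the mitigation is applied at run time; the comments above the checks should say so.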
@@ -1974,6 +1986,11 @@ require "copy_jdk_configs.lua" %changelog +* Thu Dec 17 2020 Andrew Hughes - 1:11.0.9.11-6 +- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched +- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly +- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures + * Tue Dec 01 2020 Jiri Vanek - 1:11.0.9.11-5 - removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch - added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch index a7b7fdc..e6355f2 100644 --- a/rh1750419-redhat_alt_java.patch +++ b/rh1750419-redhat_alt_java.patch @@ -1,12 +1,13 @@ diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk --- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100 +++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100 -@@ -41,6 +41,15 @@ +@@ -41,6 +41,16 @@ OPTIMIZATION := HIGH, \ )) ++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c +$(eval $(call SetupBuildLauncher, alt-java, \ -+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \ ++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ + LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \ + LIBS_windows := user32.lib comctl32.lib, \ + EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ 
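Review bot: The added `-Wno-error=cpp` sits in the unconditional `CFLAGS` of the alt-java `SetupBuildLauncher` call, so it is passed on every platform, although the `#warning` it is meant to tolerate fires only outside Linux x86_64. The same call carries `LIBS_windows` and `LDFLAGS_solaris`, which suggests it can be evaluated for toolchains that may not accept this GCC-style flag; scoping it to the GCC/Linux build would be safer. The new comment is also hard to parse; something like `# -Wno-error=cpp: keep the "SSB mitigation not available" #warning in main.c from failing a -Werror build` says what the flag is for. The launcher definition continues past the end of this hunk.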
@@ -98,12 +99,16 @@ diff -r 25e94aa812b2 src/share/bin/alt_main.h diff -r 25e94aa812b2 src/share/bin/main.c --- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 +++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 -@@ -34,6 +34,10 @@ +@@ -34,6 +34,14 @@ #include "jli_util.h" #include "jni.h" ++#ifdef REDHAT_ALT_JAVA +#if defined(__linux__) && defined(__x86_64__) +#include "alt_main.h" ++#else ++#warning alt-java requested but SSB mitigation not available on this platform. ++#endif +#endif + #ifdef _MSC_VER
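Review bot: The new `#else` branch only emits `#warning`, and the companion makefile change adds `-Wno-error=cpp` so that this warning cannot stop the build, whereas the changelog entry in this commit says the patch was "amended to die, if it is used wrongly". As written, a build on any platform other than Linux x86_64 produces an alt-java launcher without the SSB mitigation, signalled only by a message that is easy to miss in build logs. If failing is intended, `#error alt-java requested but SSB mitigation not available on this platform.` would do it. If the unmitigated launcher is intended (the %check for architectures outside `ssbd_arches` suggests so), a comment above the `#else` and a corrected changelog line would avoid the impression that alt-java is mitigated everywhere. The platform test here duplicates `ssbd_arches` in the spec, so the two must be changed together.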