FPUpdater Fixes the Java 2.2250738585072012e-308 Bug

Oracle has released a fix for security alert CVE-2010-4476 — the “Java Hangs on 2.2250738585072012e-308 bug.” The fix comes in the form of something called the FPUpdater Tool, which updates rt.jar. I tested it on my Windows XP system and it works.

Running FPUpdater

I downloaded and extracted fpupdater.jar and then ran this command:

"C:\Program Files\Java\jre6\bin\java" -jar fpupdater.jar -u -v

This was the output (formatted for display):

FPUpdater
java.home: C:\Program Files\Java\jre6
java.vendor: Sun Microsystems Inc.
java.version: 1.6.0_23
os.name: Windows XP
Checking for update for major: 1.6.0 minor: 23
Retrieved update jar file from tool: C:\Program Files\Java\jre6\
 tmpUpdate2208012852213660487\tmpUpdate5228545869487358026.jar
Updating files. Please note this can take several minutes to run.
 Allow FPUpdater tool to complete.
Jar file C:\Program Files\Java\jre6\lib\rt.jar.fpupdater 
 succesfully verified.
Done backup of rt.jar to C:\Program Files\Java\jre6\lib\
 rt.jar.fpupdater
Extracting C:\Program Files\Java\jre6\lib\rt.jar to working copy 
C:\Program Files\Java\jre6\lib\tmpUpdate7145466411537220462\
 copyofRt.jar
Recreating rt.jar
Rebuilt.
Jar file C:\Program Files\Java\jre6\lib\
 tmpUpdate7145466411537220462\copyofRt.jar succesfully verified.
Moving working copy of rt.jar back to live rt.jar.
Update applied successfully to java.home path : 
 C:\Program Files\Java\jre6

I have two instances of the JRE,

My Java Installation
My Java Installation

so I had to run the tool a second time, as per these instructions:

“If you run more than one instance of the JRE, for example if you have an instance of the JRE inside a JDK bundle and another standalone JRE, you need to run the tool against each instance to update them.”

I used this command:

"C:\Program Files\Java\jdk1.6.0_23\jre\bin\java" -jar fpupdater.jar -u -v

(The output was similar.)

After executing FPUpdater twice, both the runtime and compile time hangs were fixed.

No Source Code Available Yet

The source code for the fix is not available yet, but I’m told it will be soon. The fix updates FloatingDecimal.java, but I don’t know if it is the suggested fix. I’ll keep you posted.

Dingbat

16 comments

  1. a quick decompile with jad shows that it indeed applies the suggested fix:
    $ diff new/FloatingDecimal.java old/FloatingDecimal.java
    1047c1047
    -1022 && –k3 if(bigIntNBits == 1 && bigIntExp > -1023 && –k3 < 0)

  2. a quick decompile with jad shows that it indeed applies the suggested fix:
    $ diff new/FloatingDecimal.java old/FloatingDecimal.java
    1047c1047
    l if(bigIntNBits == 1 && bigIntExp > -1022 && –k3 -1023 && –k3 < 0)

    sorry the previous comment is messed up because of matching angle-brackets …

  3. @Chris,

    Thanks — that also confirms they used the suggested fix:

    - if ( (bigIntNBits == 1) && (bigIntExp > -expBias) ){
    + if ( (bigIntNBits == 1) && (bigIntExp > -expBias+1) ){
    

    Also, I was pointed to this link: OpenJDK JDK6 changeset. It’s similar to your link, but it includes a different version of the simple testcase they added. I ran the testcase on the patched version of Oracle’s JRE — and it fails; this was the output:

    Testing subnormal powers of two.
    Exponent -1074, unexpected upper bound converted to 
     0x0.0000000000002p-1022, not 0x0.0000000000001p-1022.
    Exponent -1072, unexpected lower bound converted to
     0x0.0000000000003p-1022, not 0x0.0000000000004p-1022.
    Exponent -1070, unexpected lower bound converted to
     0x0.000000000000fp-1022, not 0x0.000000000001p-1022.
    Exponent -1069, unexpected lower bound converted to
     0x0.000000000001fp-1022, not 0x0.000000000002p-1022.
    Exponent -1068, unexpected lower bound converted to
     0x0.000000000003fp-1022, not 0x0.000000000004p-1022.
    Exponent -1067, unexpected lower bound converted to
     0x0.000000000007fp-1022, not 0x0.000000000008p-1022.
    Exponent -1066, unexpected lower bound converted to
     0x0.00000000000ffp-1022, not 0x0.00000000001p-1022.
    Exponent -1064, unexpected lower bound converted to
     0x0.00000000003ffp-1022, not 0x0.00000000004p-1022.
    Exponent -1063, unexpected lower bound converted to
     0x0.00000000007ffp-1022, not 0x0.00000000008p-1022.
    Exponent -1062, unexpected lower bound converted to
     0x0.0000000000fffp-1022, not 0x0.0000000001p-1022.
    Exponent -1060, unexpected lower bound converted to
     0x0.0000000003fffp-1022, not 0x0.0000000004p-1022.
    Exponent -1059, unexpected lower bound converted to
     0x0.0000000007fffp-1022, not 0x0.0000000008p-1022.
    Exponent -1058, unexpected lower bound converted to
     0x0.000000000ffffp-1022, not 0x0.000000001p-1022.
    Exponent -1057, unexpected lower bound converted to
     0x0.000000001ffffp-1022, not 0x0.000000002p-1022.
    Exponent -1056, unexpected lower bound converted to
     0x0.000000003ffffp-1022, not 0x0.000000004p-1022.
    Exponent -1055, unexpected lower bound converted to
     0x0.000000007ffffp-1022, not 0x0.000000008p-1022.
    Exponent -1054, unexpected lower bound converted to
     0x0.00000000fffffp-1022, not 0x0.00000001p-1022.
    Exponent -1053, unexpected lower bound converted to
     0x0.00000001fffffp-1022, not 0x0.00000002p-1022.
    Exponent -1052, unexpected lower bound converted to
     0x0.00000003fffffp-1022, not 0x0.00000004p-1022.
    Exponent -1051, unexpected lower bound converted to
     0x0.00000007fffffp-1022, not 0x0.00000008p-1022.
    Exponent -1049, unexpected lower bound converted to
     0x0.0000001ffffffp-1022, not 0x0.0000002p-1022.
    Exponent -1048, unexpected lower bound converted to
     0x0.0000003ffffffp-1022, not 0x0.0000004p-1022.
    Exponent -1046, unexpected lower bound converted to
     0x0.000000fffffffp-1022, not 0x0.000001p-1022.
    Exponent -1044, unexpected lower bound converted to
     0x0.000003fffffffp-1022, not 0x0.000004p-1022.
    Exponent -1043, unexpected lower bound converted to
     0x0.000007fffffffp-1022, not 0x0.000008p-1022.
    Exponent -1042, unexpected lower bound converted to
     0x0.00000ffffffffp-1022, not 0x0.00001p-1022.
    Exponent -1041, unexpected lower bound converted to
     0x0.00001ffffffffp-1022, not 0x0.00002p-1022.
    Exponent -1040, unexpected lower bound converted to
     0x0.00003ffffffffp-1022, not 0x0.00004p-1022.
    Exponent -1039, unexpected lower bound converted to
     0x0.00007ffffffffp-1022, not 0x0.00008p-1022.
    Exponent -1038, unexpected lower bound converted to
     0x0.0000fffffffffp-1022, not 0x0.0001p-1022.
    Exponent -1037, unexpected lower bound converted to
     0x0.0001fffffffffp-1022, not 0x0.0002p-1022.
    Exponent -1036, unexpected lower bound converted to
     0x0.0003fffffffffp-1022, not 0x0.0004p-1022.
    Exponent -1035, unexpected lower bound converted to
     0x0.0007fffffffffp-1022, not 0x0.0008p-1022.
    Exponent -1034, unexpected lower bound converted to
     0x0.000ffffffffffp-1022, not 0x0.001p-1022.
    Exponent -1033, unexpected lower bound converted to
     0x0.001ffffffffffp-1022, not 0x0.002p-1022.
    Exponent -1032, unexpected lower bound converted to
     0x0.003ffffffffffp-1022, not 0x0.004p-1022.
    Exponent -1031, unexpected lower bound converted to
     0x0.007ffffffffffp-1022, not 0x0.008p-1022.
    Exponent -1030, unexpected lower bound converted to
     0x0.00fffffffffffp-1022, not 0x0.01p-1022.
    Exponent -1029, unexpected lower bound converted to
     0x0.01fffffffffffp-1022, not 0x0.02p-1022.
    Exponent -1028, unexpected lower bound converted to
     0x0.03fffffffffffp-1022, not 0x0.04p-1022.
    Exponent -1027, unexpected lower bound converted to
     0x0.07fffffffffffp-1022, not 0x0.08p-1022.
    Exponent -1026, unexpected lower bound converted to
     0x0.0ffffffffffffp-1022, not 0x0.1p-1022.
    Exponent -1025, unexpected lower bound converted to
     0x0.1ffffffffffffp-1022, not 0x0.2p-1022.
    Exponent -1024, unexpected lower bound converted to
     0x0.3ffffffffffffp-1022, not 0x0.4p-1022.
    Exponent -1023, unexpected lower bound converted to
     0x0.7ffffffffffffp-1022, not 0x0.8p-1022.
    Exponent -1022, unexpected lower bound converted to
     0x0.fffffffffffffp-1022, not 0x1.0p-1022.
    

    I’m not sure if this means the testcase is wrong, the fix is wrong, or I did something wrong. I’ll investigate.

    |Update: None of the above — Java’s conversions are wrong! And this has nothing to do with the fix. (I guess I have something else to write about now.)

    |Update: I submitted a bug report: see Java bug report 7019078 and my article about it.

  4. Is this bug applicable to earlier jdk versions 1.4.x and 1.5.x ?
    Does “FpUpdater” patch relates to this versions?

  5. Yes, the FPUpdater seems to work with 1.4.x, 1.5.x and 1.6.x.

    The following information is from the Oracle readme:

    The FPUpdater tool is recommended for the Oracle JRE releases shown in the following table:
    J2SE 1.4.2 Required for updates prior to, and including, 1.4.2_29
    J2SE 5.0 Required for updates prior to, and including, 5.0u27
    J2SE for Embedded 5.0 Required for updates prior to, and including, 5.0u27
    Java SE 6 Required for updates prior to, and including, 6u23
    Java SE for Embedded 6 Required for updates prior to, and including, 6u23
    Java Real-Time System 2 Required for updates prior to, and including, 2.2u1
    JRockit R27 Required for updates prior to, and including, R27.6.8
    JRockit R28 Required for updates prior to, and including, R28.1.1

    Best Regards,
    Neale

  6. I received the critical update from Oracle, but the Oracle FPUpdater tool only works for Oracle Java [vendor]. I have Java 1.4.2 from IBM and have been trying to find info/patch from them. Does anyone know of an IBM fix for this issue?

    Thanks Bob

  7. Hi,

    i am unable to find fpupdater.jar from oracle’s website.

    Please tell me from where i can download this jar.

    Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

(Cookies must be enabled to leave a comment...it reduces spam.)

Copyright © 2008-2024 Exploring Binary

Privacy policy

Powered by WordPress

css.php