RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject()
Kazunori Ogata
OGATAK at jp.ibm.com
Thu Oct 12 06:07:59 UTC 2017
Hi Alan,
Thank you for your comment. I was not fully aware of the possibility of
attacking...
I updated the patch to check if the current thread is the same as the
thread that cached the loader.
Updated webrev: http://cr.openjdk.java.net/~horii/8188858/webrev.01/
Regards,
Ogata
From: Alan Bateman <Alan.Bateman at oracle.com>
To: Kazunori Ogata <OGATAK at jp.ibm.com>
Cc: core-libs-dev at openjdk.java.net
Date: 2017/10/10 21:41
Subject: Re: RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject()
On 10/10/2017 10:50, Kazunori Ogata wrote:
> Hi Alan,
>
> Thank you for your comment.
>
> I agree that the current code is not thread safe, but I think OIS itself
> is not thread safe either. The issue you pointed out occurs when two
> threads call readObject()/readUnshared() simultaneously, and the result
> of such a situation is undefined in any way in my understanding. Do we need
> to ensure the same behavior for such an error case?
OIS is very interesting to attackers so you will need to take deliberate
abuses of the API into account. I realize it's a pain but it's one of
the reasons why we have to be cautious about optimizations in this area.
-Alan
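The thread-ownership check described in the reply above, written out as an added illustration (this is not the webrev's code and does not touch ObjectInputStream): a single-slot cache that only trusts its cached value when the calling thread is the one that filled it, and otherwise recomputes. The class name, the `Supplier` used in place of the real loader lookup, and the `Entry` holder are all assumptions made for this example. The owner thread and the value are stored together in one immutable holder so a reader sees either a consistent pair or nothing, which is what keeps the check meaningful when two threads call into the same instance at once.

```java
import java.util.function.Supplier;

/**
 * Assumed illustration: a cached value that is only reused by the thread
 * that cached it. Any other thread recomputes instead of trusting the slot,
 * so a concurrent caller cannot be handed a value computed on another
 * thread's behalf.
 */
final class ThreadCheckedCache<T> {

    /** Immutable owner/value pair: one reference write publishes both fields. */
    private static final class Entry<T> {
        final Thread owner;
        final T value;
        Entry(Thread owner, T value) { this.owner = owner; this.value = value; }
    }

    private final Supplier<T> compute;   // stand-in for the expensive lookup
    private volatile Entry<T> entry;     // single cache slot, may be null

    ThreadCheckedCache(Supplier<T> compute) { this.compute = compute; }

    /** Returns the cached value only if the current thread filled the cache. */
    T get() {
        Thread me = Thread.currentThread();
        Entry<T> e = entry;              // read the pair exactly once
        if (e != null && e.owner == me) {
            return e.value;              // same thread: safe to reuse
        }
        T v = compute.get();             // other thread or empty: recompute
        entry = new Entry<>(me, v);      // publish owner and value together
        return v;
    }

    /** Constructed demo: a counter shows which calls hit the cache. */
    public static void main(String[] args) throws InterruptedException {
        int[] calls = {0};
        ThreadCheckedCache<String> cache =
            new ThreadCheckedCache<>(() -> "loader#" + (++calls[0]));

        String a = cache.get();          // computes: loader#1
        String b = cache.get();          // same thread: reused, still loader#1
        System.out.println(a + " " + b + " calls=" + calls[0]);   // 1

        Thread other = new Thread(() -> {
            String c = cache.get();      // different thread: recomputes
            System.out.println(c + " calls=" + calls[0]);          // loader#2, 2
        });
        other.start();
        other.join();

        String d = cache.get();          // owner is now the other thread: recomputes
        System.out.println(d + " calls=" + calls[0]);              // loader#3, 3
    }
}
```

Run with `javac ThreadCheckedCache.java && java ThreadCheckedCache`. The point of the demo is the third line of output: after another thread has touched the cache, the original thread does not silently reuse that thread's result but computes its own.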