RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject()

Kazunori Ogata OGATAK at jp.ibm.com
Thu Oct 12 06:07:59 UTC 2017


Hi Alan,

Thank you for your comment.  I was not fully aware of the possibility of 
attacking...

I updated the patch to check if the current thread is the same as the 
thread that cached the loader.

Updated webrev: http://cr.openjdk.java.net/~horii/8188858/webrev.01/


Regards,
Ogata



From:   Alan Bateman <Alan.Bateman at oracle.com>
To:     Kazunori Ogata <OGATAK at jp.ibm.com>
Cc:     core-libs-dev at openjdk.java.net
Date:   2017/10/10 21:41
Subject:        Re: RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject()



On 10/10/2017 10:50, Kazunori Ogata wrote:
> Hi Alan,
>
> Thank you for your comment.
>
> I agree that the current code is not thread safe, but I think OIS itself
> is not thread safe either.  The issue you pointed out occurs when two
> threads call readObject()/readUnshared() simultaneously, and the result
> of such a situation is undefined in any way in my understanding.  Do we need
> to ensure the same behavior for such an error case?
OIS is very interesting to attackers so you will need to take deliberate 
abuses of the API into account. I realize it's a pain but it's one of 
the reasons why we have to be cautious about optimizations in this area.

-Alan





