RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject()

Alan Bateman Alan.Bateman at oracle.com
Thu Oct 12 13:17:48 UTC 2017


On 12/10/2017 07:07, Kazunori Ogata wrote:
> Hi Alan,
>
> Thank you for your comment.  I was not fully aware of the possibility of
> attacking...
>
> I updated the patch to check if the current thread is the same as the
> thread cached the loader.
>
> Updated webreb: http://cr.openjdk.java.net/~horii/8188858/webrev.01/
>
This is better but it still not safe. You'll have to atomically set/get 
the cachedLoader or put it into a thread local to ensure that 
resolveClass picks up the loader cached by the current thread. A thread 
local could work too although (needs study) it might need a reference to 
the OIS to guard against nested deserialization with a different stream.

-Alan


More information about the core-libs-dev mailing list