A Bug involving MethodHandles, Nestmates, Reflection and @CallerSensitive
Johannes Kuhn
info at j-kuhn.de
Mon Jan 18 23:13:05 UTC 2021
Thanks Mandy.
Yes, @CS is a complicated beast.
I also implemented a part of JDK-6824466 for my "proxies should use
hidden classes prototype". (Only for the "constructor for
serialization", as hidden classes can't be mentioned in the constant pool.)
For the @CS method that can be called virtually -
Thread.getContextClassLoader, I thought about those two interfaces:
interface GetCCLClassLoader {ClassLoader getContextClassLoader(); }
interface GetCCLObject {Object getContextClassLoader(); }
Insight: If a class extends Thread and implements GetCCLObject, javac
will add a bridge method - which is the caller now. Have to think more
about what this actually means.
The entire topic is very complex - but my current believe is that
JDK-6824466 is a basic building block for a lot of other work in that
area. It also has quite a few prototypes that have been developed
independently - suggesting that it is indeed a basic building block.
I did a quick look though your prototype, one question I could not
answer was "what prevents me from naming my hidden class
Something$$InjectedInvoker?".
I will try to dig deeper into that, sure. I don't think that there will
be any fully satisfying solution in the next months. And then I have to
convince people that those changes don't expose any security issues -
which will be quite hard.
But if you have some starter bugs that I could fix, let me know, might
help to get some reputation and familiarity with the entire process.
Thank you for your time listening to my ideas, I appreciate it :).
- Johannes
On 18-Jan-21 22:52, Mandy Chung wrote:
> Hi Johannes,
>
> There has been a couple of the prototypes regarding @CS methods (Alan
> did one and I did another) in the context of JDK-6824466. There are lots
> of security consideration regarding @CS methods. You are welcome to go
> deeper in that area. If you are looking for starter bugs to fix, that
> won't be a quick patch.
>
> I also came up with a patch for JDK-8013527 when working on
> JDK-6824466. It's buried in
> https://github.com/openjdk/jdk/compare/master...mlchung:method-invoke. I
> will extract that fix and post a PR on my proposed fix.
>
> Mandy
>
> On 1/16/21 10:07 AM, Johannes Kuhn wrote:
>> After digging though the JBS, I found this comment from John Rose[1].
>>
>> I like the general idea, but I don't think it's necessary to use a
>> native method as stub. Instead it could be written like this:
>>
>> class Class {
>> @CallerSensitive
>> @ForceInline
>> public static Class<?> forName(String name) {
>> return forName(name, Reflection.getCallerClass());
>> }
>> private static Class<?> forName(String name, Class<?> caller) {
>> // original implementation
>> }
>> }
>>
>> By doing this, binding to the caller could be done by returning a
>> MethodHandle that actually calls the private method - with the lookup
>> class injected as argument (MethodHandles.insertArguments).
>>
>> Problem are methods that could be virtually invoked
>> (getContextClassLoader). Therefore it might be useful to keep the old
>> binding logic around. It also reduces the number of places where this
>> change has to be done - it's only required for the
>> hyper- at CallerSensitive methods.
>>
>> I will try to write a prototype that demonstrates that this approach
>> is feasible.
>>
>> - Johannes
>>
>> [1]:
>> https://bugs.openjdk.java.net/browse/JDK-8020968?focusedCommentId=13611844&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13611844
>>
>> On 09-Dec-20 21:09, Johannes Kuhn wrote:
>>> On 09-Dec-20 19:44, Mandy Chung wrote:
>>>>
>>>>
>>>> On 12/8/20 6:02 PM, Johannes Kuhn wrote:
>>>>> There are a lot of things to consider when trying to fix JDK-8013527.
>>>>
>>>> Exactly in particular security implication! What is clear is that
>>>> the expected lookup class should not be the injected class. The
>>>> key message here is that we can't fix JDK-8257874 until we fix
>>>> JDK-8013527 unfortunately.
>>>>
>>>> Mandy
>>>>
>>> Yeah, if JDK-8013527 is fixed it might fix JDK-8257874 as a byproduct.
>>> If Lookup.lookup() can determine the original caller, then
>>> Field.set*/Method.invoke could do the same.
>>> Special care has to be taken that no other class could spoof such an
>>> injected invoker.
>>>
>>> Too complicated for me :). JDK-8013527 needs a sound design to
>>> approach fixing it IMHO.
>>>
>>> - Johannes
>>>
>
More information about the core-libs-dev
mailing list