RFR: 8365203: defineClass with direct buffer can cause use-after-free

Alan Bateman alanb at openjdk.org
Mon Aug 11 15:02:14 UTC 2025


On Mon, 11 Aug 2025 14:35:00 GMT, Chen Liang <liach at openjdk.org> wrote:

>> ### Description
>> This PR proposes to update the `ClassLoader` implementation to properly guard access to the provided `ByteBuffer` when defining a class using `defineClass(String, ByteBuffer, ...)`. Specifically, calls to `SharedSecrets.getJavaNioAccess().acquireSession(ByteBuffer)` and `releaseSession(ByteBuffer)` have been introduced to ensure safe and consistent buffer access throughout the native class definition process, even when the `ByteBuffer` is backed by a `MemorySegment`.
>> 
>> ### Impact
>> This modification is internal to the `ClassLoader` implementation and does not affect the public API.
>> Improves the robustness and security of class loading from buffers.
>> 
>> ### Testing
>> Tier 1, 2, and 3 JDK tests pass on multiple platforms.
>
> src/java.base/share/classes/java/lang/ClassLoader.java line 1057:
> 
>> 1055:         try {
>> 1056:             Class<?> c = defineClass2(this, name, b, b.position(), len, protectionDomain, source);
>> 1057:             postDefineClass(c, protectionDomain);
> 
> Should we leave postDefineClass out of this acquire-release scope? I don't see any reason including this.

I don't think it matters here because something looking to close the arena around the time that it wants to defineClass with memory allocated from that arena is broken.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26724#discussion_r2267048060
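The hazard the PR description refers to is easy to reproduce at the API level: a direct `ByteBuffer` obtained from `MemorySegment.asByteBuffer()` keeps working as a Java object after the `Arena` that owns its memory is closed, and before the fix the native side of `defineClass` only took the buffer's address. The program below is an added illustration, not code from the PR or the JDK. It assumes JDK 22 or later (final FFM API), the default package, and the hypothetical names `Payload`, `BufferLoader` and `classBytes`. The expectation that a fixed JDK rejects the dangling buffer with `IllegalStateException` follows from `acquireSession` being called on an already-closed session, as described in the PR; it is stated as an assumption in the comments.

```java
import java.io.InputStream;
import java.lang.foreign.Arena;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.ValueLayout;
import java.nio.ByteBuffer;

public class SegmentDefineClassDemo {

    /** Class whose bytecode is reloaded through a direct, arena-backed buffer (constructed for the demo). */
    public static class Payload {
        public static String greet() {
            return "loaded by " + Payload.class.getClassLoader().getClass().getSimpleName();
        }
    }

    /** Minimal loader that exposes the ByteBuffer form of defineClass (hypothetical helper). */
    static final class BufferLoader extends ClassLoader {
        BufferLoader() { super(SegmentDefineClassDemo.class.getClassLoader()); }
        Class<?> define(String name, ByteBuffer b) { return defineClass(name, b, null); }
    }

    /** Reads a class file from the classpath so we have real class bytes to define. */
    static byte[] classBytes(Class<?> c) throws Exception {
        String res = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(res)) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = classBytes(Payload.class);
        String name = Payload.class.getName();

        // Correct usage: the arena, and therefore the memory behind the buffer,
        // outlives the defineClass call. This is the only pattern Alan's reply endorses.
        try (Arena arena = Arena.ofConfined()) {
            MemorySegment seg = arena.allocateFrom(ValueLayout.JAVA_BYTE, bytes);
            ByteBuffer direct = seg.asByteBuffer();   // direct buffer with no backing array
            Class<?> c = new BufferLoader().define(name, direct);
            System.out.println(c.getMethod("greet").invoke(null));
        }

        // Hazard: the buffer survives the arena that owned its memory.
        ByteBuffer dangling;
        try (Arena arena = Arena.ofConfined()) {
            dangling = arena.allocateFrom(ValueLayout.JAVA_BYTE, bytes).asByteBuffer();
        }

        // Java-level access to a closed segment is checked and fails cleanly.
        try {
            dangling.get(0);
        } catch (IllegalStateException e) {
            System.out.println("Java-side access rejected: " + e.getMessage());
        }

        // A native consumer that only takes the buffer's address has no such check.
        // Assumption based on the PR: a JDK with the fix acquires the buffer's session
        // for the duration of defineClass2 and fails here with IllegalStateException
        // instead of reading freed memory; an unfixed JDK reads whatever the freed
        // memory now holds (undefined behaviour, possibly a crash).
        try {
            new BufferLoader().define(name, dangling);
            System.out.println("defineClass accepted a dangling buffer (unfixed JDK)");
        } catch (IllegalStateException e) {
            System.out.println("defineClass rejected closed session: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SegmentDefineClassDemo.java && java SegmentDefineClassDemo` on a JDK 22 or newer. The concurrent variant (another thread closing a shared arena while `defineClass` is parsing the buffer) is the same bug with a narrower window; the fix covers both because the session is held across the whole native call.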

