RFR: 8365203: defineClass with direct buffer can cause use-after-free
Chen Liang
liach at openjdk.org
Mon Aug 11 15:02:15 UTC 2025
On Mon, 11 Aug 2025 14:55:00 GMT, Alan Bateman <alanb at openjdk.org> wrote:
>> ### Description
>> This PR proposes to update the `ClassLoader` implementation to properly guard access to the provided `ByteBuffer` when defining a class using `defineClass(String, ByteBuffer, ...)`. Specifically, calls to `SharedSecrets.getJavaNioAccess().acquireSession(ByteBuffer)` and `releaseSession(ByteBuffer)` have been introduced to ensure safe and consistent buffer access throughout the native class definition process, even in the case of a `ByteBuffer` is backed by a `MemorySegment`.
>>
>> ### Impact
>> This modification is internal to the `ClassLoader` implementation and does not affect the public API.
>> Improves the robustness and security of class loading from buffers.
>>
>> ### Testing
>> Tier 1, 2, and 3 JDK tests pass on multiple platforms.
>
> test/jdk/java/lang/ClassLoader/defineClass/GuardByteBuffer.java line 58:
>
>> 56: };
>> 57: final List<Thread> threads = new ArrayList<>();
>> 58: for (int i = 0; i < Runtime.getRuntime().availableProcessors(); i++) {
>
> This means all cores spinning for 20s - we'll have to see if it causes any side effects and slow down of other tests that happen to run at the same time in other agent VMs (make run-test uses concurrency by default).
Indeed, tier 1 tests are recommended to run for 10 seconds.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26724#discussion_r2267053263
More information about the core-libs-dev
mailing list