RFR: 8365203: defineClass with direct buffer can cause use-after-free [v2]
Per Minborg
pminborg at openjdk.org
Tue Aug 26 11:22:57 UTC 2025
> ### Description
> This PR proposes to update the `ClassLoader` implementation to properly guard access to the provided `ByteBuffer` when defining a class using `defineClass(String, ByteBuffer, ...)`. Specifically, calls to `SharedSecrets.getJavaNioAccess().acquireSession(ByteBuffer)` and `releaseSession(ByteBuffer)` have been introduced to ensure safe and consistent buffer access throughout the native class definition process, even in the case where a `ByteBuffer` is backed by a `MemorySegment`.
>
> ### Impact
> This modification is internal to the `ClassLoader` implementation and does not affect the public API.
> Improves the robustness and security of class loading from buffers.
>
> ### Testing
> Tier 1, 2, and 3 JDK tests pass on multiple platforms.
Per Minborg has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains five additional commits since the last revision:
- Improve test
- Merge branch 'master' into bb-defineclass
- Add test
- Update copyright year
- Guard ClassLoader::defineClass2
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/26724/files
- new: https://git.openjdk.org/jdk/pull/26724/files/4e95baea..e6ad2a53
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=26724&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=26724&range=00-01
Stats: 23580 lines in 773 files changed: 12256 ins; 8196 del; 3128 mod
Patch: https://git.openjdk.org/jdk/pull/26724.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/26724/head:pull/26724
PR: https://git.openjdk.org/jdk/pull/26724
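
The lifetime coupling the description refers to, as an added example that is not part of the original message or of the JDK change: a direct `ByteBuffer` obtained from a `MemorySegment` becomes invalid when its arena is closed, and Java-level accesses are checked against that state. The class and method names are hypothetical, and JDK 22 or later is assumed for the `java.lang.foreign` API.

```java
import java.lang.foreign.Arena;
import java.lang.foreign.MemorySegment;
import java.nio.ByteBuffer;

// Hypothetical demo class (constructed for illustration, not JDK code).
public class SegmentBackedBufferLifetime {

    /** Result of probing a segment-backed buffer before and after arena close. */
    record Probe(boolean direct, byte valueWhileOpen, boolean rejectedAfterClose) {}

    static Probe probe() {
        // A shared arena can be closed by any thread, so the buffer's backing
        // memory can be freed while some other code still holds the buffer.
        Arena arena = Arena.ofShared();
        MemorySegment segment = arena.allocate(16);

        // View of the same off-heap memory; its validity is tied to the arena.
        ByteBuffer buffer = segment.asByteBuffer();
        buffer.put(0, (byte) 0x2A);                  // constructed sample byte
        byte valueWhileOpen = buffer.get(0);

        arena.close();                               // backing memory is released

        boolean rejected;
        try {
            // Java-level access performs a liveness check on the arena's
            // scope and refuses to touch freed memory.
            buffer.get(0);
            rejected = false;
        } catch (IllegalStateException e) {
            rejected = true;
        }
        return new Probe(buffer.isDirect(), valueWhileOpen, rejected);
    }

    public static void main(String[] args) {
        Probe p = probe();
        System.out.println("direct buffer:          " + p.direct());
        System.out.println("value while arena open: " + p.valueWhileOpen());
        System.out.println("access after close:     "
                + (p.rejectedAfterClose() ? "rejected (IllegalStateException)" : "allowed"));
    }
}
```

Native code that is handed the buffer's raw address does not go through this check, which is why the description has `ClassLoader` hold the buffer's session open for the duration of the native class definition.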