RFR: 8148854: Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent
Rachel Protacio
rachel.protacio at oracle.com
Thu Aug 25 13:29:17 UTC 2016
Thanks for the review, Lois! I'll make that alteration and check it in.
Rachel
On 8/25/2016 8:42 AM, Lois Foltan wrote:
> Hi Rachel,
>
> Looks good. Only a stylistic comment:
>
> - src/share/vm/classfile/classFileParser.cpp
> Consider changing the new relax_format_check_for() method to only take
> one parameter, "ClassLoaderData loader_data" and change the setting of
> the local variable "trusted" to:
>
> bool trusted = (loader_data->is_the_null_class_loader_data() ||
> SystemDictionary::is_platform_class_loader(loader_data->class_loader()));
>
> Thanks,
> Lois
>
> On 8/16/2016 4:21 PM, Rachel Protacio wrote:
>> Hi,
>>
>> Bug summary: fuzzing a class file so that the class name "SomeClass"
>> is instead "LSomeClass;" passed unnoticed through the VM because it
>> was not format checked by default and the L; were stripped off before
>> lookup.
>>
>> This fix makes sure that all class names loaded by the app class
>> loader are format checked by default. The
>> Verifier::relax_verify_for() function that was previously used for
>> both format checking (setting _relax_verify) and reflection (as an
>> access check) has been renamed to relax_access_for() specifically for
>> its use in reflection.cpp. A relax_format_check_for() function has
>> been added to classFileParser.cpp to address the format checking,
>> only "relaxing" the check if loaded by the boot loader or platform
>> class loader.
>>
>> This fix adds a jtreg test, and the change passes JCK vm tests and
>> WLS tests, in addition to JPRT and RBT hotspot_all and non-colo
>> tests. A compatibility request has been approved for this change.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8148854
>> Open webrev: http://cr.openjdk.java.net/~rprotacio/8148854.00/
>>
>> Thanks!
>> Rachel
>
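Added example, not part of the thread and not HotSpot source: a simplified C++ model of the bug summary above, showing how stripping "L...;" before lookup makes "LSomeClass;" resolve as "SomeClass" unless the name is format checked first. The name rules follow JVMS 4.2.1/4.2.2; all function names, the Loader enum, and the assumption that a relaxed loader still strips the envelope are hypothetical.

```cpp
#include <cstddef>
#include <string>

// Simplified model for illustration; names here are hypothetical, not HotSpot's.

// JVMS 4.2.2: an unqualified name is non-empty and contains none of . ; [ /
static bool is_legal_unqualified_name(const std::string& s) {
    return !s.empty() && s.find_first_of(".;[/") == std::string::npos;
}

// JVMS 4.2.1: a non-array class name in internal form is a sequence of
// unqualified names joined by '/'. Array names ('[' prefix) are out of scope.
bool is_legal_class_name(const std::string& name) {
    if (name.empty() || name[0] == '[') return false;
    std::size_t start = 0;
    while (true) {
        std::size_t slash = name.find('/', start);
        std::size_t len = (slash == std::string::npos) ? std::string::npos
                                                       : slash - start;
        if (!is_legal_unqualified_name(name.substr(start, len))) return false;
        if (slash == std::string::npos) return true;
        start = slash + 1;
    }
}

// Models the normalization from the bug summary: "L" and ";" stripped before lookup.
std::string strip_descriptor_envelope(const std::string& name) {
    if (name.size() >= 3 && name.front() == 'L' && name.back() == ';')
        return name.substr(1, name.size() - 2);
    return name;
}

enum class Loader { Boot, Platform, App };

// Models the policy described in the fix: relax only for boot/platform loaders.
bool relax_format_check(Loader l) {
    return l == Loader::Boot || l == Loader::Platform;
}

// Returns the name that would be looked up, or "" if the name is rejected.
std::string resolve_name(const std::string& name, Loader l) {
    if (!relax_format_check(l) && !is_legal_class_name(name)) return "";
    return strip_descriptor_envelope(name);
}
```

With the check applied, an app-loader request for "LSomeClass;" is rejected instead of silently aliasing "SomeClass".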