RFR: 8368097: [asan] heap-buffer-overflow reported in ClassFileParser::skip_over_field_signature
Johan Sjölen
jsjolen at openjdk.org
Tue Sep 30 08:31:58 UTC 2025
On Fri, 26 Sep 2025 12:59:56 GMT, Johan Sjölen <jsjolen at openjdk.org> wrote:
> Hi,
>
> `skip_over_field_name` may produce a pointer which is exactly one `char` of bounds, which is the dereferenced by `skip_over_field_signature` when it looks for a semi-colon. This causes an out-of-bounds read, which ASAN caught. The fix is to check whether it's OK to dereference `p` or not.
>
> We keep the semantics the same other than that, so `skip_over_field_signature` and `skip_over_field_name` can both return a pointer which is one past the valid memory range. Creating such a pointer is explicitly not UB, but dereferencing it is.
src/hotspot/share/classfile/classFileParser.cpp line 4689:
> 4687: p[0] == JVM_SIGNATURE_ENDCLASS) {
> 4688: return p + 1;
> 4689: }
Should probably do the equivalent length check that is done in other callees.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27528#discussion_r2382375179
More information about the hotspot-runtime-dev
mailing list