[concurrency-interest] FutureTask.cancel(true) should run thread.interrupt within doPrivileged

David Holmes david.holmes at oracle.com
Thu Oct 3 02:06:23 UTC 2013


On 3/10/2013 3:02 AM, Doug Lea wrote:
> On 10/02/2013 12:29 PM, Martin Buchholz wrote:
>> FutureTask.cancel(true) invokes thread.interrupt on the thread (if any)
>> currently running the task.
>> This should succeed even if modifyThread permission is denied by the
>> security
>> manager.
>>
>
> We haven't interpreted "should" in this way in the past here or in
> related contexts, but I don't see are reason not to,  pending any
> objections by security folks.

We have been tightening the conditions under which interrupts can be 
issued, so relaxing them in this way is simply not acceptable.

David
-----

> -Doug
>
>
>> Here's a proposed fix for jdk8+:
>>
>> --- src/main/java/util/concurrent/FutureTask.java15 May 2013 02:39:59
>> -00001.103
>> +++ src/main/java/util/concurrent/FutureTask.java2 Oct 2013 16:25:23
>> -0000
>> @@ -132,6 +132,12 @@
>>           return state != NEW;
>>       }
>> +    private static void privilegedInterrupt(Thread t) {
>> +        java.security.PrivilegedAction<Void> doInterrupt =
>> +            () -> { t.interrupt(); return null; };
>> +        java.security.AccessController.doPrivileged(doInterrupt);
>> +    }
>> +
>>       public boolean cancel(boolean mayInterruptIfRunning) {
>>           if (!(state == NEW &&
>>                 UNSAFE.compareAndSwapInt(this, stateOffset, NEW,
>> @@ -142,7 +148,11 @@
>>                   try {
>>                       Thread t = runner;
>>                       if (t != null)
>> -                        t.interrupt();
>> +                        try {
>> +                            t.interrupt();
>> +                        } catch (SecurityException e) {
>> +                            privilegedInterrupt(t);
>> +                        }
>>                   } finally { // final state
>>                       UNSAFE.putOrderedInt(this, stateOffset,
>> INTERRUPTED);
>>                   }
>>
>>
>>
>> _______________________________________________
>> Concurrency-interest mailing list
>> Concurrency-interest at cs.oswego.edu
>> http://cs.oswego.edu/mailman/listinfo/concurrency-interest
>>
>



More information about the security-dev mailing list