RFR: 8156071: List.of: reduce array copying during creation

Stuart Marks smarks at openjdk.java.net
Tue Oct 6 17:48:09 UTC 2020


On Tue, 6 Oct 2020 05:07:37 GMT, Tagir F. Valeev <tvaleev at openjdk.org> wrote:

>> Sorry to be late to the party. I thought that all reviews labeled with core-libs should be mirrored to core-libs-dev
>> mailing list but I haven't seen it there :(
>> Please note that the integrated implementation exposes listFromTrustedArray to everybody. No dirty unsafe reflection is
>> necessary, only single unchecked cast:
>>   static <T> List<T> untrustedArrayToList(T[] array) {
>>     @SuppressWarnings("unchecked")
>>     Function<List<T>, List<T>> finisher =
>>         (Function<List<T>, List<T>>) Collectors.<T>toUnmodifiableList().finisher();
>>     ArrayList<T> list = new ArrayList<>() {
>>       @Override
>>       public Object[] toArray() {
>>         return array;
>>       }
>>     };
>>     return finisher.apply(list);
>>   }
>> 
>> This might be qualified as a security issue.
>
> This could be fixed by adding a classword check to the finisher, like this:
> 
>                                    list -> {
>                                         if (list.getClass() != ArrayList.class) {
>                                             throw new IllegalArgumentException();
>                                         }
>                                         return (List<T>) SharedSecrets.getJavaUtilCollectionAccess()
>                                            .listFromTrustedArray(list.toArray());
>                                    },

Thanks for pointing this out. I've filed bug [JDK-8254090](https://bugs.openjdk.java.net/browse/JDK-8254090). I think
we're ok as long as this gets fixed before JDK 16 ships.

I think the notification messages for this did end up on core-libs-dev, but perhaps there were some email delays over
the weekend.

-------------

PR: https://git.openjdk.java.net/jdk/pull/449



More information about the security-dev mailing list