RFR: JDK-8068155: [Findbugs]new sun.jvm.hotspot.utilities.ObjectReader() creates a sun.jvm.hotspot.utilities.ProcImageClassLoader classloader, which should be performed within a doPrivileged block

Sundararajan Athijegannathan sundararajan.athijegannathan at oracle.com
Thu Sep 15 10:54:12 UTC 2016 

+1

PS.

* SA module does not export any package - as of now, only jhsdb is the
only way to use SA. So, most findbugs findings are noise. i.e., user
code or any code outside SA module cannot access SA programmatically.

Only way is to use command line switches of Java launcher - if untrusted
code can do that [it cannot!], all doomed anyway :)

-Sundar

On 9/15/2016 4:19 PM, Dmitry Samersoff wrote:
> Sharath,
>
> I don't see any requirements that ObjectReader should run with an
> application that install security manager but doesn't have
> RuntimePermission.createClassLoader
>
> So I would recommend to close this bug as "not an issue".
>
> -Dmitry
>
> On 2016-09-15 06:38, Harsha wardhana B wrote:
>> Hello,
>>
>> It is not required that SA should be run under security manager to
>> address this change. Any standalone application when run under security
>> manager can use ObjectReader class to exploit vulnerabilities. That is
>> something that should be evaluated.
>>
>> With the below fix any application when run under security manager
>> without RuntimePermission.createClassLoader will be able to create
>> ProcImageClassLoader. We need to check if it is something that is
>> desired and what vulnerabilities can be exploited, if any.
>>
>> -Harsha
>>
>> On 9/14/2016 5:58 PM, Sharath Ballal wrote:
>>> David,
>>>> That aside, the code uses raw types, which is bad. It should also be
>>>> able to retain the this(...) invocation e.g (I haven't compiled this):
>>> This works, Thanks.
>>>
>>>
>>> -Sharath Ballal
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: David Holmes
>>> Sent: Wednesday, September 14, 2016 3:07 PM
>>> To: Sharath Ballal;serviceability-dev at openjdk.java.net
>>> Subject: Re: RFR: JDK-8068155: [Findbugs]new
>>> sun.jvm.hotspot.utilities.ObjectReader() creates a
>>> sun.jvm.hotspot.utilities.ProcImageClassLoader classloader, which
>>> should be performed within a doPrivileged block
>>>
>>> Hi Sharath,
>>>
>>> On 14/09/2016 6:14 PM, Sharath Ballal wrote:
>>>> Hello,
>>>>
>>>> Please review this fix to add creation of classloader code into
>>>> doPrivileged block
>>>>
>>>> Issue:https://bugs.openjdk.java.net/browse/JDK-8068155
>>>>
>>>> Webrev:http://cr.openjdk.java.net/~sballal/8068155/webrev.00/
>>> First I'm also curious about why FindBugs thinks this is needed. AFAIK
>>> you use the doPrivileged to allow you to create the classLoader when
>>> it would otherwise fail if a SecurityManager were present.
>>>
>>> That aside, the code uses raw types, which is bad. It should also be
>>> able to retain the this(...) invocation e.g (I haven't compiled this):
>>>
>>>     public ObjectReader() {
>>>         this(AccessController.doPrivileged(
>>>            new PrivilegedAction<ClassLoader>() {
>>>               public ClassLoader run() {
>>>                  return new ProcImageClassLoader();
>>>               }
>>>            }
>>>         ));
>>>      }
>>>
>>> Thanks,
>>> David
>>>
>>>> -Sharath Ballal
>>>>
>>>>
>>>>
>>>>
>>>>
>

More information about the serviceability-dev mailing list