RFR: JDK-8068155: [Findbugs]new sun.jvm.hotspot.utilities.ObjectReader() creates a sun.jvm.hotspot.utilities.ProcImageClassLoader classloader, which should be performed within a doPrivileged block

Sharath Ballal sharath.ballal at oracle.com
Fri Sep 16 08:47:24 UTC 2016 

I tried to do some experiments from my side to check if this issue could be hit, but I could not successfully do anything.  As per the discussion in this thread, I will close the bug as 'not an issue'.  Thanks all for the inputs.


-Sharath Ballal


-----Original Message-----
From: Dmitry Samersoff 
Sent: Thursday, September 15, 2016 4:19 PM
To: Harsha wardhana B; Sharath Ballal; David Holmes; serviceability-dev at openjdk.java.net
Subject: Re: RFR: JDK-8068155: [Findbugs]new sun.jvm.hotspot.utilities.ObjectReader() creates a sun.jvm.hotspot.utilities.ProcImageClassLoader classloader, which should be performed within a doPrivileged block

Sharath,

I don't see any requirements that ObjectReader should run with an application that install security manager but doesn't have RuntimePermission.createClassLoader

So I would recommend to close this bug as "not an issue".

-Dmitry

On 2016-09-15 06:38, Harsha wardhana B wrote:
> Hello,
> 
> It is not required that SA should be run under security manager to 
> address this change. Any standalone application when run under 
> security manager can use ObjectReader class to exploit 
> vulnerabilities. That is something that should be evaluated.
> 
> With the below fix any application when run under security manager 
> without RuntimePermission.createClassLoader will be able to create 
> ProcImageClassLoader. We need to check if it is something that is 
> desired and what vulnerabilities can be exploited, if any.
> 
> -Harsha
> 
> On 9/14/2016 5:58 PM, Sharath Ballal wrote:
>> David,
>>> That aside, the code uses raw types, which is bad. It should also be 
>>> able to retain the this(...) invocation e.g (I haven't compiled this):
>> This works, Thanks.
>>
>>
>> -Sharath Ballal
>>
>>
>>
>> -----Original Message-----
>> From: David Holmes
>> Sent: Wednesday, September 14, 2016 3:07 PM
>> To: Sharath Ballal;serviceability-dev at openjdk.java.net
>> Subject: Re: RFR: JDK-8068155: [Findbugs]new
>> sun.jvm.hotspot.utilities.ObjectReader() creates a 
>> sun.jvm.hotspot.utilities.ProcImageClassLoader classloader, which 
>> should be performed within a doPrivileged block
>>
>> Hi Sharath,
>>
>> On 14/09/2016 6:14 PM, Sharath Ballal wrote:
>>> Hello,
>>>
>>> Please review this fix to add creation of classloader code into 
>>> doPrivileged block
>>>
>>> Issue:https://bugs.openjdk.java.net/browse/JDK-8068155
>>>
>>> Webrev:http://cr.openjdk.java.net/~sballal/8068155/webrev.00/
>> First I'm also curious about why FindBugs thinks this is needed. 
>> AFAIK you use the doPrivileged to allow you to create the classLoader 
>> when it would otherwise fail if a SecurityManager were present.
>>
>> That aside, the code uses raw types, which is bad. It should also be 
>> able to retain the this(...) invocation e.g (I haven't compiled this):
>>
>>     public ObjectReader() {
>>         this(AccessController.doPrivileged(
>>            new PrivilegedAction<ClassLoader>() {
>>               public ClassLoader run() {
>>                  return new ProcImageClassLoader();
>>               }
>>            }
>>         ));
>>      }
>>
>> Thanks,
>> David
>>
>>> -Sharath Ballal
>>>
>>>
>>>
>>>
>>>
> 


--
Dmitry Samersoff
Oracle Java development team, Saint Petersburg, Russia
* I would love to change the world, but they won't give me the sources.

More information about the serviceability-dev mailing list