'RE: RFR: JDK-8068155: [Findbugs]new sun.jvm.hotspot.utilities.ObjectReader() creates a'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openjdk-serviceability-dev
Subject:    RE: RFR: JDK-8068155: [Findbugs]new sun.jvm.hotspot.utilities.ObjectReader() creates a
From:       Sharath Ballal <sharath.ballal () oracle ! com>
Date:       2016-09-16 8:47:24
Message-ID: 7d5acf26-3db2-4bab-a3c5-3f187b1fd40c () default
[Download RAW message or body]

I tried to do some experiments from my side to check if this issue could be hit, but \
I could not successfully do anything.  As per the discussion in this thread, I will \
close the bug as 'not an issue'.  Thanks all for the inputs.


-Sharath Ballal


-----Original Message-----
From: Dmitry Samersoff 
Sent: Thursday, September 15, 2016 4:19 PM
To: Harsha wardhana B; Sharath Ballal; David Holmes; \
                serviceability-dev@openjdk.java.net
Subject: Re: RFR: JDK-8068155: [Findbugs]new sun.jvm.hotspot.utilities.ObjectReader() \
creates a sun.jvm.hotspot.utilities.ProcImageClassLoader classloader, which should be \
performed within a doPrivileged block

Sharath,

I don't see any requirements that ObjectReader should run with an application that \
install security manager but doesn't have RuntimePermission.createClassLoader

So I would recommend to close this bug as "not an issue".

-Dmitry

On 2016-09-15 06:38, Harsha wardhana B wrote:
> Hello,
> 
> It is not required that SA should be run under security manager to 
> address this change. Any standalone application when run under 
> security manager can use ObjectReader class to exploit 
> vulnerabilities. That is something that should be evaluated.
> 
> With the below fix any application when run under security manager 
> without RuntimePermission.createClassLoader will be able to create 
> ProcImageClassLoader. We need to check if it is something that is 
> desired and what vulnerabilities can be exploited, if any.
> 
> -Harsha
> 
> On 9/14/2016 5:58 PM, Sharath Ballal wrote:
> > David,
> > > That aside, the code uses raw types, which is bad. It should also be 
> > > able to retain the this(...) invocation e.g (I haven't compiled this):
> > This works, Thanks.
> > 
> > 
> > -Sharath Ballal
> > 
> > 
> > 
> > -----Original Message-----
> > From: David Holmes
> > Sent: Wednesday, September 14, 2016 3:07 PM
> > To: Sharath Ballal;serviceability-dev@openjdk.java.net
> > Subject: Re: RFR: JDK-8068155: [Findbugs]new
> > sun.jvm.hotspot.utilities.ObjectReader() creates a 
> > sun.jvm.hotspot.utilities.ProcImageClassLoader classloader, which 
> > should be performed within a doPrivileged block
> > 
> > Hi Sharath,
> > 
> > On 14/09/2016 6:14 PM, Sharath Ballal wrote:
> > > Hello,
> > > 
> > > Please review this fix to add creation of classloader code into 
> > > doPrivileged block
> > > 
> > > Issue:https://bugs.openjdk.java.net/browse/JDK-8068155
> > > 
> > > Webrev:http://cr.openjdk.java.net/~sballal/8068155/webrev.00/
> > First I'm also curious about why FindBugs thinks this is needed. 
> > AFAIK you use the doPrivileged to allow you to create the classLoader 
> > when it would otherwise fail if a SecurityManager were present.
> > 
> > That aside, the code uses raw types, which is bad. It should also be 
> > able to retain the this(...) invocation e.g (I haven't compiled this):
> > 
> > public ObjectReader() {
> > this(AccessController.doPrivileged(
> > new PrivilegedAction<ClassLoader>() {
> > public ClassLoader run() {
> > return new ProcImageClassLoader();
> > }
> > }
> > ));
> > }
> > 
> > Thanks,
> > David
> > 
> > > -Sharath Ballal
> > > 
> > > 
> > > 
> > > 
> > > 
> 


--
Dmitry Samersoff
Oracle Java development team, Saint Petersburg, Russia
* I would love to change the world, but they won't give me the sources.


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic