8365203: defineClass with direct buffer can cause use-after-free #26724

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open: wants to merge 3 commits into base: master
17 changes: 13 additions & 4 deletions src/java.base/share/classes/java/lang/ClassLoader.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 2025, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2019, Azul Systems, Inc. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@@ -52,6 +52,7 @@
import java.util.stream.Stream;
import java.util.stream.StreamSupport;

import jdk.internal.access.SharedSecrets;
import jdk.internal.loader.BootLoader;
import jdk.internal.loader.BuiltinClassLoader;
import jdk.internal.loader.ClassLoaders;
@@ -1049,14 +1050,22 @@ protected final Class<?> defineClass(String name, java.nio.ByteBuffer b,

protectionDomain = preDefineClass(name, protectionDomain);
String source = defineClassSourceLocation(protectionDomain);
Class<?> c = defineClass2(this, name, b, b.position(), len, protectionDomain, source);
postDefineClass(c, protectionDomain);
return c;

SharedSecrets.getJavaNioAccess().acquireSession(b);
Contributor Author: Now that the fields in SharedSecrets are @Stable, we do not have to make a local copy in a static final field.

try {
Class<?> c = defineClass2(this, name, b, b.position(), len, protectionDomain, source);
postDefineClass(c, protectionDomain);
Member: Should we leave postDefineClass out of this acquire-release scope? I don't see any reason for including this.

Contributor: I don't think it matters here because something looking to close the arena around the time that it wants to defineClass with memory allocated from that arena is broken.

return c;
} finally {
SharedSecrets.getJavaNioAccess().releaseSession(b);
}
}

static native Class<?> defineClass1(ClassLoader loader, String name, byte[] b, int off, int len,
ProtectionDomain pd, String source);

// Warning: Before calling this method, the provided ByteBuffer must be guarded
// via JavaNioAccess::(acquire|release)Session
static native Class<?> defineClass2(ClassLoader loader, String name, java.nio.ByteBuffer b,
int off, int len, ProtectionDomain pd,
String source);
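Review bot: the acquire/release pairing is sound: acquireSession(b) sits after preDefineClass and defineClassSourceLocation and outside the try, so an exception from those calls, or from acquireSession itself when the arena is already closed, propagates without an unmatched releaseSession, and the finally guarantees the release on every exit path through defineClass2 and postDefineClass. Two documentation points remain. The user-facing Javadoc of defineClass(String, ByteBuffer, ProtectionDomain) should state that the buffer's backing memory session is held for the duration of the call, because a caller that closes the arena concurrently will now observe an exception where it previously risked reading freed memory, and that is new observable behaviour. The warning added above defineClass2 names the obligation but not who discharges it; naming the caller that holds the session (this defineClass overload) makes it harder for a future caller to bypass the guard, and a short note that defineClass1 (byte[]) needs no such guard would complete the picture. Finally, it is worth stating in the same comment what acquireSession does for heap-backed or non-arena direct buffers, since this path runs for every ByteBuffer, not only arena-backed ones.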
75 changes: 75 additions & 0 deletions test/jdk/java/lang/ClassLoader/defineClass/GuardByteBuffer.java
@@ -0,0 +1,75 @@
/*
* Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/*
* @test
* @bug 8365203
* @summary Tests guarding of ByteBuffers in ClassLoader::defineClass
* @run junit GuardByteBuffer
*/

import org.junit.jupiter.api.Test;

import java.lang.foreign.Arena;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.LockSupport;

final class GuardByteBuffer {

@Test
void guardCrash() throws InterruptedException {
Contributor Author: I was not able to reproduce the crash using this test on a Mac. The original reproducer worked on a Windows machine.

final var cl = new ClassLoader() {
void tryCrash() {
var arena = Arena.ofConfined();
int size = 65536;
var byteBuffer = arena.allocate(size).asByteBuffer();
for (int i = 0; i < size; i += Long.BYTES) {
byteBuffer.putLong(i, ThreadLocalRandom.current().nextLong());
}
// Close the arena underneath
arena.close();
defineClass(null, byteBuffer, null);
}
};
final List<Thread> threads = new ArrayList<>();
for (int i = 0; i < Runtime.getRuntime().availableProcessors(); i++) {
Contributor: This means all cores spinning for 20s - we'll have to see if it causes any side effects and slow down of other tests that happen to run at the same time in other agent VMs (make run-test uses concurrency by default).

Member: Indeed, tier 1 tests are recommended to run for 10 seconds.

threads.add(Thread.ofPlatform().start(() -> forAWhile(cl::tryCrash)));
}
for (var thread : threads) {
thread.join();
}
}

static void forAWhile(Runnable runnable) {
final long deadLine = System.nanoTime() + TimeUnit.SECONDS.toNanos(20);
while (System.nanoTime() < deadLine) {
try {
runnable.run();
} catch (Throwable _) { }
}
}

}
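Review bot: guardCrash passes vacuously on any platform where the race does not reproduce (the author notes it only reproduced on Windows), because forAWhile swallows every Throwable and the test asserts nothing; its only failure mode is a JVM crash. Suggest adding a deterministic check alongside the stress loop: call defineClass on a buffer whose arena has already been closed exactly as tryCrash does, and assert that it throws rather than returning (for example with assertThrows), so the guard is verified even when the timing never lines up. The 20 s spin on every core also exceeds the 10 s guideline raised in the thread; TimeUnit.SECONDS.toNanos(20) should become a named constant at 10 or less. Minor: java.util.concurrent.locks.LockSupport is imported but never used, and a one-line comment on the random-fill loop saying the bytes are deliberately not a valid class file (so defineClass is expected to throw on every iteration) would explain why no result is checked.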