- Bug
- Resolution: Fixed
- P4
- 1.2.0
- None
- beta
- generic
- generic
- Verified

Currently, serialization does not verify that serialPersistentFields-specified
fields are non-static. As a result, in 1.2-FCS through 1.2.2 it is possible to
change the value of static fields (including final ones) by serializing and
deserializing a class whose serialPersistentFields array references the static
fields.
The attached code demonstrates this bug by changing the value of the
serialPersistentFields field itself.
This bug also exists in 1.3; however, due to the use of native code for
setting/getting field values, the end result is less conspicuous: serialization
passes the native field ID for a static method to the JNI function
Set<type>Field(), which expects a non-static field ID. The result appears to
be memory corruption: Set<type>Field misinterprets the static variable's
address as an offset into the given object's data fields, which it then uses to
store the field value.