-
Bug
-
Resolution: Unresolved
-
P3
-
8u161
-
None
-
generic
-
generic
Issue raised in this discussion thread:
http://mail.openjdk.java.net/pipermail/security-dev/2018-March/016974.html
---
If you have a custom SecurityManager, you cannot use the built-in sun.security.provider.PolicyFile because the class RBClassLoader cannot be initialized, due to a NullPointerException in its static initializer:
[java] Caused by: java.lang.NullPointerException
[java] at java.util.ResourceBundle$RBClassLoader.<clinit>(ResourceBundle.java:502)
This is just a null pointer dereference in RBClassLoader's static initializer block:
static {
    // Find the extension class loader.
    // NOTE(review): the result of getSystemClassLoader() is not null-checked before
    // ld.getParent() is evaluated in the loop condition. The stack trace in this report
    // shows this initializer running underneath ClassLoader.initSystemClassLoader (via
    // Launcher.<init> -> System.setSecurityManager), so the system class loader is
    // presumably not yet set at this point and ld is null.
    ClassLoader ld = ClassLoader.getSystemClassLoader();
    ClassLoader parent;
    // Walks up the parent chain; throws NullPointerException on the first test if ld is null.
    while ((parent = ld.getParent()) != null) {
        ld = parent;
    }
    loader = ld;
}
It should be:
static {
    // Find the extension class loader.
    ClassLoader ld = ClassLoader.getSystemClassLoader();
    ClassLoader parent;
    // Guard on ld itself, so a null system class loader skips the walk instead of
    // being dereferenced.
    while (ld != null) {
        parent = ld.getParent();
        if (parent == null) break; // ld has no parent: top of the chain reached
        ld = parent;
    }
    // loader may be null here; the RBClassLoader lookup methods quoted in this report
    // test loader != null and fall back to static lookups in that case.
    loader = ld;
}
[java] Error occurred during initialization of VM
[java] java.lang.ExceptionInInitializerError
[java] at java.util.ResourceBundle.getLoader(ResourceBundle.java:482)
[java] at java.util.ResourceBundle.getBundle(ResourceBundle.java:783)
[java] at sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:47)
[java] at sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:44)
[java] at java.security.AccessController.doPrivileged(Native Method)
[java] at sun.security.util.ResourcesMgr.getString(ResourcesMgr.java:43)
[java] at sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:888)
[java] at sun.security.provider.PolicyFile.init(PolicyFile.java:626)
[java] at sun.security.provider.PolicyFile.access$400(PolicyFile.java:258)
[java] at sun.security.provider.PolicyFile$3.run(PolicyFile.java:521)
[java] at sun.security.provider.PolicyFile$3.run(PolicyFile.java:495)
[java] at java.security.AccessController.doPrivileged(Native Method)
[java] at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:495)
[java] at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:480)
[java] at sun.security.provider.PolicyFile.init(PolicyFile.java:439)
[java] at sun.security.provider.PolicyFile.<init>(PolicyFile.java:297)
[java] at java.security.Policy.getPolicyNoCheck(Policy.java:196)
[java] at java.security.ProtectionDomain.implies(ProtectionDomain.java:285)
[java] at java.lang.System$1.run(System.java:316)
[java] Unexpected exception:
[java] java.io.IOException: The pipe is being closed
[java] at java.io.FileOutputStream.writeBytes(Native Method)
[java] at java.io.FileOutputStream.write(FileOutputStream.java:326)
[java] at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
[java] at java.io.BufferedOutputStream.write(BufferedOutputStream.java:126)
[java] at java.io.ObjectOutputStream$BlockDataOutputStream.drain(ObjectOutputStream.java:1877)
[java] at java.io.ObjectOutputStream$BlockDataOutputStream.setBlockDataMode(ObjectOutputStream.java:1786)
[java] at java.io.ObjectOutputStream.writeNonProxyDesc(ObjectOutputStream.java:1286)
[java] at java.io.ObjectOutputStream.writeClassDesc(ObjectOutputStream.java:1231)
[java] at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1427)
[java] at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
[java] at java.io.ObjectOutputStream.writeFatalException(ObjectOutputStream.java:1577)
[java] at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:351)
[java] at org.apache.river.qa.harness.MasterHarness.runTestOtherVM(MasterHarness.java:883)
[java] at org.apache.river.qa.harness.MasterHarness.access$200(MasterHarness.java:122)
[java] at org.apache.river.qa.harness.MasterHarness$TestRunner.run(MasterHarness.java:616)
[java] at org.apache.river.qa.harness.MasterHarness.runTests(MasterHarness.java:443)
[java] at org.apache.river.qa.harness.QARunner.main(QARunner.java:67)
[java]
[java] TIME: 5:52:12 PM
[java]
[java] at java.security.AccessController.doPrivileged(Native Method)
[java] at java.lang.System.setSecurityManager0(System.java:313)
[java] at java.lang.System.setSecurityManager(System.java:291)
[java] at sun.misc.Launcher.<init>(Launcher.java:101)
[java] at sun.misc.Launcher.<clinit>(Launcher.java:54)
[java] at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)
[java] at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436)
[java] Caused by: java.lang.NullPointerException
[java] at java.util.ResourceBundle$RBClassLoader.<clinit>(ResourceBundle.java:502)
[java] at java.util.ResourceBundle.getLoader(ResourceBundle.java:482)
[java] at java.util.ResourceBundle.getBundle(ResourceBundle.java:783)
[java] at sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:47)
[java] at sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:44)
[java] at java.security.AccessController.doPrivileged(Native Method)
[java] at sun.security.util.ResourcesMgr.getString(ResourcesMgr.java:43)
[java] at sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:888)
[java] at sun.security.provider.PolicyFile.init(PolicyFile.java:626)
[java] at sun.security.provider.PolicyFile.access$400(PolicyFile.java:258)
[java] at sun.security.provider.PolicyFile$3.run(PolicyFile.java:521)
[java] at sun.security.provider.PolicyFile$3.run(PolicyFile.java:495)
[java] at java.security.AccessController.doPrivileged(Native Method)
[java] at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:495)
[java] at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:480)
[java] at sun.security.provider.PolicyFile.init(PolicyFile.java:439)
[java] at sun.security.provider.PolicyFile.<init>(PolicyFile.java:297)
[java] at java.security.Policy.getPolicyNoCheck(Policy.java:196)
[java] at java.security.ProtectionDomain.implies(ProtectionDomain.java:285)
[java] at java.lang.System$1.run(System.java:316)
[java] at java.security.AccessController.doPrivileged(Native Method)
[java] at java.lang.System.setSecurityManager0(System.java:313)
[java] at java.lang.System.setSecurityManager(System.java:291)
[java] at sun.misc.Launcher.<init>(Launcher.java:101)
[java] at sun.misc.Launcher.<clinit>(Launcher.java:54)
[java] at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)
[java] at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436)
In an earlier version of Java 1.8 RBClassLoader looked like this (it checked for null, so no NPE):
/**
 * A wrapper of ClassLoader.getSystemClassLoader().
 *
 * <p>Each lookup delegates to the captured loader when it is non-null and otherwise
 * falls back to the corresponding static lookup. The captured value is never
 * dereferenced during class initialization, so a null system class loader does not
 * make initialization fail.
 */
private static class RBClassLoader extends ClassLoader {
    // The single instance, created inside a privileged action.
    private static final RBClassLoader INSTANCE = AccessController.doPrivileged(
        new PrivilegedAction<RBClassLoader>() {
            public RBClassLoader run() {
                return new RBClassLoader();
            }
        });
    // Captured once at class initialization; stored as-is, so it may be null.
    private static final ClassLoader loader = ClassLoader.getSystemClassLoader();
    // Private: instances are only created through INSTANCE above.
    private RBClassLoader() {
    }
    // Loads the class through the captured loader, or through Class.forName when it is null.
    public Class<?> loadClass(String name) throws ClassNotFoundException {
        if (loader != null) {
            return loader.loadClass(name);
        }
        return Class.forName(name);
    }
    // Resolves the resource through the captured loader, or through
    // ClassLoader.getSystemResource when it is null.
    public URL getResource(String name) {
        if (loader != null) {
            return loader.getResource(name);
        }
        return ClassLoader.getSystemResource(name);
    }
    // Opens the resource through the captured loader, or through
    // ClassLoader.getSystemResourceAsStream when it is null.
    public InputStream getResourceAsStream(String name) {
        if (loader != null) {
            return loader.getResourceAsStream(name);
        }
        return ClassLoader.getSystemResourceAsStream(name);
    }
}
In 1.8.0_162 it looks like this; note the null pointer dereference in the static initializer:
/**
 * A wrapper of Extension Class Loader
 *
 * <p>NOTE(review): unlike the lookup methods below, which all test loader != null,
 * the static initializer dereferences the result of getSystemClassLoader() without a
 * null check. When that call returns null, class initialization fails with a
 * NullPointerException, which surfaces as the ExceptionInInitializerError shown in
 * this report.
 */
private static class RBClassLoader extends ClassLoader {
    // The single instance, created inside a privileged action.
    private static final RBClassLoader INSTANCE = AccessController.doPrivileged(
        new PrivilegedAction<RBClassLoader>() {
            public RBClassLoader run() {
                return new RBClassLoader();
            }
        });
    // Assigned in the static initializer below.
    private static final ClassLoader loader;
    static {
        // Find the extension class loader.
        ClassLoader ld = ClassLoader.getSystemClassLoader();
        ClassLoader parent;
        // Walks up the parent chain; ld.getParent() throws NullPointerException if ld is null.
        while ((parent = ld.getParent()) != null) {
            ld = parent;
        }
        loader = ld;
    }
    // Private: instances are only created through INSTANCE above.
    private RBClassLoader() {
    }
    // Loads the class through loader, or through Class.forName when loader is null.
    public Class<?> loadClass(String name) throws ClassNotFoundException {
        if (loader != null) {
            return loader.loadClass(name);
        }
        return Class.forName(name);
    }
    // Resolves the resource through loader, or through ClassLoader.getSystemResource
    // when loader is null.
    public URL getResource(String name) {
        if (loader != null) {
            return loader.getResource(name);
        }
        return ClassLoader.getSystemResource(name);
    }
    // Opens the resource through loader, or through
    // ClassLoader.getSystemResourceAsStream when loader is null.
    public InputStream getResourceAsStream(String name) {
        if (loader != null) {
            return loader.getResourceAsStream(name);
        }
        return ClassLoader.getSystemResourceAsStream(name);
    }
}