Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8304932

MethodTypeDescImpl can be mutated by argument passed to MethodTypeDesc.of

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P4 P4
    • 21
    • 20, 21
    • core-libs
    • None
    • b26

      If a malicious actor holds a reference to the argument array passed to MethodTypeDesc.of factory, it can mutate a supposingly immutable MethodTypeDesc and create an illegal MethodTypeDesc.

          jshell> import java.lang.constant.*;
          
          jshell> import java.lang.invoke.*;
          
          jshell> import static java.lang.constant.ConstantDescs.*;
          
          jshell> ClassDesc[] args = { CD_int, CD_Long};
          args ==> ClassDesc[2] { PrimitiveClassDesc[int], ClassDesc[Long] }
          
          jshell> var mtd = MethodTypeDesc.of(CD_void, args);
          mtd ==> MethodTypeDesc[(int,Long)void]
          
          jshell> mtd
          mtd ==> MethodTypeDesc[(int,Long)void]
          
          jshell> args[1] = CD_void
          $7 ==> PrimitiveClassDesc[void]
          
          jshell> mtd
          mtd ==> MethodTypeDesc[(int,void)void]

      I recommend changing MethodTypeDescImpl to be list-backed than array-backed to reduce allocations on `parameterList` calls too.

            liach Chen Liang
            liach Chen Liang
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: