Details
P4 Description
ADDITIONAL SYSTEM INFORMATION :
Ubuntu Focal with jdk-16+14
A DESCRIPTION OF THE PROBLEM :
The CDS archive is mapped as RWX to a static location (usually 0x800000000) and contains frequently-executed trampolines for CDS methods. This allows shellcode to be run with only an arbitrary-write vulnerability, whereas if the address was randomised a memory leak would also be required. Here's a poc using sun.misc.Unsafe to spray a 0xCC (INT3) instruction to the beginning of the CDS region, which is then executed and triggers a SIGTRAP signal:
```
import sun.misc.Unsafe;
import java.lang.reflect.Field;
class demo {
private static Unsafe getUnsafe() throws IllegalAccessException, NoSuchFieldException {
Field f = Unsafe.class.getDeclaredField("theUnsafe");
f.setAccessible(true);
return (Unsafe) f.get(null);
}
public static void main(String argv[]) throws Exception {
byte opcode = (byte)(0xcc & 0xff);
for(int i = 0; i < 500; i++) {
getUnsafe().putByte(0x800000000l + i, opcode);
}
}
}
```.
Benchmarks fromJDK-8231610 show around an eight-millisecond performance degradation when using a system-chosen (randomised) address and relocating pointers within the CDS archive.
=====
This could be fixed by making the default behaviour not to use FileMapHeader::_requested_base_address, and behave in the same way as if the SharedBaseAddress (when the archive was dumped) was 0.
Ubuntu Focal with jdk-16+14
A DESCRIPTION OF THE PROBLEM :
The CDS archive is mapped as RWX to a static location (usually 0x800000000) and contains frequently-executed trampolines for CDS methods. This allows shellcode to be run with only an arbitrary-write vulnerability, whereas if the address was randomised a memory leak would also be required. Here's a poc using sun.misc.Unsafe to spray a 0xCC (INT3) instruction to the beginning of the CDS region, which is then executed and triggers a SIGTRAP signal:
```
import sun.misc.Unsafe;
import java.lang.reflect.Field;
class demo {
private static Unsafe getUnsafe() throws IllegalAccessException, NoSuchFieldException {
Field f = Unsafe.class.getDeclaredField("theUnsafe");
f.setAccessible(true);
return (Unsafe) f.get(null);
}
public static void main(String argv[]) throws Exception {
byte opcode = (byte)(0xcc & 0xff);
for(int i = 0; i < 500; i++) {
getUnsafe().putByte(0x800000000l + i, opcode);
}
}
}
```.
Benchmarks from
=====
This could be fixed by making the default behaviour not to use FileMapHeader::_requested_base_address, and behave in the same way as if the SharedBaseAddress (when the archive was dumped) was 0.
Attachments
Issue Links
- duplicates
-
JDK-8231610 Relocate the CDS archive if it cannot be mapped to the requested address
-
- Resolved
-
- relates to
-
-
- Resolved
-
-
-
- Resolved
-