Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8236582

(fc) FileChannel.map fails with InternalError when security manager enabled

    Details

    • Subcomponent:
    • Resolved In Build:
      b32
    • CPU:
      x86_64
    • OS:
      linux_ubuntu
    • Verification:
      Verified

      Backports

        Description

        ADDITIONAL SYSTEM INFORMATION :
        openjdk 14-ea 2020-03-17
        OpenJDK Runtime Environment (build 14-ea+29-1384)
        OpenJDK 64-Bit Server VM (build 14-ea+29-1384, mixed mode, sharing)

        Linux 4.15.0-72-generic #81-Ubuntu

        A DESCRIPTION OF THE PROBLEM :
        With security on, FileChannel.map fails with InternalError:

        Exception in thread "main" java.lang.InternalError: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
        at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:46)
        at java.base/sun.nio.ch.FileChannelImpl.isSync(FileChannelImpl.java:1119)
        at java.base/sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:994)
        at FileChannelExtendedMapModeBug.main(FileChannelExtendedMapModeBug.java:11)
        Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
        at java.base/java.lang.invoke.MethodHandles.privateLookupIn(MethodHandles.java:223)
        at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:42)

        This works fine in java 13. It was encountered during Elasticsearch CI here: https://github.com/elastic/elasticsearch/issues/50512 and can be reproduced with following program:

        import java.io.IOException;
        import java.nio.channels.FileChannel;
        import java.nio.file.Files;
        import java.nio.file.Path;

        public class FileChannelExtendedMapModeBug {
            public static void main(String[] args) throws IOException {
                Path tempFile = Files.createTempFile("test", "test");
                FileChannel ch = FileChannel.open(tempFile);
                System.setSecurityManager(new SecurityManager());
                ch.map(FileChannel.MapMode.READ_ONLY, 0, 0);
            }
        }

        The static initializer in ExtendedMapMode seems to be the cause, requiring elevated permissions. By map'ing a file before enabling security, the issue goes away.

        REGRESSION : Last worked in version 13.0.1

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Compile and run the program above using java 14 (fails) and java 13 (works).

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        The ability to use FileChannel.map with security on.
        ACTUAL -
        Program to reproduce gave this:

        Exception in thread "main" java.lang.InternalError: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
        at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:46)
        at java.base/sun.nio.ch.FileChannelImpl.isSync(FileChannelImpl.java:1119)
        at java.base/sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:994)
        at FileChannelExtendedMapModeBug.main(FileChannelExtendedMapModeBug.java:13)
        Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
        at java.base/java.lang.invoke.MethodHandles.privateLookupIn(MethodHandles.java:223)
        at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:42)
        ... 3 more

        Elasticsearch CI gave this:

        org.elasticsearch.test.CorruptionUtilsTests > testLuceneCheckIndexIgnoresLast4Bytes FAILED
            java.lang.InternalError: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
                at __randomizedtesting.SeedInfo.seed([F5460B55BBCC2378:70578525AA44A9A7]:0)
                at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:46)
                at java.base/sun.nio.ch.FileChannelImpl.isSync(FileChannelImpl.java:1119)
                at java.base/sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:994)
                at org.apache.lucene.mockfile.FilterFileChannel.map(FilterFileChannel.java:121)
                at org.apache.lucene.mockfile.FilterFileChannel.map(FilterFileChannel.java:121)
                at org.apache.lucene.mockfile.FilterFileChannel.map(FilterFileChannel.java:121)
                at org.apache.lucene.store.MMapDirectory.map(MMapDirectory.java:267)
                at org.apache.lucene.store.MMapDirectory.openInput(MMapDirectory.java:242)
                at org.apache.lucene.util.LuceneTestCase.slowFileExists(LuceneTestCase.java:2862)
                at org.apache.lucene.store.MockDirectoryWrapper.openInput(MockDirectoryWrapper.java:747)
                at org.apache.lucene.store.FilterDirectory.openInput(FilterDirectory.java:100)
                at org.apache.lucene.store.FilterDirectory.openInput(FilterDirectory.java:100)
                at org.apache.lucene.store.Directory.openChecksumInput(Directory.java:157)
                at org.apache.lucene.index.SegmentInfos.readCommit(SegmentInfos.java:287)
                at org.apache.lucene.index.IndexWriter.<init>(IndexWriter.java:846)
                at org.elasticsearch.index.store.Store.newAppendingIndexWriter(Store.java:1541)
                at org.elasticsearch.index.store.Store.associateIndexWithNewTranslog(Store.java:1448)
                at org.elasticsearch.index.shard.StoreRecovery.internalRecoverFromStore(StoreRecovery.java:416)
                at org.elasticsearch.index.shard.StoreRecovery.lambda$recoverFromStore$0(StoreRecovery.java:94)
                at org.elasticsearch.action.ActionListener.completeWith(ActionListener.java:285)
                at org.elasticsearch.index.shard.StoreRecovery.recoverFromStore(StoreRecovery.java:92)
                at org.elasticsearch.index.shard.IndexShard.recoverFromStore(IndexShard.java:1841)
                at org.elasticsearch.index.shard.IndexShardTestCase.recoverFromStore(IndexShardTestCase.java:799)
                at org.elasticsearch.index.shard.IndexShardTestCase.recoverShardFromStore(IndexShardTestCase.java:550)
                at org.elasticsearch.index.shard.IndexShardTestCase.newStartedShard(IndexShardTestCase.java:512)
                at org.elasticsearch.index.shard.IndexShardTestCase.newStartedShard(IndexShardTestCase.java:499)
                at org.elasticsearch.index.shard.IndexShardTestCase.newStartedShard(IndexShardTestCase.java:477)
                at org.elasticsearch.test.CorruptionUtilsTests.testLuceneCheckIndexIgnoresLast4Bytes(CorruptionUtilsTests.java:45)
                Caused by:
                java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
                    at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
                    at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
                    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
                    at java.base/java.lang.invoke.MethodHandles.privateLookupIn(MethodHandles.java:223)
                    at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:42)
                    ... 27 more

        ---------- BEGIN SOURCE ----------

        import java.io.IOException;
        import java.nio.channels.FileChannel;
        import java.nio.file.Files;
        import java.nio.file.Path;

        public class FileChannelExtendedMapModeBug {
            public static void main(String[] args) throws IOException {
                Path tempFile = Files.createTempFile("test", "test");
                FileChannel ch = FileChannel.open(tempFile);

                System.setSecurityManager(new SecurityManager());
                ch.map(FileChannel.MapMode.READ_ONLY, 0, 0);
            }
        }

        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        Use FileChannel.map before enabling security.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  bpb Brian Burkhalter
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: