Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8262922

Randomise mapped CDS address and relocate pointers by default

    XMLWordPrintable

    Details

    • Subcomponent:
    • CPU:
      x86_64
    • OS:
      linux

      Description

      ADDITIONAL SYSTEM INFORMATION :
      Ubuntu Focal with jdk-16+14

      A DESCRIPTION OF THE PROBLEM :
      The CDS archive is mapped as RWX to a static location (usually 0x800000000) and contains frequently-executed trampolines for CDS methods. This allows shellcode to be run with only an arbitrary-write vulnerability, whereas if the address was randomised a memory leak would also be required. Here's a poc using sun.misc.Unsafe to spray a 0xCC (INT3) instruction to the beginning of the CDS region, which is then executed and triggers a SIGTRAP signal:
      ```
      import sun.misc.Unsafe;
      import java.lang.reflect.Field;
      class demo {
        private static Unsafe getUnsafe() throws IllegalAccessException, NoSuchFieldException {
            Field f = Unsafe.class.getDeclaredField("theUnsafe");
            f.setAccessible(true);
            return (Unsafe) f.get(null);
        }

        public static void main(String argv[]) throws Exception {
          byte opcode = (byte)(0xcc & 0xff);
          for(int i = 0; i < 500; i++) {
             getUnsafe().putByte(0x800000000l + i, opcode);
          }
        }
      }
      ```.
      Benchmarks from JDK-8231610 show around an eight-millisecond performance degradation when using a system-chosen (randomised) address and relocating pointers within the CDS archive.
      =====
      This could be fixed by making the default behaviour not to use FileMapHeader::_requested_base_address, and behave in the same way as if the SharedBaseAddress (when the archive was dumped) was 0.


        Attachments

          Issue Links

            Activity

              People

              Assignee:
              iklam Ioi Lam
              Reporter:
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated: