Wed, 21 May 2014 10:56:41 -0700
Added tag jdk8u20-b15 for changeset 8c785f9bde6f
aoqi@0 | 2 | import java.lang.reflect.*; |
aoqi@0 | 3 | import java.security.*; |
aoqi@0 | 4 | |
/**
 * Reproducer for a type-safety problem involving two class loaders that each
 * supply a class named {@code many_loader}.
 *
 * <p>The program stores a {@link String} in {@link #_p0wnee}, obtains a
 * {@code many_loader[]} through an object created by a second loader, and then
 * reads and writes that String through the fields of the unrelated class
 * {@code You_Have_Been_P0wned}. Reaching those field accesses at all means the
 * VM accepted one class in place of another with the same name.
 *
 * <p>NOTE(review): {@code many_loader}, {@code Loader2}, {@code IFace},
 * {@code from_loader2} and {@code You_Have_Been_P0wned} are defined outside
 * this file. Presumably a VM that enforces loader constraints rejects the
 * mismatched {@code many_loader} (likely with a {@code LinkageError}) before
 * any field is read, and the test harness treats that as the passing outcome.
 * Confirm against the accompanying test driver.
 */
public abstract class bug_21227 {

  // Any reference may be stored here; the reproducer attempts to have it viewed
  // as a You_Have_Been_P0wned.
  public static Object _p0wnee;

  /**
   * Runs the reproducer once and prints what it observes.
   *
   * <p>Output, in order: {@code "Warmup"}, the loader and class of the array
   * element versus the statically named {@code many_loader}, the four
   * {@code int} fields read through {@code You_Have_Been_P0wned}, a notice,
   * and finally the victim String after one of those fields is overwritten.
   *
   * @param argv command-line arguments; not read
   * @throws ClassNotFoundException if the second loader cannot find {@code from_loader2}
   * @throws InstantiationException if {@code from_loader2} cannot be instantiated
   * @throws IllegalAccessException if the no-arg constructor of {@code from_loader2} is not accessible
   */
  public static void main(String[] argv)
      throws ClassNotFoundException, InstantiationException, IllegalAccessException {
    System.out.println("Warmup");

    // 'many_loader' as resolved from this class, i.e. under the default loader.
    bug_21227 hook = new many_loader();

    // A second loader provides 'from_loader2' and, per the original author,
    // its own version of 'many_loader'.
    ClassLoader secondLoader = new Loader2();
    Class<?> foreignClass = secondLoader.loadClass("from_loader2");
    IFace iface = (IFace) foreignClass.newInstance();

    // The victim is a String of length 6, published through the static field.
    String victim = "victim";
    _p0wnee = victim;

    // The call that crosses loaders: the array comes back from code reached
    // through the foreign-loaded IFace instance.
    many_loader[] made = hook.make(iface);
    many_loader first = made[0];

    // Show that the runtime class of the array element and the class named
    // 'many_loader' in this source are reported with their own loaders.
    Class<?> runtimeClass = first.getClass();
    ClassLoader runtimeLoader = runtimeClass.getClassLoader();
    Class<?> staticClass = many_loader.class;
    ClassLoader staticLoader = staticClass.getClassLoader();
    System.out.println("bug.make() " + runtimeLoader + ":" + runtimeClass);
    System.out.println("many_loader " + staticLoader + ":" + staticClass);

    // Read the victim through the unrelated type's int fields.
    // NOTE(review): the declaration of '_p0wnee' on many_loader is not visible
    // here; presumably it is typed You_Have_Been_P0wned. Confirm.
    You_Have_Been_P0wned view = first._p0wnee;
    System.out.println("q._a = 0x" + Integer.toHexString(view._a));
    System.out.println("q._b = 0x" + Integer.toHexString(view._b));
    System.out.println("q._c = 0x" + Integer.toHexString(view._c));
    System.out.println("q._d = 0x" + Integer.toHexString(view._d));

    System.out.println("I will now crash the VM:");
    // Original author's note: on 32-bit HotSpot Java6 this sets the victim
    // String length shorter, then crashes the VM.
    // Disabled alternative write kept from the original: view._c = 3;
    view._a = -1;

    System.out.println(victim);
  }

  /**
   * Abstract factory that gives this class a hook into code supplied by a
   * foreign loader; the returned array's element type is the point of the test.
   *
   * <p>The original author notes that the function has to be compiled, hence
   * called in a loop. NOTE(review): no loop appears in this class; presumably
   * it lives in the implementation. Confirm.
   *
   * @param iface instance created from the class loaded by the second loader
   * @return array whose first element {@code main} inspects
   */
  public abstract many_loader[] make(IFace iface);
}