On Wed, 3 Feb 2021 18:34:55 GMT, Mandy Chung <mch...@openjdk.org> wrote:

>> You are right, got it confused with the future use.
>> 
>> With this fix, MethodHandle -> Method.invoke -> MethodHandles.lookup() will 
>> still return a lookup on the injected invoker.  
>> I somehow missed that this is not part of the fix, but for the future use.
>
> `MethodHandle -> Method.invoke -> MethodHandles.lookup() ` is a corner case 
> that can be fixed easily using the class data approach.  See the new commit.

The security issue I mentioned was in another branch, method-invoke.  

I used commit 
https://github.com/mlchung/jdk/commit/4a3c914f1b46cf84b42f6b6bc19d421955faac3f 
(i.e. before strengthening the injected invoker checks) to test [my 
exploit](https://gist.github.com/DasBrain/4dda6cc3a13e1636afe17e6a02ec3d12). 
(Yes, full sandbox escape.)

I hope the same is not possible with the nestmate requirement.  

PS.: Hidden Class -> MethodHandle -> Method.invoke -> MethodHandles might break 
due to mangling of the hidden class name for the injected invoker. Will write a 
test.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2367
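The chain under discussion, `MethodHandle -> Method.invoke -> MethodHandles.lookup()`, can be reproduced with the public API alone. The program below is an added example written for this page; it is not the author's exploit, not code from the PR, and not a JDK test. It builds a method handle on `Method.invoke`, uses it to call the caller-sensitive `MethodHandles.lookup()` reflectively, and reports which class (and which access modes) the resulting `Lookup` carries, next to a plain reflective call for comparison. The class name `CallerSensitiveCheck` is an arbitrary choice for the example. What it prints depends on the JDK build it runs on; that difference is exactly the point of the thread, so the reader should check the reported lookup class rather than expect a fixed value.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

// Added example (not from the PR or the thread): inspect which class a
// caller-sensitive MethodHandles.lookup() attributes to the caller when it
// is reached through MethodHandle -> Method.invoke -> MethodHandles.lookup().
public class CallerSensitiveCheck {

    // Baseline: plain core reflection. Method.invoke is caller-aware, so the
    // Lookup should name CallerSensitiveCheck as its lookup class.
    static MethodHandles.Lookup viaReflection() throws Exception {
        Method lookup = MethodHandles.class.getMethod("lookup");
        return (MethodHandles.Lookup) lookup.invoke(null);
    }

    // The chain from the thread: a method handle on Method.invoke, used to
    // call MethodHandles.lookup() reflectively. Whether the Lookup names this
    // class or an injected invoker class depends on the JDK build.
    static MethodHandles.Lookup viaMethodHandleOnInvoke() throws Throwable {
        Method lookup = MethodHandles.class.getMethod("lookup");
        MethodHandle invoke = MethodHandles.lookup().findVirtual(
                Method.class, "invoke",
                MethodType.methodType(Object.class, Object.class, Object[].class));
        Object result = invoke.invoke(lookup, null, new Object[0]);
        return (MethodHandles.Lookup) result;
    }

    static void report(String label, MethodHandles.Lookup lk) {
        // lookupClass() is the security-relevant value: a full-privilege
        // Lookup on a class other than the real caller is what the thread
        // describes as a sandbox escape vector on the pre-fix branch.
        System.out.printf("%-28s lookupClass=%s modes=0x%x%n",
                label, lk.lookupClass().getName(), lk.lookupModes());
    }

    public static void main(String[] args) throws Throwable {
        report("reflection only:", viaReflection());
        report("MethodHandle on invoke:", viaMethodHandleOnInvoke());
    }
}
```

Compile and run with `javac CallerSensitiveCheck.java && java CallerSensitiveCheck`. The two `lookupClass` values should agree on a build where the chain is handled correctly; a hidden or injected class in the second line is the behaviour the thread is concerned with, and a hidden-class caller (the PS. case above) can be checked the same way by running the chain from inside a class defined with `Lookup.defineHiddenClass`.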
