On Wed, 3 Feb 2021 19:42:16 GMT, Johannes Kuhn 
<github.com+652983+dasbr...@openjdk.org> wrote:

>> `MethodHandle -> Method.invoke -> MethodHandles.lookup() ` is a corner case 
>> that can be fixed easily using the class data approach.  See the new commit.
>
> The security issue I mentioned was in another branch, method-invoke.  
> 
> I used commit 
> https://github.com/mlchung/jdk/commit/4a3c914f1b46cf84b42f6b6bc19d421955faac3f
>  (i.e. before strengthening the injected invoker checks) to test [my 
> exploit](https://gist.github.com/DasBrain/4dda6cc3a13e1636afe17e6a02ec3d12). 
> (Yes, full sandbox escape.)
> 
> I hope the same is not possible with the nestmate requirement.  
> 
> PS.: Hidden Class -> MethodHandle -> Method.invoke -> MethodHandles might 
> break due to mangling of the hidden class name for the injected invoker. Will 
> write a test.

Well, my branch `method-invoke` is a prototype and work-in-progress.   I won't 
dig too much into it.

Can you reproduce the issue with this patch?   The fix will ensure it's the 
invoker class injected by BindCaller.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2367
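The call chain named in the thread, `MethodHandle -> Method.invoke -> MethodHandles.lookup()`, written out as a stand-alone reproducer. This is an added example, not code from the PR or from either participant; the class name `CallerSensitiveViaInvoke` is an arbitrary choice. It unreflects `Method.invoke` (itself caller-sensitive) into a method handle and uses that handle to reflectively call the caller-sensitive `MethodHandles.lookup()`, then prints which class the resulting `Lookup` treats as the caller. The printed class is exactly what the patch changes: on a correctly behaving JDK it should be the class that created the handle (here `CallerSensitiveViaInvoke`), never a JDK-internal or injected class, so the output is the thing to compare before and after the fix rather than a value this example asserts.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.Method;

// Added reproducer for the MethodHandle -> Method.invoke -> MethodHandles.lookup()
// chain discussed in the thread. Not part of the OpenJDK patch.
public class CallerSensitiveViaInvoke {

    // Returns the Lookup obtained by calling MethodHandles.lookup() through
    // Method.invoke, where Method.invoke is itself reached via a MethodHandle.
    static MethodHandles.Lookup lookupViaReflectiveHandle() throws Throwable {
        // The caller-sensitive target: MethodHandles.lookup()
        Method lookupMethod = MethodHandles.class.getMethod("lookup");

        // The caller-sensitive intermediary: Method.invoke(Object, Object...)
        Method invokeMethod = Method.class.getMethod("invoke", Object.class, Object[].class);

        // Unreflecting a caller-sensitive method binds this class as the caller
        // (internally via the injected invoker the thread refers to).
        MethodHandle invokeHandle = MethodHandles.lookup().unreflect(invokeMethod);

        // Handle type is (Method, Object, Object[])Object: receiver is the Method,
        // then the target's receiver (null for a static method) and its arguments.
        Object result = invokeHandle.invoke(lookupMethod, (Object) null, new Object[0]);
        return (MethodHandles.Lookup) result;
    }

    public static void main(String[] args) throws Throwable {
        MethodHandles.Lookup lookup = lookupViaReflectiveHandle();
        // Which class does the JDK believe called MethodHandles.lookup()?
        System.out.println("lookupClass = " + lookup.lookupClass().getName());
        System.out.println("expected    = " + CallerSensitiveViaInvoke.class.getName());
        System.out.println("lookupModes = " + lookup.lookupModes());
    }
}
```

Run it against the unpatched and patched builds and compare `lookupClass`; a full-privilege `Lookup` whose lookup class is anything other than the class that unreflected `Method.invoke` is the symptom the thread is worried about.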
