Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JavaScript引擎rhino与Javassist结合存在严重漏洞 #27

Closed
oldmanpushcart opened this issue Nov 30, 2014 · 1 comment
Closed

JavaScript引擎rhino与Javassist结合存在严重漏洞 #27

oldmanpushcart opened this issue Nov 30, 2014 · 1 comment
Assignees
@oldmanpushcart
Labels
bug

Comments

@oldmanpushcart
Copy link
Owner

使用Javassist进行编织的代码中,如果混入JavaScript引擎rhino所组织的代码,会引起JVM崩溃。触发的时机在YaungGC发生的时候,如果对象被GC掉,但仍然有命令在通过rhino所组织的代码访问该对象时,会引起JVM崩溃。

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGBUS (0xa) at pc=0x0000000796a2a9f8, pid=11844, tid=4867
#
# JRE version: Java(TM) SE Runtime Environment (8.0_25-b17) (build 1.8.0_25-b17)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.25-b02 mixed mode bsd-amd64 compressed oops)
# Problematic frame:
# C  0x0000000796a2a9f8
#
# Core dump written. Default location: /cores/core or core.11844
#
# An error report file with more information is saved as:
# /Users/vlinux/temp/hs_err_pid11844.log
Compiled method (c1)   41756 3032       3       java.lang.invoke.LambdaForm$MH/556442004::getObjectField (23 bytes)
 total in heap  [0x000000010878d010,0x000000010878d7e8] = 2008
 relocation     [0x000000010878d138,0x000000010878d188] = 80
 main code      [0x000000010878d1a0,0x000000010878d5e0] = 1088
 stub code      [0x000000010878d5e0,0x000000010878d670] = 144
 oops           [0x000000010878d670,0x000000010878d678] = 8
 metadata       [0x000000010878d678,0x000000010878d6a8] = 48
 scopes data    [0x000000010878d6a8,0x000000010878d740] = 152
 scopes pcs     [0x000000010878d740,0x000000010878d7c0] = 128
 dependencies   [0x000000010878d7c0,0x000000010878d7d0] = 16
 nul chk table  [0x000000010878d7d0,0x000000010878d7e8] = 24
^C^C^CAbort trap: 6 (core dumped)

与此同时,jstat看到的GC情况

  S0     S1     E      O      M     CCS    YGC     YGCT    FGC    FGCT     GCT    LGCC                 GCC                 
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC               
 99.68   0.00  97.73   1.93  94.35  88.62      2    0.012     1    0.009    0.020 Allocation Failure   No GC

可以看到在触发YGC的时候,引起了错误
@oldmanpushcart oldmanpushcart self-assigned this Nov 30, 2014
@oldmanpushcart
Copy link
Owner Author

在1.5.4.0中修复,用ognl替换javascript

This was referenced Dec 1, 2014
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@oldmanpushcart oldmanpushcart

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@oldmanpushcart