JDK-8020801 : Apply the restriction of invoking MethodHandles.lookup to j.l.r.Method.invoke
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.lang.invoke
  • Affected Version: 9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-07-18
  • Updated: 2017-07-19
  • Resolved: 2017-05-09
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 10 JDK 9
10Fixed 9 b169Fixed
Related Reports
Relates :  
JDK-8179950 - Custom system class loader using Enum.valueOf in its initialization triggers java.lang.InternalError
Relates :  
JDK-8154447 - Exempt classes under java.util.concurrent from MH.Lookup restrictions
Description
The fix for JDK-8017196 has implemented a point fix to disallow MethodHandles.lookup be called by most of the bootstrap code.  It is a "Big Hammer" approach to closing that door, because it closes a bunch of harmless doors also. Given the fact that the JDK code does not use MHs.lookup() at present, it is an acceptable point fix.

The goal is to prevent invocation by uncontrolled jlr.Method.invoke of MethodHandles.lookup.  

The point fix is fragile.  It forces people who want to use it later (like the code in sun.invoke.util does) to add a string manually to the white list logic, adding a new set of (minor) risks.

There is no harm in having random JDK code (outside of the MH implementation itself) call MHs.lookup.  Or rather, the harm would consist of the JDK code doing something really dumb, which is returning the Lookup object (with all its capabilities) to an untrusted caller.  That would be bad but it is unlikely to occur.

We should make the restriction apply to jlr.Method.invoke only.  John has an initial prototype (attached).
Comments
This is approved for JDK 9 as privateLookupIn is otherwise broken for target classes in the core modules. It also impacts instrumentation where code is instrumented to create Lookup objects in privileged contexts.
03-05-2017
JDK 9 Fix Request: The current restriction breaks Lookup::privateLookupIn() when the lookup class is java.* and sun.* (with some exception) [1] We should fix this in JDK 9. [1] http://mail.openjdk.java.net/pipermail/jigsaw-dev/2017-April/012267.html
02-05-2017