JDK-8262922 : Randomise mapped CDS address and relocate pointers by default
  • Type: Enhancement
  • Component: hotspot
  • Sub-Component: runtime
  • Affected Version: 16
  • Priority: P4
  • Status: Open
  • Resolution: Unresolved
  • OS: linux
  • CPU: x86_64
  • Submitted: 2021-03-02
  • Updated: 2021-03-09
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
tbdUnresolved
Related Reports
Relates :  
JDK-8263002 - Remove CDS MiscCode region
Relates :  
JDK-8231610 - Relocate the CDS archive if it cannot be mapped to the requested address
Description
ADDITIONAL SYSTEM INFORMATION :
Ubuntu Focal with jdk-16+14

A DESCRIPTION OF THE PROBLEM :
The CDS archive is mapped as RWX to a static location (usually 0x800000000) and contains frequently-executed trampolines for CDS methods.  This allows shellcode to be run with only an arbitrary-write vulnerability, whereas if the address was randomised a memory leak would also be required.  Here's a poc using sun.misc.Unsafe to spray a 0xCC (INT3) instruction to the beginning of the CDS region, which is then executed and triggers a SIGTRAP signal:
```
import sun.misc.Unsafe;
import java.lang.reflect.Field;
class demo {
  private static Unsafe getUnsafe() throws IllegalAccessException, NoSuchFieldException {
      Field f = Unsafe.class.getDeclaredField("theUnsafe");
      f.setAccessible(true);
      return (Unsafe) f.get(null);
  }

  public static void main(String argv[]) throws Exception {
    byte opcode = (byte)(0xcc & 0xff);
    for(int i = 0; i < 500; i++) {
       getUnsafe().putByte(0x800000000l + i, opcode);
    }
  }
}
```.
Benchmarks from JDK-8231610 show around an eight-millisecond performance degradation when using a system-chosen (randomised) address and relocating pointers within the CDS archive.  
=====
This could be fixed by making the default behaviour not to use FileMapHeader::_requested_base_address, and behave in the same way as if the SharedBaseAddress (when the archive was dumped) was 0.
Comments
An alternative is JDK-8263002 (Remove CDS MiscCode region). So we won't have a read/write/exec region at a fixed location anymore.
04-03-2021
When creating the CDS archive, you can make it be always mapped at randomized addresses by $ java -Xshare:dump -XX:SharedBaseAddress=0 $ java -Xshare:auto -Xlog:cds:stdout:none -version 2>&1 | grep MiscCode Mapped static region #0 at base 0x00007fb5bb400000 top 0x00007fb5bb403000 (MiscCode) $ java -Xshare:auto -Xlog:cds:stdout:none -version 2>&1 | grep MiscCode Mapped static region #0 at base 0x00007fa983400000 top 0x00007fa983403000 (MiscCode) $ java -Xshare:auto -Xlog:cds:stdout:none -version 2>&1 | grep MiscCode Mapped static region #0 at base 0x00007f311f400000 top 0x00007f311f403000 (MiscCode) $ java -Xshare:auto -Xlog:cds:stdout:none -version 2>&1 | grep MiscCode Mapped static region #0 at base 0x00007fd89b400000 top 0x00007fd89b403000 (MiscCode) $ java -Xshare:auto -Xlog:cds:stdout:none -version 2>&1 | grep MiscCode Mapped static region #0 at base 0x00007f3c5f400000 top 0x00007f3c5f403000 (MiscCode)
03-03-2021
This is an enhancement request. Moving it to dev team for further analysis.
03-03-2021