@@ -23,6 +23,7 @@ PATCHES_URI = "\
file://2009-jdk-make-use-gcc-instead-of-ld-for-genSocketOptionRe.patch \
file://CVE-2022-34169.patch \
file://CVE-2022-21540.patch \
+ file://CVE-2022-21541.patch \
"
HOTSPOT_UB_PATCH = "\
file://1001-hotspot-fix-crash-on-JNI_CreateJavaVM.patch \
new file mode 100644
@@ -0,0 +1,126 @@
+From 632d2d2690ee68b5e2928e8c253ad4b099f31ed9 Mon Sep 17 00:00:00 2001
+From: Tobias Hartmann <thartmann@openjdk.org>
+Date: Wed, 23 Mar 2022 11:55:03 +0000
+Subject: [PATCH] 8281866: Enhance MethodHandle invocations
+
+Co-authored-by: Vladimir Ivanov <vlivanov@openjdk.org>
+Reviewed-by: chagedorn
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+CVE: CVE-2022-21541
+
+Upstream-Status: Backport [https://launchpadlibrarian.net/614309983/openjdk-8_8u342~b06-1_8u342-b07-1.diff.gz]
+---
+Index: openjdk/hotspot/src/share/vm/interpreter/linkResolver.cpp
+===================================================================
+--- a/hotspot/src/share/vm/interpreter/linkResolver.cpp
++++ b/hotspot/src/share/vm/interpreter/linkResolver.cpp
+@@ -1580,22 +1580,41 @@ void LinkResolver::resolve_invokehandle(
+ ResourceMark rm(THREAD);
+ tty->print_cr("resolve_invokehandle %s %s", method_name->as_C_string(), method_signature->as_C_string());
+ }
+- resolve_handle_call(result, resolved_klass, method_name, method_signature, current_klass, CHECK);
++ resolve_handle_call(result, resolved_klass, method_name, method_signature, current_klass, true, CHECK);
+ }
+
+ void LinkResolver::resolve_handle_call(CallInfo& result, KlassHandle resolved_klass,
+ Symbol* method_name, Symbol* method_signature,
+- KlassHandle current_klass,
++ KlassHandle current_klass, bool check_access,
+ TRAPS) {
+ // JSR 292: this must be an implicitly generated method MethodHandle.invokeExact(*...) or similar
+ assert(resolved_klass() == SystemDictionary::MethodHandle_klass(), "");
+ assert(MethodHandles::is_signature_polymorphic_name(method_name), "");
+ methodHandle resolved_method;
+- Handle resolved_appendix;
+- Handle resolved_method_type;
++ Handle resolved_appendix;
++ Handle resolved_method_type;
+ lookup_polymorphic_method(resolved_method, resolved_klass,
+ method_name, method_signature,
+ current_klass, &resolved_appendix, &resolved_method_type, CHECK);
++ if (check_access) {
++ vmIntrinsics::ID iid = MethodHandles::signature_polymorphic_name_id(method_name);
++ if (MethodHandles::is_signature_polymorphic_intrinsic(iid)) {
++ // Check if method can be accessed by the referring class.
++ // MH.linkTo* invocations are not rewritten to invokehandle.
++ assert(iid == vmIntrinsics::_invokeBasic, err_msg("%s", vmIntrinsics::name_at(iid)));
++
++ assert(current_klass.not_null(), "current_klass should not be null");
++ check_method_accessability(current_klass,
++ resolved_klass,
++ resolved_method->method_holder(),
++ resolved_method,
++ CHECK);
++ } else {
++ // Java code is free to arbitrarily link signature-polymorphic invokers.
++ assert(iid == vmIntrinsics::_invokeGeneric, err_msg("not an invoker: %s", vmIntrinsics::name_at(iid)));
++ assert(MethodHandles::is_signature_polymorphic_public_name(resolved_klass(), method_name), "not public");
++ }
++ }
+ result.set_handle(resolved_method, resolved_appendix, resolved_method_type, CHECK);
+ }
+
+Index: openjdk/hotspot/src/share/vm/interpreter/linkResolver.hpp
+===================================================================
+--- a/hotspot/src/share/vm/interpreter/linkResolver.hpp
++++ b/hotspot/src/share/vm/interpreter/linkResolver.hpp
+@@ -179,7 +179,7 @@ class LinkResolver: AllStatic {
+ static void resolve_special_call (CallInfo& result, Handle recv, KlassHandle resolved_klass, Symbol* method_name, Symbol* method_signature, KlassHandle current_klass, bool check_access, TRAPS);
+ static void resolve_virtual_call (CallInfo& result, Handle recv, KlassHandle recv_klass, KlassHandle resolved_klass, Symbol* method_name, Symbol* method_signature, KlassHandle current_klass, bool check_access, bool check_null_and_abstract, TRAPS);
+ static void resolve_interface_call(CallInfo& result, Handle recv, KlassHandle recv_klass, KlassHandle resolved_klass, Symbol* method_name, Symbol* method_signature, KlassHandle current_klass, bool check_access, bool check_null_and_abstract, TRAPS);
+- static void resolve_handle_call (CallInfo& result, KlassHandle resolved_klass, Symbol* method_name, Symbol* method_signature, KlassHandle current_klass, TRAPS);
++ static void resolve_handle_call (CallInfo& result, KlassHandle resolved_klass, Symbol* method_name, Symbol* method_signature, KlassHandle current_klass, bool check_access, TRAPS);
+ static void resolve_dynamic_call (CallInfo& result, Handle bootstrap_specifier, Symbol* method_name, Symbol* method_signature, KlassHandle current_klass, TRAPS);
+
+ // same as above for compile-time resolution; but returns null handle instead of throwing an exception on error
+Index: openjdk/hotspot/src/share/vm/prims/methodHandles.cpp
+===================================================================
+--- a/hotspot/src/share/vm/prims/methodHandles.cpp
++++ b/hotspot/src/share/vm/prims/methodHandles.cpp
+@@ -389,6 +389,24 @@ vmIntrinsics::ID MethodHandles::signatur
+ return vmIntrinsics::_none;
+ }
+
++// Returns true if method is signature polymorphic and public
++bool MethodHandles::is_signature_polymorphic_public_name(Klass* klass, Symbol* name) {
++ if (is_signature_polymorphic_name(klass, name)) {
++ InstanceKlass* iklass = InstanceKlass::cast(klass);
++ int me;
++ int ms = iklass->find_method_by_name(name, &me);
++ assert(ms != -1, "");
++ for (; ms < me; ms++) {
++ Method* m = iklass->methods()->at(ms);
++ int required = JVM_ACC_NATIVE | JVM_ACC_VARARGS | JVM_ACC_PUBLIC;
++ int flags = m->access_flags().as_int();
++ if ((flags & required) == required && ArgumentCount(m->signature()).size() == 1) {
++ return true;
++ }
++ }
++ }
++ return false;
++}
+
+ // convert the external string or reflective type to an internal signature
+ Symbol* MethodHandles::lookup_signature(oop type_str, bool intern_if_not_found, TRAPS) {
+@@ -672,7 +690,7 @@ Handle MethodHandles::resolve_MemberName
+ } else if (mh_invoke_id != vmIntrinsics::_none) {
+ assert(!is_signature_polymorphic_static(mh_invoke_id), "");
+ LinkResolver::resolve_handle_call(result,
+- defc, name, type, caller, THREAD);
++ defc, name, type, caller, caller.not_null(), THREAD);
+ } else if (ref_kind == JVM_REF_invokeSpecial) {
+ LinkResolver::resolve_special_call(result,
+ Handle(), defc, name, type, caller, caller.not_null(), THREAD);
+Index: openjdk/hotspot/src/share/vm/prims/methodHandles.hpp
+===================================================================
+--- a/hotspot/src/share/vm/prims/methodHandles.hpp
++++ b/hotspot/src/share/vm/prims/methodHandles.hpp
+@@ -124,6 +124,7 @@ class MethodHandles: AllStatic {
+ static bool is_signature_polymorphic_name(Klass* klass, Symbol* name) {
+ return signature_polymorphic_name_id(klass, name) != vmIntrinsics::_none;
+ }
++ static bool is_signature_polymorphic_public_name(Klass* klass, Symbol* name);
+
+ enum {
+ // format of query to getConstant: