David Eisner wrote:
Wall, Kevin wrote:
same intuition about the verifier, but have just tested
this and it is not the case. It seems that the -noverify is the
default setting! If you want to verify classes loaded from the local
filesystem, then you need to explicitly add -verify to the cmd line.
Is this (still) true? The -verify and -noverify flag are no longer
documented [1], although they are still accepted.
Yes it is still true (see my last email on this thread)
I did a little experiment (with my default 1.5 VM). I compiled a
HelloWorld program, then changed a few byes in the class file with a hex
editor.
By doing this this (unless you were very lucky in your changes) you
will either create an invalid Java bytecode instruction, or will
corrupt the .class file
So the errors you are getting below don't look like verifier errors
(although I can't really explain why the --noverify throws a different
error).
Can you try to disassemble this corrupted class so see if we can get
more details about where the bytecode error is
Thanks
Dinis Cruz
Owasp .Net Project
www.owasp.net
-----8<----------
$ java -cp . HelloWorld
Exception in thread "main" java.lang.ClassFormatError: Interface name
has bad constant pool index 13056 in class file HelloWorld
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
$ java -cp . -verify HelloWorld
Exception in thread "main" java.lang.ClassFormatError: Interface name
has bad constant pool index 13056 in class file HelloWorld
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
$ java -cp . -noverify HelloWorld
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d7415fb, pid=3512,
tid=2260
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0_06-b05 mixed mode)
# Problematic frame:
# V [jvm.dll+0x615fb]
#
# An error report file with more information is saved as hs_err_pid3512.log
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
#
-----8<----------
-David
[1] http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/java.html
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
|
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
