From a1771cb8a0cbba65ffd07bee96a2cb41a9f112fd Mon Sep 17 00:00:00 2001
From: William S Fulton
Date: Sat, 1 Aug 2015 08:01:06 +0100
Subject: [PATCH] Fix potential security exploit in generated Java classes
---
 CHANGES.current | 15 +++++++++++++
 Doc/Manual/Java.html | 22 +++++++++----------
 Examples/test-suite/java_typemaps_proxy.i | 8 +++----
 .../test-suite/java_typemaps_typewrapper.i | 2 +-
 Lib/java/boost_intrusive_ptr.i | 8 +++----
 Lib/java/boost_shared_ptr.i | 6 ++---
 Lib/java/java.swg | 8 +++----
 7 files changed, 42 insertions(+), 27 deletions(-)
diff --git a/CHANGES.current b/CHANGES.current
index 61b461b6b..33ad11630 100644
--- a/CHANGES.current
+++ b/CHANGES.current
@@ -5,6 +5,21 @@ See the RELEASENOTES file for a summary of changes in each release.
 Version 3.0.7 (in progress)
 ===========================
 
+2015-08-02: wsfulton
+ [Java] Fix potential security exploit in generated Java classes.
+ The swigCPtr and swigCMemOwn member variables in the generated Java
+ classes are now declared 'transient' by default. Further details of the exploit
+ in Android is being published in an academic paper as part of USENIX WOOT '15:
+ https://www.usenix.org/conference/woot15/workshop-program/presentation/peles.
+
+ In the unlikely event that you are relying on these members being serializable,
+ then you will need to override the default javabody and javabody_derived typemaps
+ to generate the old generated code. The relevant typemaps are in the Lib directory
+ in the java.swg, boost_shared_ptr.i and boost_intrusive_ptr.i files. Copy the
+ relevant default typemaps into your interface file and remove the 'transient' keyword.
+
+ *** POTENTIAL INCOMPATIBILITY ***
+
 2015-07-30: wsfulton
 Fix #440 - Initialise all newly created arrays when using %array_functions and %array_class in the carrays.i library - bug is only relevant when using C++.
diff --git a/Doc/Manual/Java.html b/Doc/Manual/Java.html
index 3a4f7ee5d..9d5c447f7 100644
--- a/Doc/Manual/Java.html
+++ b/Doc/Manual/Java.html
@@ -2390,8 +2390,8 @@ The default proxy class for our previous example looks like this:
 public class Foo {
-  private long swigCPtr;
-  protected boolean swigCMemOwn;
+  private transient long swigCPtr;
+  protected transient boolean swigCMemOwn;
 
   protected Foo(long cPtr, boolean cMemoryOwn) {
     swigCMemOwn = cMemoryOwn;
@@ -2641,8 +2641,8 @@ The base class is generated much like any other proxy class seen so far:
 
 
 public class Base {
-  private long swigCPtr;
-  protected boolean swigCMemOwn;
+  private transient long swigCPtr;
+  protected transient boolean swigCMemOwn;
 
   protected Base(long cPtr, boolean cMemoryOwn) {
     swigCMemOwn = cMemoryOwn;
@@ -2682,7 +2682,7 @@ The Derived class extends Base mirroring the C++ class inherit
 
 
 public class Derived extends Base {
-  private long swigCPtr;
+  private transient long swigCPtr;
 
   protected Derived(long cPtr, boolean cMemoryOwn) {
     super(exampleJNI.SWIGDerivedUpcast(cPtr), cMemoryOwn);
@@ -2960,8 +2960,8 @@ and the Java proxy class generated by SWIG:
 
 
 public class Test {
-  private long swigCPtr;
-  protected boolean swigCMemOwn;
+  private transient long swigCPtr;
+  protected transient boolean swigCMemOwn;
 
   protected Test(long cPtr, boolean cMemoryOwn) {
     swigCMemOwn = cMemoryOwn;
@@ -3034,7 +3034,7 @@ The generated type wrapper class, for say an int *, looks like this:
 
 
 public class SWIGTYPE_p_int {
-  private long swigCPtr;
+  private transient long swigCPtr;
 
   protected SWIGTYPE_p_int(long cPtr, boolean bFutureUse) {
     swigCPtr = cPtr;
@@ -5900,8 +5900,8 @@ If you are invoking SWIG more than once and generating the wrapped classes into
 
 %typemap(javabody) SWIGTYPE %{
-  private long swigCPtr;
-  protected boolean swigCMemOwn;
+  private transient long swigCPtr;
+  protected transient boolean swigCMemOwn;
 
   protected $javaclassname(long cPtr, boolean cMemoryOwn) {
     swigCMemOwn = cMemoryOwn;
@@ -5929,7 +5929,7 @@ For the typemap to be used in all type wrapper classes, all the different types
 
 %typemap(javabody) SWIGTYPE *, SWIGTYPE &, SWIGTYPE [], SWIGTYPE (CLASS::*) %{
-  private long swigCPtr;
+  private transient long swigCPtr;
 
   protected $javaclassname(long cPtr, boolean bFutureUse) {
     swigCPtr = cPtr;
diff --git a/Examples/test-suite/java_typemaps_proxy.i b/Examples/test-suite/java_typemaps_proxy.i
index e315a36b5..3e9b18335 100644
--- a/Examples/test-suite/java_typemaps_proxy.i
+++ b/Examples/test-suite/java_typemaps_proxy.i
@@ -31,8 +31,8 @@ import java.lang.*; // for Exception
 
 // Create a new getCPtr() function which takes Java null and is public
 %typemap(javabody) NS::Greeting %{
-  private long swigCPtr;
-  protected boolean swigCMemOwn;
+  private transient long swigCPtr;
+  protected transient boolean swigCMemOwn;
 
   protected $javaclassname(long cPtr, boolean cMemoryOwn) {
     swigCMemOwn = cMemoryOwn;
@@ -46,8 +46,8 @@ import java.lang.*; // for Exception
 
 // Make the pointer constructor public
 %typemap(javabody) NS::Farewell %{
-  private long swigCPtr;
-  protected boolean swigCMemOwn;
+  private transient long swigCPtr;
+  protected transient boolean swigCMemOwn;
 
   public $javaclassname(long cPtr, boolean cMemoryOwn) {
     swigCMemOwn = cMemoryOwn;
diff --git a/Examples/test-suite/java_typemaps_typewrapper.i b/Examples/test-suite/java_typemaps_typewrapper.i
index a99ca7b65..b7bf847ef 100644
--- a/Examples/test-suite/java_typemaps_typewrapper.i
+++ b/Examples/test-suite/java_typemaps_typewrapper.i
@@ -39,7 +39,7 @@ import java.lang.*; // for Exception
 // Create a new getCPtr() function which takes Java null and is public
 // Make the pointer constructor public
 %typemap(javabody) Farewell * %{
-  private long swigCPtr;
+  private transient long swigCPtr;
 
   public $javaclassname(long cPtr, boolean bFutureUse) {
     swigCPtr = cPtr;
diff --git a/Lib/java/boost_intrusive_ptr.i b/Lib/java/boost_intrusive_ptr.i
index f9525894f..1d8fa7445 100644
--- a/Lib/java/boost_intrusive_ptr.i
+++ b/Lib/java/boost_intrusive_ptr.i
@@ -263,7 +263,7 @@
 
 // Base proxy classes
 %typemap(javabody) TYPE %{
-  private long swigCPtr;
+  private transient long swigCPtr;
   private boolean swigCMemOwnBase;
 
   PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
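Review bot: `swigCMemOwnBase` on the context line directly below the changed declaration stays serializable while `swigCPtr` becomes transient, so this typemap does not match what the CHANGES entry promises ("swigCPtr and swigCMemOwn ... are now declared 'transient'") nor what java.swg and the boost_shared_ptr.i base typemap now generate. With the pointer forced to 0 on deserialization a stale ownership flag is probably harmless, but the delete path that would consume it is outside this hunk, and a flag an attacker can set to true is exactly the kind of state this commit is trying to take out of the serialized form. For consistency and least surprise change it to `private transient boolean swigCMemOwnBase;`, and likewise `swigCMemOwnDerived` in the javabody_derived typemaps of this file (second and fourth hunks).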
@@ -278,7 +278,7 @@
 
 // Derived proxy classes
 %typemap(javabody_derived) TYPE %{
-  private long swigCPtr;
+  private transient long swigCPtr;
   private boolean swigCMemOwnDerived;
 
   PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
@@ -413,7 +413,7 @@
 
 // Base proxy classes
 %typemap(javabody) TYPE %{
-  private long swigCPtr;
+  private transient long swigCPtr;
   private boolean swigCMemOwnBase;
 
   PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
@@ -428,7 +428,7 @@
 
 // Derived proxy classes
 %typemap(javabody_derived) TYPE %{
-  private long swigCPtr;
+  private transient long swigCPtr;
   private boolean swigCMemOwnDerived;
 
   PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
diff --git a/Lib/java/boost_shared_ptr.i b/Lib/java/boost_shared_ptr.i
index e75236993..136570da5 100644
--- a/Lib/java/boost_shared_ptr.i
+++ b/Lib/java/boost_shared_ptr.i
@@ -145,8 +145,8 @@
 
 // Base proxy classes
 %typemap(javabody) TYPE %{
-  private long swigCPtr;
-  private boolean swigCMemOwn;
+  private transient long swigCPtr;
+  private transient boolean swigCMemOwn;
 
   PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
     swigCMemOwn = cMemoryOwn;
@@ -160,7 +160,7 @@
 
 // Derived proxy classes
 %typemap(javabody_derived) TYPE %{
-  private long swigCPtr;
+  private transient long swigCPtr;
   private boolean swigCMemOwnDerived;
 
   PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
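Review bot: `swigCMemOwnDerived` is left non-transient here while the base typemap one hunk up in the same file now marks `swigCMemOwn` transient, so a derived shared_ptr proxy still serializes its ownership flag and the file is inconsistent with itself. Nothing visible in this hunk reads the flag without `swigCPtr`, so this is a consistency gap rather than a demonstrated exploit, but the fix is the same one-token change: `private transient boolean swigCMemOwnDerived;`. The constructor body and the delete method that uses the flag continue outside the hunk.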
diff --git a/Lib/java/java.swg b/Lib/java/java.swg
index 22a4884ef..2e106796c 100644
--- a/Lib/java/java.swg
+++ b/Lib/java/java.swg
@@ -1148,8 +1148,8 @@ SWIGINTERN const char * SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
 %define SWIG_JAVABODY_PROXY(PTRCTOR_VISIBILITY, CPTR_VISIBILITY, TYPE...)
 // Base proxy classes
 %typemap(javabody) TYPE %{
-  private long swigCPtr;
-  protected boolean swigCMemOwn;
+  private transient long swigCPtr;
+  protected transient boolean swigCMemOwn;
 
   PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
     swigCMemOwn = cMemoryOwn;
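Review bot: The `transient` on the two changed declarations carries no explanation, and the CHANGES entry explicitly tells users to copy this typemap into their own interface files, which is exactly how the keyword will get dropped again by someone who does not know why it is there. A short SWIG comment above `%typemap(javabody) TYPE %{` would pin the intent, e.g. `// swigCPtr/swigCMemOwn are transient: a native pointer and its ownership flag must never be restored from a serialized stream (attacker-controlled free/use); a deserialized proxy holds swigCPtr == 0 and must be re-created, not used.` It is also worth stating in that comment, hedged, that the keyword only has an effect when the proxy or a user subclass is made Serializable, so the change is a safe default rather than a guarantee against every serialization path. The delete() code that handles swigCPtr == 0 is outside this hunk.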
@@ -1163,7 +1163,7 @@ SWIGINTERN const char * SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
 
 // Derived proxy classes
 %typemap(javabody_derived) TYPE %{
-  private long swigCPtr;
+  private transient long swigCPtr;
 
   PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
     super($imclassname.$javaclazznameSWIGUpcast(cPtr), cMemoryOwn);
@@ -1179,7 +1179,7 @@ SWIGINTERN const char * SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
 %define SWIG_JAVABODY_TYPEWRAPPER(PTRCTOR_VISIBILITY, DEFAULTCTOR_VISIBILITY, CPTR_VISIBILITY, TYPE...)
 // Typewrapper classes
 %typemap(javabody) TYPE *, TYPE &, TYPE &&, TYPE [] %{
-  private long swigCPtr;
+  private transient long swigCPtr;
 
   PTRCTOR_VISIBILITY $javaclassname(long cPtr, @SuppressWarnings("unused") boolean futureUse) {
     swigCPtr = cPtr;