authorWilliam S Fulton <wsf@fultondesigns.co.uk>2015-08-01 08:01:06 +0100
committerWilliam S Fulton <wsf@fultondesigns.co.uk>2015-08-02 11:22:46 +0100
commita1771cb8a0cbba65ffd07bee96a2cb41a9f112fd (patch)
tree4a21b09bf99b4747f49c7c59a56ebe3142861dff
parent130834aac260a7b987f1acf5aaf4f9b2209b39cd (diff)
downloadswig-a1771cb8a0cbba65ffd07bee96a2cb41a9f112fd.tar.gz
Fix potential security exploit in generated Java classes
-rw-r--r--CHANGES.current15
-rw-r--r--Doc/Manual/Java.html22
-rw-r--r--Examples/test-suite/java_typemaps_proxy.i8
-rw-r--r--Examples/test-suite/java_typemaps_typewrapper.i2
-rw-r--r--Lib/java/boost_intrusive_ptr.i8
-rw-r--r--Lib/java/boost_shared_ptr.i6
-rw-r--r--Lib/java/java.swg8
7 files changed, 42 insertions, 27 deletions
diff --git a/CHANGES.current b/CHANGES.current
index 61b461b6b..33ad11630 100644
--- a/CHANGES.current
+++ b/CHANGES.current
@@ -5,6 +5,21 @@ See the RELEASENOTES file for a summary of changes in each release.
Version 3.0.7 (in progress)
===========================
+2015-08-02: wsfulton
+ [Java] Fix potential security exploit in generated Java classes.
+ The swigCPtr and swigCMemOwn member variables in the generated Java
+ classes are now declared 'transient' by default. Further details of the exploit
+ in Android is being published in an academic paper as part of USENIX WOOT '15:
+ https://www.usenix.org/conference/woot15/workshop-program/presentation/peles.
+
+ In the unlikely event that you are relying on these members being serializable,
+ then you will need to override the default javabody and javabody_derived typemaps
+ to generate the old generated code. The relevant typemaps are in the Lib directory
+ in the java.swg, boost_shared_ptr.i and boost_intrusive_ptr.i files. Copy the
+ relevant default typemaps into your interface file and remove the 'transient' keyword.
+
+ *** POTENTIAL INCOMPATIBILITY ***
+
2015-07-30: wsfulton
Fix #440 - Initialise all newly created arrays when using %array_functions and %array_class
in the carrays.i library - bug is only relevant when using C++.
diff --git a/Doc/Manual/Java.html b/Doc/Manual/Java.html
index 3a4f7ee5d..9d5c447f7 100644
--- a/Doc/Manual/Java.html
+++ b/Doc/Manual/Java.html
@@ -2390,8 +2390,8 @@ The default proxy class for our previous example looks like this:
<div class="code">
<pre>
public class Foo {
- private long swigCPtr;
- protected boolean swigCMemOwn;
+ private transient long swigCPtr;
+ protected transient boolean swigCMemOwn;
protected Foo(long cPtr, boolean cMemoryOwn) {
swigCMemOwn = cMemoryOwn;
@@ -2641,8 +2641,8 @@ The base class is generated much like any other proxy class seen so far:
<div class="code"><pre>
public class Base {
- private long swigCPtr;
- protected boolean swigCMemOwn;
+ private transient long swigCPtr;
+ protected transient boolean swigCMemOwn;
protected Base(long cPtr, boolean cMemoryOwn) {
swigCMemOwn = cMemoryOwn;
@@ -2682,7 +2682,7 @@ The <tt>Derived</tt> class extends <tt>Base</tt> mirroring the C++ class inherit
<div class="code"><pre>
public class Derived extends Base {
- private long swigCPtr;
+ private transient long swigCPtr;
protected Derived(long cPtr, boolean cMemoryOwn) {
super(exampleJNI.SWIGDerivedUpcast(cPtr), cMemoryOwn);
@@ -2960,8 +2960,8 @@ and the Java proxy class generated by SWIG:
<div class="code"><pre>
public class Test {
- private long swigCPtr;
- protected boolean swigCMemOwn;
+ private transient long swigCPtr;
+ protected transient boolean swigCMemOwn;
protected Test(long cPtr, boolean cMemoryOwn) {
swigCMemOwn = cMemoryOwn;
@@ -3034,7 +3034,7 @@ The generated type wrapper class, for say an <tt>int *</tt>, looks like this:
<div class="code"><pre>
public class SWIGTYPE_p_int {
- private long swigCPtr;
+ private transient long swigCPtr;
protected SWIGTYPE_p_int(long cPtr, boolean bFutureUse) {
swigCPtr = cPtr;
@@ -5900,8 +5900,8 @@ If you are invoking SWIG more than once and generating the wrapped classes into
<div class="code">
<pre>
%typemap(javabody) SWIGTYPE %{
- private long swigCPtr;
- protected boolean swigCMemOwn;
+ private transient long swigCPtr;
+ protected transient boolean swigCMemOwn;
protected $javaclassname(long cPtr, boolean cMemoryOwn) {
swigCMemOwn = cMemoryOwn;
@@ -5929,7 +5929,7 @@ For the typemap to be used in all type wrapper classes, all the different types
<div class="code">
<pre>
%typemap(javabody) SWIGTYPE *, SWIGTYPE &amp;, SWIGTYPE [], SWIGTYPE (CLASS::*) %{
- private long swigCPtr;
+ private transient long swigCPtr;
protected $javaclassname(long cPtr, boolean bFutureUse) {
swigCPtr = cPtr;
diff --git a/Examples/test-suite/java_typemaps_proxy.i b/Examples/test-suite/java_typemaps_proxy.i
index e315a36b5..3e9b18335 100644
--- a/Examples/test-suite/java_typemaps_proxy.i
+++ b/Examples/test-suite/java_typemaps_proxy.i
@@ -31,8 +31,8 @@ import java.lang.*; // for Exception
// Create a new getCPtr() function which takes Java null and is public
%typemap(javabody) NS::Greeting %{
- private long swigCPtr;
- protected boolean swigCMemOwn;
+ private transient long swigCPtr;
+ protected transient boolean swigCMemOwn;
protected $javaclassname(long cPtr, boolean cMemoryOwn) {
swigCMemOwn = cMemoryOwn;
@@ -46,8 +46,8 @@ import java.lang.*; // for Exception
// Make the pointer constructor public
%typemap(javabody) NS::Farewell %{
- private long swigCPtr;
- protected boolean swigCMemOwn;
+ private transient long swigCPtr;
+ protected transient boolean swigCMemOwn;
public $javaclassname(long cPtr, boolean cMemoryOwn) {
swigCMemOwn = cMemoryOwn;
diff --git a/Examples/test-suite/java_typemaps_typewrapper.i b/Examples/test-suite/java_typemaps_typewrapper.i
index a99ca7b65..b7bf847ef 100644
--- a/Examples/test-suite/java_typemaps_typewrapper.i
+++ b/Examples/test-suite/java_typemaps_typewrapper.i
@@ -39,7 +39,7 @@ import java.lang.*; // for Exception
// Create a new getCPtr() function which takes Java null and is public
// Make the pointer constructor public
%typemap(javabody) Farewell * %{
- private long swigCPtr;
+ private transient long swigCPtr;
public $javaclassname(long cPtr, boolean bFutureUse) {
swigCPtr = cPtr;
diff --git a/Lib/java/boost_intrusive_ptr.i b/Lib/java/boost_intrusive_ptr.i
index f9525894f..1d8fa7445 100644
--- a/Lib/java/boost_intrusive_ptr.i
+++ b/Lib/java/boost_intrusive_ptr.i
@@ -263,7 +263,7 @@
// Base proxy classes
%typemap(javabody) TYPE %{
- private long swigCPtr;
+ private transient long swigCPtr;
private boolean swigCMemOwnBase;
PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
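Review bot: The ownership flag `swigCMemOwnBase` on the context line directly after the changed line stays serializable, so for a proxy class that implements Serializable the incoming stream still decides its value even though `swigCPtr` is now transient. The same holds for `swigCMemOwnDerived` in the javabody_derived hunk that follows, for both hunks of the second macro in this file, and for `swigCMemOwnDerived` in the javabody_derived hunk of boost_shared_ptr.i, whereas the base typemaps in boost_shared_ptr.i and java.swg do mark their flag transient. I would declare these flags the same way: `private transient boolean swigCMemOwnBase;` and `private transient boolean swigCMemOwnDerived;`. The typemap body that reads the flag lies outside the hunk, so how a restored flag combined with a zeroed pointer is handled has to be checked there.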
@@ -278,7 +278,7 @@
// Derived proxy classes
%typemap(javabody_derived) TYPE %{
- private long swigCPtr;
+ private transient long swigCPtr;
private boolean swigCMemOwnDerived;
PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
@@ -413,7 +413,7 @@
// Base proxy classes
%typemap(javabody) TYPE %{
- private long swigCPtr;
+ private transient long swigCPtr;
private boolean swigCMemOwnBase;
PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
@@ -428,7 +428,7 @@
// Derived proxy classes
%typemap(javabody_derived) TYPE %{
- private long swigCPtr;
+ private transient long swigCPtr;
private boolean swigCMemOwnDerived;
PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
diff --git a/Lib/java/boost_shared_ptr.i b/Lib/java/boost_shared_ptr.i
index e75236993..136570da5 100644
--- a/Lib/java/boost_shared_ptr.i
+++ b/Lib/java/boost_shared_ptr.i
@@ -145,8 +145,8 @@
// Base proxy classes
%typemap(javabody) TYPE %{
- private long swigCPtr;
- private boolean swigCMemOwn;
+ private transient long swigCPtr;
+ private transient boolean swigCMemOwn;
PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
swigCMemOwn = cMemoryOwn;
@@ -160,7 +160,7 @@
// Derived proxy classes
%typemap(javabody_derived) TYPE %{
- private long swigCPtr;
+ private transient long swigCPtr;
private boolean swigCMemOwnDerived;
PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
diff --git a/Lib/java/java.swg b/Lib/java/java.swg
index 22a4884ef..2e106796c 100644
--- a/Lib/java/java.swg
+++ b/Lib/java/java.swg
@@ -1148,8 +1148,8 @@ SWIGINTERN const char * SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
%define SWIG_JAVABODY_PROXY(PTRCTOR_VISIBILITY, CPTR_VISIBILITY, TYPE...)
// Base proxy classes
%typemap(javabody) TYPE %{
- private long swigCPtr;
- protected boolean swigCMemOwn;
+ private transient long swigCPtr;
+ protected transient boolean swigCMemOwn;
PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
swigCMemOwn = cMemoryOwn;
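Review bot: Nothing next to the typemap says why the two fields are `transient`, and these default typemaps are exactly what users copy into their own interface files when customising the proxy body, so the keyword is easy to lose again. A comment above `%typemap(javabody) TYPE %{` such as `// swigCPtr and swigCMemOwn are transient: a native pointer and its ownership flag must never be restored from a serialized stream` would keep the reason with the code, and the same comment fits the javabody_derived and SWIG_JAVABODY_TYPEWRAPPER hunks below. After deserialization both fields take their defaults (0 and false), so a deserialized proxy wraps a null pointer; whether the generated methods cope with that is decided outside this hunk. As far as the diffstat shows, the test-suite changes only update existing custom typemaps, so a runtime check that the generated fields carry the transient modifier would guard against regression.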
@@ -1163,7 +1163,7 @@ SWIGINTERN const char * SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
// Derived proxy classes
%typemap(javabody_derived) TYPE %{
- private long swigCPtr;
+ private transient long swigCPtr;
PTRCTOR_VISIBILITY $javaclassname(long cPtr, boolean cMemoryOwn) {
super($imclassname.$javaclazznameSWIGUpcast(cPtr), cMemoryOwn);
@@ -1179,7 +1179,7 @@ SWIGINTERN const char * SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
%define SWIG_JAVABODY_TYPEWRAPPER(PTRCTOR_VISIBILITY, DEFAULTCTOR_VISIBILITY, CPTR_VISIBILITY, TYPE...)
// Typewrapper classes
%typemap(javabody) TYPE *, TYPE &, TYPE &&, TYPE [] %{
- private long swigCPtr;
+ private transient long swigCPtr;
PTRCTOR_VISIBILITY $javaclassname(long cPtr, @SuppressWarnings("unused") boolean futureUse) {
swigCPtr = cPtr;