CVE-2022-3676: Stop devirtualizing interface calls in preexistence by jdmpapin · Pull Request #6773 · eclipse/omr

In Eclipse OpenJ9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type.

Previously, it was possible for the JIT to devirtualize an interface call, and for execution to reach the call (whether inlined or not) with a receiver that is not an instance of the class expected by the implementing method. The callee could then access fields of the receiver as though it were of the expected type.

The conditionals added in this commit still allow (on their own) for an interface call to be devirtualized when preexistence has already proven that the receiver is an instance of some particular class that implements the expected interface. However, preexistence currently fails to devirtualize in that situation. It passes the class to TR_PersistentCHTable::findSingleInterfaceImplementer(), which needs the interface. This can be improved in the future by having preexistence treat the call in the same way as a non-interface call, but with the added requirement that the devirtualized callee must be public.
