Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix out-of-bounds memory accesses #35

Merged
merged 1 commit into from Jun 23, 2022
Merged

Fix out-of-bounds memory accesses #35

merged 1 commit into from Jun 23, 2022

Conversation

DavidBuchanan314
Copy link
Contributor

@DavidBuchanan314 DavidBuchanan314 commented Jun 23, 2022
edited

If I ends up greater than 0xfff, then the memory array can be indexed out-of-bounds (e.g. repeated use of the ADD I, Vx instruction). This is a security vulnerability. A malicious ROM can leverage this to escape the emulator, and execute arbitrary native code on the host system.

I noticed this comment in cpu.h:

chip8/src/lib8/cpu.h

Lines 49 to 54 in d952e57

/**
* This is the maximum amount of memory addressable by the machine.
* It should be used as a bitmask when overflows could possibly happen
* due to memory address management.
*/
#define ADDRESS_MASK 0xFFF

However, this ADDRESS_MASK constant is never used anywhere! So, I used it to add masking to all memory reads and writes, fixing the vulnerability.

@danirod
Copy link
Owner

danirod commented Jun 23, 2022

That is true, good caught, thanks.

@danirod danirod merged commit 1fc1679 into danirod:devel Jun 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danirod danirod danirod approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@DavidBuchanan314 @danirod