
Fix out-of-bounds memory accesses #35

Merged

merged 1 commit into from Jun 23, 2022

Conversation

DavidBuchanan314 (Contributor) commented Jun 23, 2022

If I ends up greater than 0xfff, then the memory array can be indexed out-of-bounds (e.g. repeated use of the ADD I, Vx instruction). This is a security vulnerability. A malicious ROM can leverage this to escape the emulator, and execute arbitrary native code on the host system.

I noticed this comment in cpu.h:

chip8/src/lib8/cpu.h, lines 49 to 54 in d952e57:

```c
/**
 * This is the maximum amount of memory addressable by the machine.
 * It should be used as a bitmask when overflows could possibly happen
 * due to memory address management.
 */
#define ADDRESS_MASK 0xFFF
```

However, this ADDRESS_MASK constant is never used anywhere! So, I used it to add masking to all memory reads and writes, fixing the vulnerability.
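As an added illustration (not code from the chip8 project or this PR), here is a minimal C model of the bug described above and of the masking fix: a 16-bit I register driven past 0xFFF by repeated ADD I, Vx, an unmasked index that leaves the 4 KiB array, and reads and writes that apply ADDRESS_MASK at the point of use. The struct layout, the function names and the V0 = 0xFF scenario are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define MEMSIZE      0x1000   /* CHIP-8 has 4 KiB of RAM */
#define ADDRESS_MASK 0xFFF    /* the constant the PR puts to use */

typedef struct {              /* hypothetical emulator state */
    uint8_t  memory[MEMSIZE];
    uint8_t  v[16];           /* V0..VF */
    uint16_t i;               /* 16-bit index register I */
} chip8_t;

/* ADD I, Vx (opcode Fx1E): I is 16 bits wide, so repeated adds can
 * carry it past 0xFFF although RAM has only 0x1000 bytes. */
static void op_add_i_vx(chip8_t *c, int x) { c->i += c->v[x]; }

/* The unmasked access the PR describes is memory[I + off]; this
 * predicate says whether such an index stays inside the array. */
static bool index_in_bounds(uint16_t i, uint16_t off) { return (size_t)i + off < MEMSIZE; }

/* Hardened form: mask at the point of use, so any I value wraps into
 * 0x000..0xFFF and the array can never be indexed out of bounds. */
static uint16_t masked_addr(uint16_t i, uint16_t off) { return (uint16_t)((i + off) & ADDRESS_MASK); }
static uint8_t read_masked(const chip8_t *c, uint16_t off) { return c->memory[masked_addr(c->i, off)]; }
static void write_masked(chip8_t *c, uint16_t off, uint8_t val) { c->memory[masked_addr(c->i, off)] = val; }

/* Constructed scenario: start near the top of RAM and execute
 * ADD I, V0 four times with V0 = 0xFF, as a ROM could. Returns the
 * final I, 0xF00 + 4 * 0xFF = 0x12FC, which is beyond the array. */
static uint16_t drive_i_past_ram(chip8_t *c)
{
    c->i = 0xF00;
    c->v[0] = 0xFF;
    for (int n = 0; n < 4; n++)
        op_add_i_vx(c, 0);
    return c->i;
}
static uint16_t demo_overflowed_i(void) { chip8_t c = {0}; return drive_i_past_ram(&c); }

/* With I out of range, write then read through the masked path and
 * report the in-RAM address the byte reached (0xFFFF on mismatch). */
static uint16_t demo_masked_landing(void)
{
    chip8_t c = {0};
    uint16_t i = drive_i_past_ram(&c);
    write_masked(&c, 0, 0xAB);
    return read_masked(&c, 0) == 0xAB ? masked_addr(i, 0) : 0xFFFF;
}
```

Note that masking wraps an out-of-range I silently rather than reporting it; that keeps the host safe, which is the point of the fix, while a ROM relying on such addresses still misbehaves on its own terms.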

danirod (Owner) commented Jun 23, 2022

That is true, good catch, thanks.

@danirod danirod merged commit 1fc1679 into danirod:devel Jun 23, 2022