Buffer overflow in pif_process #122

Closed
CTurt opened this issue May 9, 2019 · 2 comments

CTurt commented May 9, 2019

Reading SI DMA triggers execution of the PIF command buffer (64 bytes controlled by the game after DMAing into PIF RAM (0xBFC007C0)):

pif_process(si);

This is handled by the pif_process function.

The PIF command buffer uses two 8-bit sizes (more info: http://en64.shoutwiki.com/wiki/SI_Registers_Detailed); these are the number of bytes requested to send and receive (send_bytes, recv_bytes).

pif_process passes these sizes to memcpy calls, with source and destination being PIF buffers (64 bytes), so a buffer overflow will occur if the sizes are greater than 64.

int8_t send_bytes = si->command[ptr++];

Depending on which size you use to overflow, you can trigger either a stack buffer overflow:

uint8_t send_buf[0x40];
....
memcpy(send_buf, si->command + ptr, send_bytes);

Or an overflow from the stack into the SI registers, which are fully readable by the game:

uint8_t recv_buf[0x40];
...
memcpy(si->ram + ptr, recv_buf, recv_bytes);

struct si_controller {
...
  uint8_t command[64];
  uint8_t ram[64];
  uint32_t regs[NUM_SI_REGISTERS];

This means an attacker can both leak and corrupt stack memory. This type of "2-way heap/stack overflow" is very similar to the SETFKEY FreeBSD kernel bug I exploited a couple of years ago (https://cturt.github.io/SETFKEY.html), and should be sufficient to fully exploit from emulator -> native code execution.

I don't have symbols because I didn't build from source, but I'm reproing a write AV from the inlined memcpy on the latest Windows release:

(2bf8.2a2c): Access violation - code c0000005 (!!! second chance !!!)
cen64_windows_x86_64+0x3b921:
00000000`0043b921 488910          mov     qword ptr [rax],rdx ds:00000000`22e78500=????????????????
0:008> k
 # Child-SP          RetAddr           Call Site
00 00000000`0e95fc10 00000000`0044108b cen64_windows_x86_64+0x3b921
01 00000000`0e95fd30 00000000`00442431 cen64_windows_x86_64+0x4108b
02 00000000`0e95fdb0 00000000`0043dc3b cen64_windows_x86_64+0x42431
03 00000000`0e95fe20 00000000`0043e35e cen64_windows_x86_64+0x3dc3b
04 00000000`0e95fe90 00000000`0043cd69 cen64_windows_x86_64+0x3e35e
05 00000000`0e95ff00 00007ff8`51337974 cen64_windows_x86_64+0x3cd69
06 00000000`0e95ff30 00007ff8`518fa271 KERNEL32!BaseThreadInitThunk+0x14
07 00000000`0e95ff60 00000000`00000000 ntdll!RtlUserThreadStart+0x21
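Added illustration (not cen64's code and not part of the post above): a minimal model of the quoted si_controller layout, a helper showing what memcpy actually receives when a length is declared int8_t, and a bounds-checked version of the three memcpy calls. The flat command layout (send_bytes, recv_bytes, payload), the NUM_SI_REGISTERS value, the echo-style reply and the helper names are assumptions made for this example, not the real per-channel PIF encoding or cen64's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not cen64 code: a minimal model of the si_controller layout
 * quoted in the issue. Only the adjacency command[] -> ram[] -> regs[] matters;
 * NUM_SI_REGISTERS is an assumed value. */
#define PIF_SIZE 64
#define NUM_SI_REGISTERS 4

struct si_controller {
    uint8_t command[PIF_SIZE];
    uint8_t ram[PIF_SIZE];
    uint32_t regs[NUM_SI_REGISTERS];
};

enum pif_status {
    PIF_OK = 0,
    PIF_ERR_HEADER,  /* no room left for the two length bytes */
    PIF_ERR_SEND,    /* send_bytes would read past command[] / write past send_buf */
    PIF_ERR_RECV     /* recv_bytes would write past ram[] into regs[] */
};

/* What memcpy really receives when a length is declared int8_t, as in the
 * issue's `int8_t send_bytes = si->command[ptr++];`. Any value >= 0x80 is
 * negative, and the implicit conversion to size_t makes it enormous. */
size_t memcpy_len_from_int8(uint8_t raw)
{
    int8_t send_bytes = (int8_t)raw;   /* 0xC0 -> -64 on two's-complement targets */
    return (size_t)send_bytes;          /* -64 -> SIZE_MAX - 63 */
}

/* Simplified command layout (assumed for this example): command[ptr] =
 * send_bytes, command[ptr+1] = recv_bytes, then send_bytes of payload. The
 * reply lands at ram[ptr], mirroring the memcpy calls quoted in the issue but
 * with the bounds the original lacks. */
enum pif_status pif_process_checked(struct si_controller *si, size_t ptr)
{
    uint8_t send_buf[PIF_SIZE];
    uint8_t recv_buf[PIF_SIZE];

    if (ptr > PIF_SIZE - 2)
        return PIF_ERR_HEADER;

    /* Read the lengths unsigned; a signed declaration does not bound them. */
    uint8_t send_bytes = si->command[ptr++];
    uint8_t recv_bytes = si->command[ptr++];

    /* Bound by the space left after ptr, not by the nominal 64: the copies
     * start at command + ptr and ram + ptr, not at the buffer base. */
    if (send_bytes > PIF_SIZE - ptr)
        return PIF_ERR_SEND;
    if (recv_bytes > PIF_SIZE - ptr)
        return PIF_ERR_RECV;

    memcpy(send_buf, si->command + ptr, send_bytes);

    /* Stand-in for the controller reply: echo the request back, zero-padded. */
    memset(recv_buf, 0, sizeof recv_buf);
    memcpy(recv_buf, send_buf, send_bytes < recv_bytes ? send_bytes : recv_bytes);

    memcpy(si->ram + ptr, recv_buf, recv_bytes);
    return PIF_OK;
}

/* Helper: build a command block at ptr = 0 with a constructed payload
 * ('a', 'b', 'c', ...) and run it through the checked path. On success,
 * ram_out (if given) receives si->ram so the reply can be inspected. */
enum pif_status run_command(uint8_t send_bytes, uint8_t recv_bytes,
                            uint8_t ram_out[PIF_SIZE])
{
    struct si_controller si;
    memset(&si, 0, sizeof si);
    si.command[0] = send_bytes;
    si.command[1] = recv_bytes;
    for (size_t i = 2; i < PIF_SIZE; i++)
        si.command[i] = (uint8_t)('a' + (i - 2) % 26);

    enum pif_status st = pif_process_checked(&si, 0);
    if (st == PIF_OK && ram_out)
        memcpy(ram_out, si.ram, PIF_SIZE);
    return st;
}

/* Helper: one byte of the reply area after a successful command, or -1. */
int reply_byte(uint8_t send_bytes, uint8_t recv_bytes, size_t idx)
{
    uint8_t ram[PIF_SIZE];
    if (idx >= PIF_SIZE || run_command(send_bytes, recv_bytes, ram) != PIF_OK)
        return -1;
    return ram[idx];
}

int main(void)
{
    printf("benign  send=3    recv=4:    status %d\n", run_command(3, 4, NULL));
    printf("hostile send=0xC0 recv=4:    status %d\n", run_command(0xC0, 4, NULL));
    printf("hostile send=3    recv=0xC0: status %d\n", run_command(3, 0xC0, NULL));
    printf("int8_t 0xC0 as memcpy length: %zu\n", memcpy_len_from_int8(0xC0));
    return 0;
}
```

The check compares each length against the bytes remaining after ptr rather than against 64, because both copies are offset by ptr; a length of exactly 62 at ptr = 2 is the largest that fits, and 63 already runs one byte past the end of command[] or ram[], the latter landing in regs[].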
@ChampionLeake

The man the myth the legend strikes again


sp1187 commented Jul 25, 2021

Should be fixed by #206.

@sp1187 sp1187 closed this as completed Jul 25, 2021
rasky pushed a commit to rasky/cen64 that referenced this issue May 28, 2022