Buffer overflow in pif_process #122
Comments
The man the myth the legend strikes again
meeq added a commit to meeq/cen64 that referenced this issue on Jul 22, 2021
sp1187 pushed a commit that referenced this issue on Jul 25, 2021
Should be fixed by #206.
rasky pushed a commit to rasky/cen64 that referenced this issue on May 28, 2022
Reading SI DMA triggers execution of the PIF command buffer (64 bytes controlled by the game after DMAing into PIF RAM (0xBFC007C0)):

cen64/si/controller.c
Line 356 in 57209ee

This is handled by the pif_process function. The PIF command buffer uses 2 sizes which are 8-bit (more info: http://en64.shoutwiki.com/wiki/SI_Registers_Detailed); these are the number of bytes requested to send and receive (send_bytes, recv_bytes). pif_process passes these sizes to memcpy calls, with source and destination being PIF buffers (64 bytes), so a buffer overflow will occur if the sizes are greater than 64.

cen64/si/controller.c
Line 229 in 57209ee

Depending on which size you use to overflow, you can trigger either a stack buffer overflow:

Or an overflow from the stack into the SI registers, which are fully readable by the game:

cen64/si/controller.h
Line 39 in 72c778c

This means an attacker can both leak and corrupt stack memory. This type of "2 way heap/stack overflow" is very similar to the SETFKEY FreeBSD kernel bug I exploited a couple of years ago (https://cturt.github.io/SETFKEY.html), and should be sufficient to fully exploit from emulator -> native code execution.

I don't have symbols because I didn't build from source - but I'm reproing a write AV from the inlined memcpy on the latest Windows release: