CDVDFSV: Fixed pointer incorrectly getting incremented, when alignment correction is performed.

This resulted in the buffer getting overrun, causing memory corruption.
sp193 committed Feb 24, 2019
1 parent 71993a8 commit cd100a2
Showing 2 changed files with 5 additions and 9 deletions.
10 changes: 4 additions & 6 deletions modules/iopcore/cdvdfsv/cdvdfsv.c
Expand Up @@ -784,7 +784,6 @@ static inline void cdvd_readee(void *buf)
u8 curlsn_buf[16];
u32 nbytes, nsectors, sectors_to_read, size_64b, size_64bb, bytesent, temp;
int sector_size, flag_64b, fsverror;
void *fsvRbuf = (void *)cdvdfsv_buf;
void *eeaddr_64b, *eeaddr2_64b;
cdvdfsv_readee_t readee;
RpcCdvd_t *r = (RpcCdvd_t *)buf;
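Review bot: dropping the `fsvRbuf` alias changes the type behind the offset arithmetic in the later hunks: `fsvRbuf` was `void *`, so `fsvRbuf + readee.b1len` relied on GCC's byte-granular void-pointer arithmetic, whereas `cdvdfsv_buf + readee.b1len` now depends on the declaration of `cdvdfsv_buf`, which this diff does not show. Please confirm it is a byte array (`u8`), otherwise the offsets scale by the element size. Since this local was the only thing tying the read target to the buffer start, a one-line comment at the declaration of `cdvdfsv_buf` saying that every `sceCdRead` in this function now lands at offset 0 would record the new invariant.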
Expand Down Expand Up @@ -828,7 +827,6 @@ static inline void cdvd_readee(void *buf)
temp -= (u32)eeaddr2_64b;
readee.pdst2 = eeaddr2_64b; // get the end address on a 64 bytes align
readee.b2len = temp; // get bytes remainder at end of 64 bytes align
fsvRbuf += temp;

if (readee.b1len)
flag_64b = 0; // 64 bytes alignment flag
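Review bot: the removed `fsvRbuf += temp;` is the increment the commit message blames for the overrun, but nothing left in the code records why the read target was ever skewed by `temp` (the `b2len` remainder), so a future reader could reintroduce it. Suggest a comment next to `readee.b2len = temp; // get bytes remainder at end of 64 bytes align` stating that sector data is read to the start of the buffer and the `b2len` tail is picked up by the final `mips_memcpy`, not by offsetting the read pointer. `temp` is also reused a few lines later as a sector count (`temp = nsectors;`), which makes the unit of this value easy to misread; a dedicated variable for the byte remainder would help.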
Expand Down Expand Up @@ -866,7 +864,7 @@ static inline void cdvd_readee(void *buf)
temp = nsectors;
}

if (sceCdRead(r->lsn, temp, (void *)fsvRbuf, NULL) == 0) {
if (sceCdRead(r->lsn, temp, (void *)cdvdfsv_buf, NULL) == 0) {
if (sceCdGetError() == CDVD_ERR_NO) {
fsverror = CDVD_ERR_READCF;
sceCdSC(CDSC_SET_ERROR, &fsverror);
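Review bot: `sceCdRead(r->lsn, temp, (void *)cdvdfsv_buf, NULL)` now always reads `temp` sectors to the buffer start, but the bound on `temp` is not visible in this hunk (only the `temp = nsectors;` branch is shown), so the overrun fix rests on the elided code above keeping `temp` at or below the buffer's sector capacity. A comment stating that cap where `temp` is computed, or a check against `sizeof(cdvdfsv_buf) / 2048` if the buffer's declaration allows it, would make the invariant verifiable at the call site. Minor: the error path sets `CDVD_ERR_READCF` only when `sceCdGetError()` returns `CDVD_ERR_NO`, which reads as inverted until one realises it synthesises an error the driver did not report; a short comment there would save the next reader that step.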
Expand All @@ -882,14 +880,14 @@ static inline void cdvd_readee(void *buf)

if (!flag_64b) {
if (sectors_to_read == r->sectors) // check that was the first read. Data read will be skewed by readee.b1len bytes into the adjacent sector.
mips_memcpy((void *)readee.buf1, (void *)fsvRbuf, readee.b1len);
mips_memcpy((void *)readee.buf1, (void *)cdvdfsv_buf, readee.b1len);

if ((sectors_to_read == nsectors) && (readee.b1len)) // For the last sector read.
size_64bb = size_64b - 64;
}

if (size_64bb > 0) {
sysmemSendEE((void *)(fsvRbuf + readee.b1len), (void *)eeaddr_64b, size_64bb);
sysmemSendEE((void *)(cdvdfsv_buf + readee.b1len), (void *)eeaddr_64b, size_64bb);
bytesent += size_64bb;
}

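Review bot: `size_64bb = size_64b - 64;` on the last read with a non-zero `readee.b1len` is what keeps the skewed DMA source `cdvdfsv_buf + readee.b1len` inside the buffer, but `size_64bb` and `size_64b` are `u32` (see the declaration at the top of the function), so if `size_64b` were ever below 64 the subtraction would wrap and `if (size_64bb > 0)` would pass a huge length to `sysmemSendEE`. If `size_64b` is guaranteed to be at least one sector at this point, say so in the comment on that line; otherwise test `size_64b >= 64` before subtracting. The paired checks `sectors_to_read == r->sectors` (first read) and `sectors_to_read == nsectors` (last read) would also benefit from a note that both hold in a single-pass transfer, since then the head copy and the trimmed DMA happen in the same iteration.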
Expand All @@ -903,7 +901,7 @@ static inline void cdvd_readee(void *buf)
} while ((flag_64b) || (sectors_to_read));

//At the very last pass, copy readee.b2len bytes from the last sector, to complete the alignment correction.
mips_memcpy((void *)readee.buf2, (void *)(fsvRbuf + size_64b - readee.b2len), readee.b2len);
mips_memcpy((void *)readee.buf2, (void *)(cdvdfsv_buf + size_64b - readee.b2len), readee.b2len);
}

*(int *)buf = bytesent;
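Review bot: the final `mips_memcpy` of `readee.b2len` bytes from `cdvdfsv_buf + size_64b - readee.b2len` runs unconditionally after the loop, including when `readee.b2len` is 0, and the lines elided between the hunks do not show whether the `sceCdRead` failure path exits before reaching it, in which case `size_64b` may describe data that was never read. Mirroring the head copy with an `if (readee.b2len)` guard, and skipping the copy when `fsverror` was set, would make the "At the very last pass" comment literally true. The comment should also say which read `size_64b` refers to, since its value is assigned inside the loop.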
4 changes: 1 addition & 3 deletions modules/iopcore/cdvdman/cdvdman.c
Expand Up @@ -210,9 +210,7 @@ static iop_sys_clock_t gCallbackSysClock;
// buffers
#define CDVDMAN_BUF_SECTORS 2
static u8 cdvdman_buf[CDVDMAN_BUF_SECTORS * 2048];

#define CDVDMAN_FS_BUFSIZE CDVDMAN_FS_SECTORS * 2048
static u8 cdvdman_fs_buf[CDVDMAN_FS_BUFSIZE];
static u8 cdvdman_fs_buf[CDVDMAN_FS_SECTORS * 2048];

#define CDVDMAN_MODULE_VERSION 0x225
static int cdvdman_debug_print_flag = 0;
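Review bot: inlining `CDVDMAN_FS_SECTORS * 2048` removes the `CDVDMAN_FS_BUFSIZE` macro, so any other translation unit that referenced it will no longer build; please confirm it had no other users. The removed macro also lacked parentheses around its expansion, which inlining avoids, but `2048` is now a magic number repeated for both `cdvdman_buf` and `cdvdman_fs_buf`; a `CDVDMAN_SECTOR_SIZE` constant (or an existing one) would keep the two declarations in step. Since the discussion on this commit turns on whether the buffer needs 64 bytes of headroom, a comment at `cdvdman_fs_buf` explaining how `CDVDMAN_FS_SECTORS` (defined elsewhere, not in this diff) relates to the largest read `cdvd_readee` issues would document the sizing decision.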

3 comments on commit cd100a2

@rickgaiser
Member

@sp193 This commit seems to cause issues with Gitaroo Man (and perhaps more games). This commit seems to fix a buffer overrun issue. It looks like the overrun is 63 bytes maximum. Is this correct? Wouldn't it make more sense to make cdvdman_fs_buf 64 bytes larger and revert the rest of this commit?

@TnA-Plastic

Good catch!

@sp193
Contributor Author

@sp193 sp193 commented on cd100a2 Sep 11, 2019

This is part of the alignment mechanism. The code needs to align the DMA target address for transfers to the EE side. This will fix transfers to misaligned buffers on the EE, but that buffer must still reside at an address that is at least a multiple of 4.

I changed the code because of an overrun. I could not tell why the original code read to an offset in cdvdfsv_rbuf and also read from this same address - which caused the overrun. Then in the common CDVDMAN header file, I re-evaluated the sizes of the buffers. As much as I tried, I could not understand why I chose the old value - it was off by 2, whereas this sort of correction can be done by reading one extra sector.

I believe the changes you see in this commit are incomplete, as I remember adding some comments too. Maybe some of them are in the adjacent commit.
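The head/middle/tail split that the thread describes (the `eeaddr_64b` / `eeaddr2_64b`, `b1len`, `b2len` computation) and the reason a skewed DMA source over-reads the staging buffer, as an added C example. This is not code from this repository: the names `split_for_dma`, `dma_source_end`, `last_pass_dma_len`, `simulate_transfer`, `split_is` and `check_roundtrip` are hypothetical, the DMA is simulated with `memcpy`, the byte pattern in the staging buffer is constructed, and the model assumes staged byte 0 is the first byte wanted at the EE destination, which simplifies the sector arithmetic of `cdvd_readee`.

```c
/*
 * Model of the 64-byte DMA alignment split discussed in this thread.
 * Added example, not this repository's code: names are hypothetical and the
 * transfer is simulated with memcpy. Assumes the staging buffer holds whole
 * 2048-byte sectors and that staged byte 0 is the first byte wanted at the
 * EE destination (a simplification of cdvd_readee's sector arithmetic).
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SECTOR_SIZE 2048u
#define DMA_ALIGN   64u

typedef struct {
    uint32_t b1len;   /* head: bytes before the first 64-byte boundary of dst */
    uint32_t midlen;  /* middle: whole 64-byte blocks, the part sent by DMA */
    uint32_t b2len;   /* tail: bytes after the last 64-byte boundary */
} align_split_t;

/* Split [dst, dst+nbytes) the way cdvd_readee does with eeaddr_64b / eeaddr2_64b.
 * Returns -1 when dst is not a multiple of 4, the precondition sp193 states. */
int split_for_dma(uintptr_t dst, uint32_t nbytes, align_split_t *s)
{
    uintptr_t end  = dst + nbytes;
    uintptr_t up   = (dst + DMA_ALIGN - 1) & ~(uintptr_t)(DMA_ALIGN - 1); /* round up */
    uintptr_t down = end & ~(uintptr_t)(DMA_ALIGN - 1);                   /* round down */

    if (dst & 3)
        return -1;
    if (up >= down) {               /* no complete aligned block: all by memcpy */
        s->b1len = nbytes;
        s->midlen = 0;
        s->b2len = 0;
        return 0;
    }
    s->b1len  = (uint32_t)(up - dst);
    s->midlen = (uint32_t)(down - up);
    s->b2len  = (uint32_t)(end - down);
    return 0;
}

/* End (exclusive) of the source range a DMA of `len` bytes from stage + b1len
 * reads. Sending the whole staged size from an offset of b1len ends b1len
 * bytes (at most 63) past the staged data: the over-read the commit removes. */
uint32_t dma_source_end(uint32_t b1len, uint32_t len)
{
    return b1len + len;
}

/* DMA length for the final pass, mirroring `size_64bb = size_64b - 64` in the
 * patch: with the source skewed by b1len, drop one 64-byte block so the source
 * range stays inside the staged data; the tail then goes by memcpy. The guard
 * (not in the patch) avoids the u32 wrap of `size_64b - 64` for size_64b < 64. */
uint32_t last_pass_dma_len(uint32_t size_64b, uint32_t b1len)
{
    if (b1len == 0)
        return size_64b;
    return size_64b < DMA_ALIGN ? 0 : size_64b - DMA_ALIGN;
}

/* Simulated transfer: out[i] receives the byte destined for address dst+i.
 * Head and tail are copied (like readee.buf1 / readee.buf2), the middle goes
 * through a bounds-checked "DMA". Returns bytes delivered, or -1 if any source
 * range would read outside the staging buffer. */
long simulate_transfer(uintptr_t dst, uint32_t nbytes,
                       const uint8_t *stage, size_t stage_len, uint8_t *out)
{
    align_split_t s;

    if (nbytes > stage_len || split_for_dma(dst, nbytes, &s) < 0)
        return -1;
    memcpy(out, stage, s.b1len);                                  /* head */
    if ((size_t)dma_source_end(s.b1len, s.midlen) > stage_len)    /* would over-read */
        return -1;
    memcpy(out + s.b1len, stage + s.b1len, s.midlen);             /* DMA surrogate */
    memcpy(out + s.b1len + s.midlen, stage + s.b1len + s.midlen, s.b2len); /* tail */
    return (long)nbytes;
}

/* Does dst/nbytes split into the given head, middle and tail? 0 if dst is rejected. */
int split_is(uintptr_t dst, uint32_t nbytes, uint32_t b1, uint32_t mid, uint32_t b2)
{
    align_split_t s;

    if (split_for_dma(dst, nbytes, &s) < 0)
        return 0;
    return s.b1len == b1 && s.midlen == mid && s.b2len == b2;
}

/* Demo driver: fills a two-sector staging buffer with a constructed byte
 * pattern (not disc data), runs the simulated transfer and returns 1 if every
 * requested byte arrived at its destination offset. */
int check_roundtrip(uintptr_t dst, uint32_t nbytes)
{
    static uint8_t stage[2 * SECTOR_SIZE], out[2 * SECTOR_SIZE];
    size_t i;

    for (i = 0; i < sizeof stage; i++)
        stage[i] = (uint8_t)(i * 7 + 1);
    memset(out, 0, sizeof out);
    if (simulate_transfer(dst, nbytes, stage, sizeof stage, out) != (long)nbytes)
        return 0;
    return memcmp(out, stage, nbytes) == 0;
}
```

For a destination such as `0x01000010` and 1000 bytes, `split_for_dma` yields a 48-byte head, an 896-byte aligned middle and a 56-byte tail. `dma_source_end(48, 2048)` is 2096, i.e. a full-sector DMA from the skewed offset reads 48 bytes past a one-sector staging buffer, which is the model's version of the over-read rickgaiser asks about; `last_pass_dma_len(2048, 48)` trims that to 1984 so the source range ends at 2032, inside the buffer, and the remaining bytes are delivered by the tail copy.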
