
Buffer overflow in pif_process #122

@CTurt


Reading SI DMA triggers execution of PIF command buffer (64 bytes controlled by game after DMAing into PIF RAM (0xBFC007C0)):

pif_process(si);

This is handled by the pif_process function.

The PIF command buffer uses two 8-bit sizes (more info: http://en64.shoutwiki.com/wiki/SI_Registers_Detailed); these are the number of bytes requested to send and receive (send_bytes, recv_bytes).

pif_process passes these sizes to memcpy calls, with source and destination being PIF buffers (64 bytes), so a buffer overflow will occur if the sizes are greater than 64.

int8_t send_bytes = si->command[ptr++];

Depending on which size you use to overflow, you can trigger either a stack buffer overflow:

uint8_t send_buf[0x40];
....
memcpy(send_buf, si->command + ptr, send_bytes);

Or an overflow from the stack into the SI registers, which are fully readable by the game:

uint8_t recv_buf[0x40];
...
memcpy(si->ram + ptr, recv_buf, recv_bytes);

uint8_t ram[64];

struct si_controller {
...
  uint8_t command[64];
  uint8_t ram[64];
  uint32_t regs[NUM_SI_REGISTERS];

This means an attacker can both leak and corrupt stack memory. This type of "2 way heap/stack overflow" is very similar to the SETFKEY FreeBSD kernel bug I exploited a couple of years ago (https://cturt.github.io/SETFKEY.html), and should be sufficient to fully exploit from emulator -> native code execution.

I don't have symbols because I didn't build from source, but I'm reproing a write AV from an inlined memcpy on the latest Windows release:

(2bf8.2a2c): Access violation - code c0000005 (!!! second chance !!!)
cen64_windows_x86_64+0x3b921:
00000000`0043b921 488910          mov     qword ptr [rax],rdx ds:00000000`22e78500=????????????????
0:008> k
 # Child-SP          RetAddr           Call Site
00 00000000`0e95fc10 00000000`0044108b cen64_windows_x86_64+0x3b921
01 00000000`0e95fd30 00000000`00442431 cen64_windows_x86_64+0x4108b
02 00000000`0e95fdb0 00000000`0043dc3b cen64_windows_x86_64+0x42431
03 00000000`0e95fe20 00000000`0043e35e cen64_windows_x86_64+0x3dc3b
04 00000000`0e95fe90 00000000`0043cd69 cen64_windows_x86_64+0x3e35e
05 00000000`0e95ff00 00007ff8`51337974 cen64_windows_x86_64+0x3cd69
06 00000000`0e95ff30 00007ff8`518fa271 KERNEL32!BaseThreadInitThunk+0x14
07 00000000`0e95ff60 00000000`00000000 ntdll!RtlUserThreadStart+0x21
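The mitigation the report implies is a length check before each memcpy: read both size bytes as unsigned and compare them against the bytes remaining in the 64-byte buffers. The following is an added example of that check, not cen64's code and not the reporter's; it assumes a simplified si_controller layout matching the fragment above (with a hypothetical NUM_SI_REGISTERS of 4), a hypothetical echo handler, and a [send_bytes][recv_bytes][data] entry format that leaves out the real PIF protocol's marker bytes. The two demo functions use constructed command buffers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PIF_RAM_SIZE 64
#define NUM_SI_REGISTERS 4 /* hypothetical count, stands in for cen64's real value */

/* Simplified stand-in for the si_controller layout quoted in the issue:
 * command[] and ram[] are the 64-byte PIF buffers and regs[] follows ram[]
 * in memory, which is why an over-long recv copy reaches the SI registers. */
struct si_controller {
  uint8_t command[PIF_RAM_SIZE];
  uint8_t ram[PIF_RAM_SIZE];
  uint32_t regs[NUM_SI_REGISTERS];
};

enum pif_status { PIF_OK = 0, PIF_BAD_LENGTH = 1, PIF_END = 2 };

/* Hypothetical device handler: echo the request bytes back, zero-pad the rest. */
static void handle_command(const uint8_t *send_buf, unsigned send_bytes,
                           uint8_t *recv_buf, unsigned recv_bytes) {
  unsigned n = send_bytes < recv_bytes ? send_bytes : recv_bytes;
  memcpy(recv_buf, send_buf, n);
  memset(recv_buf + n, 0, recv_bytes - n);
}

/* Parse one command entry at *ptr using the entry layout assumed here:
 *   [send_bytes][recv_bytes][send data ...][space for recv data ...]
 * (the real PIF protocol has extra marker bytes that this example omits).
 * Every declared size is checked against the bytes remaining in the
 * 64-byte buffers before any memcpy runs, so neither the stack buffers
 * nor ram[]/regs[] can be overrun. */
enum pif_status pif_process_one(struct si_controller *si, unsigned *ptr) {
  uint8_t send_buf[PIF_RAM_SIZE];
  uint8_t recv_buf[PIF_RAM_SIZE];
  unsigned p = *ptr;

  if (p + 2 > PIF_RAM_SIZE)
    return PIF_END; /* no room for a size pair: done */

  /* Read the sizes as unsigned. Stored in an int8_t, 0x80..0xFF would
   * sign-extend to a huge size_t when handed to memcpy. */
  unsigned send_bytes = si->command[p++];
  unsigned recv_bytes = si->command[p++];

  /* send data must fit inside command[] ... */
  if (send_bytes > PIF_RAM_SIZE - p)
    return PIF_BAD_LENGTH;
  /* ... and the response must fit inside ram[] after the send data. */
  if (recv_bytes > PIF_RAM_SIZE - (p + send_bytes))
    return PIF_BAD_LENGTH;

  memcpy(send_buf, si->command + p, send_bytes);
  p += send_bytes;

  handle_command(send_buf, send_bytes, recv_buf, recv_bytes);

  memcpy(si->ram + p, recv_buf, recv_bytes);
  p += recv_bytes;

  *ptr = p;
  return PIF_OK;
}

/* Constructed input: a size byte of 0xFF (255, or -1 as int8_t) must be rejected
 * before any copy happens. Returns 1 when the check behaves as intended. */
int demo_oversized_rejected(void) {
  struct si_controller si;
  unsigned ptr = 0;
  memset(&si, 0, sizeof si);
  si.command[0] = 0xFF; /* send_bytes far beyond the 64-byte buffer */
  si.command[1] = 0x01;
  return pif_process_one(&si, &ptr) == PIF_BAD_LENGTH && ptr == 0;
}

/* Constructed input: a well-formed 4-in/4-out entry round-trips through the
 * echo handler and lands at ram[6..9]. Returns 1 on success. */
int demo_valid_roundtrip(void) {
  struct si_controller si;
  unsigned ptr = 0;
  memset(&si, 0, sizeof si);
  si.command[0] = 4;
  si.command[1] = 4;
  memcpy(si.command + 2, "ABCD", 4);
  if (pif_process_one(&si, &ptr) != PIF_OK) return 0;
  return ptr == 10 && memcmp(si.ram + 6, "ABCD", 4) == 0;
}

int main(void) {
  printf("oversized entry rejected: %d\n", demo_oversized_rejected());
  printf("valid entry round-trip:  %d\n", demo_valid_roundtrip());
  return 0;
}
```

The two checks are written as `size > remaining` rather than `ptr + size > 64` so that they cannot themselves overflow, and both sizes are compared before the first memcpy so a bad recv_bytes never reaches the copy into ram[] (the one that spills into regs[]). A real fix would also handle the protocol's end and skip markers, which are deliberately left out here.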
