Fix buffer overflow in RSP DMA - SECURITY CONCERN

[bkimmett]

Recently, ParaLLeL launcher has fixed a bug in its version of its RSP code that allowed N64 code to potentially escape the emulator and perform ACE on the user's computer (see https://www.twitch.tv/videos/2147408942?t=12257s for an example of this escape in action).

The fix is here: https://gitlab.com/parallel-launcher/parallel-n64/-/commit/fa9e2e08b0c6cde117cb05cc071cdb74a9e90ad2#06a9a5c035040370b6d9d811526d9586179b3176

The equivalent code in Simple64,

simple64/mupen64plus-core/src/device/rcp/rsp/rsp_core.c

Line 78 in be260ec

spmem[(memaddr & 0xfff)^S8] = dram[dramaddr^S8];

and

simple64/mupen64plus-core/src/device/rcp/rsp/rsp_core.c

Line 59 in be260ec

dram[dramaddr^S8] = spmem[(memaddr & 0xfff)^S8];

, appears to also be vulnerable to this.

I strongly recommend fixing this as soon as possible.

[loganmc10]

I didn't see an example of ACE in the video you shared, and I don't believe there is an issue in simple64, because these values are sanitized when they are written (

simple64/mupen64plus-core/src/device/rcp/rsp/rsp_core.c

Lines 308 to 313 in be260ec

	case SP_MEM_ADDR_REG:
	sp->regs[SP_MEM_ADDR_REG] &= 0x1ff8;
	break;
	case SP_DRAM_ADDR_REG:
	sp->regs[SP_DRAM_ADDR_REG] &= 0xfffff8;
	break;

), before the code you referenced here. Can you elaborate further?

[bkimmett]

The ACE in the video is first popping a fake OBS crash dialog, then moving the emulator window without external input, then launching Dolphin and Super Mario Sunshine, which was packed in the N64 rom as a DLL (!).

While I don't entirely understand the nature of the exploit (I'm just trying to get the word out as widely as possible), I believe it has something to do with being able to write off the end of dram or spmem with invalid values passed in (possibly count, length, or skip).

[bkimmett]

For reference, the rom that caused the exploit can be seen here:

https://github.com/devwizard64/rhc_slide2

However, the dev of that rom did not include the exploit payload code, instead using a function within libPl to read it out of the dev's avatar (!) on romhacking.com (I wish I was making this up - the avatar-fetching function is documented here https://parallel-launcher.gitlab.io/libpl/group__page__rhdc.html ).

[loganmc10]

I don't have Windows so I'm not sure how I can test this. Can you run the ROM with simple64 and verify that the exploit works? Again, I don't see how it would since the values for the DRAM and SPMEM addresses are clamped when they are written

[bkimmett]

The rom I linked will not work as published to GitHub, as it works by downloading the exploit code from an external server (the guy's avatar on romhacking.com). This exploit code is no longer available.

However, it can also be triggered through ACE on Paper Mario, as demonstrated in this TAS: https://tasvideos.org/8982S

[loganmc10]

I'm going to close this until the issue can be reproduced on simple64, please reopen if that is the case

[bkimmett]

I've spoken to the creator of the original exploit. He says Simple64 is vulnerable, and that the cause is starting a write to the dram array at 0x800000, as that is beyond the size of the dram array.

(him) it is vulnerable - if you started an RSP DMA at ram 800000 then it would write out of bounds
(me) And this is because the ram... array?... is only 0x800000 big? Or...?
(him) yes

[loganmc10]

Do you not have access to the ROM? Is it not possible to test with simple64?

[bkimmett]

The rom was made in a way such that it fetched its exploit payload from an external server, when using an emulator that had the capability to do so (with libPl). The payload is no longer online and I don't think Simple64 integrates libPl anyway, so: no, I am unable to test the rom at this time.

The part of the rom that would download and execute the payload, before executing windows code, is here: https://github.com/devwizard64/rhc_slide2/blob/a396daf0603ed6aacffd8baa46b43770bfc69483/src/ext.c#L164

Note the use of PL_GetAvatar.

[loganmc10]

But if the emulator doesn't support libPL how is it vulnerable?

I guess I'm unclear on how the payload gets executed, even if you write unwanted data past 0x800000, how is it executed on the system?

[bkimmett]

LibPL was not used to execute the payload, only to retrieve it. The actual flaw comes in the buffer overflow performed in the DMA logic, where data is written off the end of the dram array.

Regarding how a buffer overflow is turned into an exploit, Wikipedia notes:

Exploiting the behavior of a buffer overflow is a well-known security exploit. On many systems, the memory layout of a program, or the system as a whole, is well defined. By sending in data designed to cause a buffer overflow, it is possible to write into areas known to hold executable code and replace it with malicious code.

[loganmc10]

Ok thanks, I understand. I'll work on a fix. I don't think the fix in parallel-launcher is very robust. At least in mupen64plus, the user can choose between 4MB and 8MB of DRAM, so masking it at 0x7fffffu won't work for 4MB of RAM. There are also other DMA types in the code, but I don't know if parallel-launcher already has those addressed as well.

[bkimmett]

Thank you! I'm looking forward to seeing what you come up with.