Missing bounds checks on DMA operations #1083
Comments
|
This makes the emulator vulnerable to ACE, is it seriously gonna get ignored? |
Its non-trivial and on a normal system with ASLR, its more a DOS than anything else, so severity is low. You could maybe ROP chain this if it leaks some infos but thats unlikely too, also any exploit will be bound to very specific builds of mupen as relative addr layouts would differ. |
|
There's already an exploit out there in the wild for the RSP DMA overflow in unpatched paralleln64 on Windows that works consistently. And another one for Bizhawk on Windows. Considering these vulnerabilities are essentially the exact same vulnerability targeting the same region of memory (static data), I wouldn't dismiss the viability or severity of this. I doubt it would take many changes to the existing exploits to adapt either one to the other vulnerable DMA methods. |
In this commit, there was a fix for an overflow in RSP DMAs, but none of the other missing bounds checks were fixed.
Here is a pull request that fixes all the DMAs in ParallelN64.
The mupen core has since moved around and refactored most of these places, so some of them may already be fixed; however, I can find some locations where vulnerabilities still exist:
There may be some other locations as well
The text was updated successfully, but these errors were encountered: