Open 269261 opened 7 months ago
Loading and executing the attached `regs_issues.z64` file (s3.zip) results in out-of-bounds reads/writes in the following locations, due to the `reg` index value being too high:
The provided sample does not cause OOB access in the locations below, but manual analysis raises suspicion that a similar issue may exist there as well:
One way to confirm the issue is to set conditional breakpoints on the suspected lines in gdb before loading and executing the provided ROM:
```
$ gdb --args Bin/Release/RMG /tmp/regs_issues.z64
GNU gdb (Ubuntu 13.1-2ubuntu2) 13.1
...
^C
...
(gdb) set breakpoint pending on
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rdram/rdram.c:176 if module*10+reg >= 80
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rdram/rdram.c:217 if module*10+reg >= 80
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rdp/rdp_core.c:109 if reg >= 8
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rdp/rdp_core.c:139 if reg >= 4
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/vi/vi_controller.c:154 if reg >= 14
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/ai/ai_controller.c:219 if reg >= 6
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/pi/pi_controller.c:212 if reg >= 13
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/ri/ri_controller.c:52 if reg >= 8
(gdb) r
Starting program: /tmp/RMG/Bin/Release/RMG /tmp/regs_issues.z64
...
Thread 14 "Thread::Emulati" hit Breakpoint 1, read_rdram_regs (opaque=0x7fffcb9f0c08 <g_dev+59784200>, address=66060704, value=0x7fffd23fa344) at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rdram/rdram.c:176
176         *value = rdram->regs[module][reg];
(gdb) print module
$1 = 0
(gdb) print reg
$2 = 104
(gdb) del 1
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 2, write_rdram_regs (opaque=0x7fffcb9f0c08 <g_dev+59784200>, address=66584992, value=3416198152, mask=4294967295) at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rdram/rdram.c:217
217         masked_write(&rdram->regs[module][reg], value, mask);
(gdb) print module
$3 = 0
(gdb) print reg
$4 = 104
(gdb) del 2
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 3, write_dpc_regs (opaque=0x7fffcb9f0000 <g_dev+59781120>, address=68182628, value=4294967295, mask=4294967295) at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rdp/rdp_core.c:109
109         masked_write(&dp->dpc_regs[reg], value, mask);
(gdb) print reg
$5 = 6297
(gdb) del 3
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 4, write_dps_regs (opaque=0x7fffcb9f0000 <g_dev+59781120>, address=69225748, value=4294967295, mask=4294967295) at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rdp/rdp_core.c:139
139         masked_write(&dp->dps_regs[reg], value, mask);
(gdb) print reg
$6 = 4933
(gdb) del 4
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 5, write_vi_regs (opaque=0x7fffcb9f0a88 <g_dev+59783816>, address=71311992, value=4294967295, mask=4294967295) at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/vi/vi_controller.c:154
154         masked_write(&vi->regs[reg], value, mask);
(gdb) print reg
$7 = 2206
(gdb) del 5
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 6, write_ai_regs (opaque=0x7fffcb9f0938 <g_dev+59783480>, address=72355116, value=4294967295, mask=4294967295) at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/ai/ai_controller.c:219
219         masked_write(&ai->regs[reg], value, mask);
(gdb) print reg
$8 = 843
(gdb) del 6
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 7, write_pi_regs (opaque=0x7fffcb9f09b8 <g_dev+59783608>, address=73423680, value=4294967295, mask=4294967295) at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/pi/pi_controller.c:212
212         masked_write(&pi->regs[reg], value, mask);
(gdb) print reg
$9 = 5840
(gdb) del 7
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 8, write_ri_regs (opaque=0x7fffcb9f0a20 <g_dev+59783712>, address=74466800, value=4294967295, mask=4294967295) at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/ri/ri_controller.c:52
52          masked_write(&ri->regs[reg], value, mask);
(gdb) print reg
$10 = 4476
...
```

```
$ gdb --args Bin/Release/RMG /tmp/regs_issues.z64
GNU gdb (Ubuntu 13.1-2ubuntu2) 13.1
...
^C
...
(gdb) set breakpoint pending on
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rsp/rsp_core.c:274 if reg >= 8
(gdb) r
Starting program: /tmp/RMG/Bin/Release/RMG /tmp/regs_issues.z64
...
Thread 14 "Thread::Emulati" hit Breakpoint 1, write_rsp_regs (opaque=0x7fffcb9f08c8 <g_dev+59783368>, address=67393924, value=4294967295, mask=4294967295) at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rsp/rsp_core.c:274
274         masked_write(&sp->regs[reg], value, mask);
(gdb) print reg
$1 = 5729
```
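The handler shape behind the breakpoints above, as an added illustration that is not code from mupen64plus-core or from this report: a minimal register-file model with the address-to-`reg` decode, the unchecked write for contrast, and bounds-checked read/write handlers that drop the access and tell the caller. The struct and function names, the word-offset decode within a 64 KiB window, and the register counts (8 DPC registers, 8 RDRAM modules of 10 registers) are assumptions taken from the breakpoint conditions in the session, not from the project's source.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy register-file model constructed for this example; it is not
 * mupen64plus-core's code. Sizes follow the gdb breakpoint conditions. */
#define DPC_REGS_COUNT   8
#define RDRAM_MODULES    8
#define RDRAM_REGS_COUNT 10

struct dp_model {
    uint32_t dpc_regs[DPC_REGS_COUNT];
    uint32_t canary;   /* sits right after the array; an overrun clobbers it */
};

struct rdram_model {
    uint32_t regs[RDRAM_MODULES][RDRAM_REGS_COUNT];
};

/* Assumed decode: reg is the word offset inside the mapped 64 KiB window.
 * It reproduces the value in the report: 68182628 -> 6297. */
uint32_t dpc_reg_index(uint32_t address)
{
    return (address & 0xffffu) >> 2;
}

/* Read-modify-write of the masked bits only (masked_write semantics). */
void masked_write(uint32_t *dst, uint32_t value, uint32_t mask)
{
    *dst = (*dst & ~mask) | (value & mask);
}

/* Vulnerable shape: reg indexes the array with no range check, so an address
 * far past the register block writes outside dpc_regs. For contrast only;
 * nothing below calls it. */
void write_dpc_regs_unchecked(struct dp_model *dp, uint32_t address,
                              uint32_t value, uint32_t mask)
{
    uint32_t reg = dpc_reg_index(address);
    masked_write(&dp->dpc_regs[reg], value, mask);
}

/* Hardened shape: refuse out-of-range registers before touching memory and
 * report it, so the caller can log the access instead of corrupting state. */
bool write_dpc_regs_checked(struct dp_model *dp, uint32_t address,
                            uint32_t value, uint32_t mask)
{
    uint32_t reg = dpc_reg_index(address);
    if (reg >= DPC_REGS_COUNT)
        return false;
    masked_write(&dp->dpc_regs[reg], value, mask);
    return true;
}

bool read_dpc_regs_checked(const struct dp_model *dp, uint32_t address,
                           uint32_t *value)
{
    uint32_t reg = dpc_reg_index(address);
    if (reg >= DPC_REGS_COUNT) {
        *value = 0;   /* open-bus style default; use what the device specifies */
        return false;
    }
    *value = dp->dpc_regs[reg];
    return true;
}

/* Two-level index: check each dimension separately. The flattened test
 * module*10+reg < 80 used for the breakpoints catches the crash but still
 * lets module=0, reg=79 through, which silently aliases regs[7][9]. */
bool write_rdram_regs_checked(struct rdram_model *rdram, uint32_t module,
                              uint32_t reg, uint32_t value, uint32_t mask)
{
    if (module >= RDRAM_MODULES || reg >= RDRAM_REGS_COUNT)
        return false;
    masked_write(&rdram->regs[module][reg], value, mask);
    return true;
}

/* Replays two writes from the report (DPC address 68182628; RDRAM module 0,
 * reg 104) against the checked handlers: both must be dropped with the canary
 * intact, module 0 / reg 79 must be dropped too, and a valid write must land. */
bool replay_report_writes(void)
{
    struct dp_model dp;
    struct rdram_model rdram;
    memset(&dp, 0, sizeof dp);
    memset(&rdram, 0, sizeof rdram);
    dp.canary = 0xDEADBEEFu;
    bool dp_ok = !write_dpc_regs_checked(&dp, 68182628u, 0xffffffffu, 0xffffffffu)
                 && dp.canary == 0xDEADBEEFu;
    bool rd_ok = !write_rdram_regs_checked(&rdram, 0, 104, 0xffffffffu, 0xffffffffu)
                 && !write_rdram_regs_checked(&rdram, 0, 79, 1, 1)
                 && write_rdram_regs_checked(&rdram, 7, 9, 1, 1)
                 && rdram.regs[7][9] == 1;
    return dp_ok && rd_ok;
}

/* In-range round trip: masked write of the upper half-word to register 1
 * (address 0x04100004 under the assumed decode), then read it back. */
uint32_t roundtrip_valid_dpc_write(void)
{
    struct dp_model dp;
    uint32_t value = 0;
    memset(&dp, 0, sizeof dp);
    if (!write_dpc_regs_checked(&dp, 0x04100004u, 0x12345678u, 0xffff0000u))
        return 0;
    read_dpc_regs_checked(&dp, 0x04100004u, &value);
    return value;
}
```

The returned `bool` is the part worth keeping in a real fix: an emulator can count or log rejected register accesses, which turns a ROM that probes these windows into a visible event rather than silent memory corruption.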
Test platform
`CFLAGS += -O0 -g` (`-O0` and `-g` for better crash backtraces in Release build)