mupen64plus / mupen64plus-core

Core module of the Mupen64Plus project

Fix buffer overflow in RSP DMA - SECURITY CONCERN #1081

Status: Closed (closed by bkimmett 4 months ago)

bkimmett commented 4 months ago

Recently, ParaLLeL launcher has fixed a bug in its version of its RSP code that allowed N64 code to potentially escape the emulator and perform ACE on the user's computer (see https://www.twitch.tv/videos/2147408942?t=12257s for an example of this escape in action).

The fix is here: https://gitlab.com/parallel-launcher/parallel-n64/-/commit/fa9e2e08b0c6cde117cb05cc071cdb74a9e90ad2#06a9a5c035040370b6d9d811526d9586179b3176

The equivalent code in the Mupen core, https://github.com/mupen64plus/mupen64plus-core/blob/fe284b142e957e92a51726d6000e987753c0d4c8/src/device/rcp/rsp/rsp_core.c#L59 and https://github.com/mupen64plus/mupen64plus-core/blob/fe284b142e957e92a51726d6000e987753c0d4c8/src/device/rcp/rsp/rsp_core.c#L78, appears to also be vulnerable to this.

I strongly recommend fixing this as soon as possible.

Rosalie241 commented 4 months ago

Has it been confirmed that the exploit can be reproduced in mupen64plus-core? ParaLLEl launcher uses an extremely outdated version of mupen64plus-core.

bkimmett commented 4 months ago

It has not been confirmed (or disproven), but the same exploit has been demonstrated in Bizhawk:

https://tasvideos.org/8982S

I did read the DMA routines of each version of the mupen core code before submitting issue tickets, and I believe the invalid pattern is writing to dram/spmem in an unbounded manner, which is present in most versions of the Mupen64 core at the moment.

bkimmett commented 4 months ago

Also: As far as I know, in the video I showed above, I think the streamer was running RetroArch, and that's how the ParaLLeL launcher code got in there. But I'm not sure.

bkimmett commented 4 months ago

Update: I've spoken to the creator of the original exploit. It appears to be caused by writing to dram at 0x800000 or above, as this is beyond the size of dram.

richard42 commented 4 months ago

fixed in 5340dafc

mpharoah commented 4 months ago

Note that there are other locations in mupen where other types of DMAs lack proper bounds checks.

The files are moved around in this version of mupen as compared to paralleln64, but the exploits still exist. Here's the fix for them for paralleln64. (Note that in this fix, I made no attempt to see what the correct N64 behaviour is, and rather just chose whatever was convenient to patch the vulnerability, with the intention to improve its accuracy later as a low priority fix): https://gitlab.com/parallel-launcher/parallel-n64/-/compare/47695b1e934d07b1aa790280502861b59eee3009...63b4245ba0fef5b5a4298b61a917eafc374720c4?from_project_id=34649479&straight=false
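The thread's point is that the RSP DMA copy takes guest-controlled addresses and lengths without checking them against the size of the host buffers, so a DRAM address of 0x800000 or above runs off the end of emulated RDRAM. The following is an added example, not mupen64plus-core's or parallel-n64's own code: a small model of an RSP read DMA with the bounds check that the fix adds, applied to both the RDRAM source and the SP memory destination. The buffer sizes (8 MiB RDRAM, 8 KiB SP memory) and the function names are assumptions made for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

#define DRAM_SIZE   0x800000u  /* assumed: 8 MiB RDRAM, the 0x800000 limit named in the thread */
#define SP_MEM_SIZE 0x2000u    /* assumed: 4 KiB DMEM + 4 KiB IMEM */

enum dma_status { DMA_OK = 0, DMA_REJECTED = 1 };

/* Copy `length` bytes from dram[dram_addr] into spmem[sp_addr] (an RSP "read" DMA).
 * The unchecked pattern the issue describes computes both pointers and copies with
 * no range test, so a guest-chosen dram_addr >= DRAM_SIZE reads or writes outside
 * the emulator's host allocation. Here the whole transfer is validated first and
 * rejected without a partial copy if either end falls outside its buffer. */
enum dma_status rsp_dma_read(uint8_t *spmem, uint32_t sp_addr,
                             const uint8_t *dram, uint32_t dram_addr,
                             uint32_t length)
{
    /* 64-bit arithmetic so that addr + length cannot wrap around in 32 bits. */
    uint64_t dram_end = (uint64_t)dram_addr + length;
    uint64_t sp_end   = (uint64_t)sp_addr + length;
    if (length == 0 || dram_end > DRAM_SIZE || sp_end > SP_MEM_SIZE)
        return DMA_REJECTED;
    memcpy(spmem + sp_addr, dram + dram_addr, length);
    return DMA_OK;
}

/* Driver: allocate the model memories, fill a region of RDRAM with a constructed
 * pattern, then issue one valid DMA and three out-of-range ones. Returns how many
 * transfers the guard rejected (expected 3), or -1 on allocation failure. */
int run_dma_demo(void)
{
    uint8_t *dram  = calloc(DRAM_SIZE, 1);
    uint8_t *spmem = calloc(SP_MEM_SIZE, 1);
    int rejected = 0;
    if (!dram || !spmem) { free(dram); free(spmem); return -1; }
    for (uint32_t i = 0; i < 64; i++) dram[0x1000 + i] = (uint8_t)i;
    if (rsp_dma_read(spmem, 0x100, dram, 0x1000, 64) == DMA_REJECTED) rejected++;
    /* dram_addr of exactly 0x800000: first byte past the end of RDRAM. */
    if (rsp_dma_read(spmem, 0x100, dram, DRAM_SIZE, 64) == DMA_REJECTED) rejected++;
    /* addr + length wraps past 32 bits; a 32-bit end check would pass this. */
    if (rsp_dma_read(spmem, 0x100, dram, 0xFFFFFFF0u, 0x20) == DMA_REJECTED) rejected++;
    /* Destination runs off the end of SP memory. */
    if (rsp_dma_read(spmem, SP_MEM_SIZE - 16, dram, 0x1000, 64) == DMA_REJECTED) rejected++;
    free(dram); free(spmem);
    return rejected;
}
```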