[PlayStation] Remote kernel heap overflow ($10000 USD)

We discussed this vulnerability during Episode 146 on 17 May 2022

Heap overflow in the mbuf zone of the PPPoE driver, which the PS4/PS5 borrow from NetBSD. The issue is that pppoe_send_padr() can calculate a packet length that exceeds MCLBYTES (2048 bytes). When an mbuf cluster is allocated to hold this packet data via pppoe_get_mbuf(), a length exceeding MHLEN (256) causes it to allocate a cluster of MCLBYTES length, and there is no larger size to fall back to. While it is not possible to send a packet larger than MCLBYTES in one go, you can send two packets whose tags get combined into the PADR. In this case, the researchers used an ACCOOKIE tag and a RELAYSID tag of 1400 bytes each, which combined to writing 2800 bytes into a 2048-byte mbuf cluster.
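To make the arithmetic concrete, the following is an added illustration (not code from the write-up or from NetBSD) that models the PADR length computation described above. The constants are the values the summary states (MHLEN 256, MCLBYTES 2048); the `struct padr_state` fields, the 8-byte Host-Uniq size and the function names are assumptions chosen for the model. It generalises the single case in the text by computing, for any pair of echoed tag lengths, how far the frame would run past the cluster, and shows the bounds check a defender would want before the allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Sizes modelled on the mbuf layout as the write-up describes it. */
#define MHLEN            256   /* data room in a header mbuf */
#define MCLBYTES         2048  /* size of one mbuf cluster, the largest buffer available */
#define ETHER_HDR_LEN    14
#define PPPOE_HEADERLEN  6
#define PPPOE_TAG_HDRLEN 4     /* 2-byte tag type + 2-byte tag length */
#define HOST_UNIQ_LEN    8     /* assumption: pointer-sized Host-Uniq on a 64-bit kernel */

/* Hypothetical model of the per-session state the PADR sender reads.
 * ac_cookie_len and relay_sid_len are whatever the peer supplied earlier. */
struct padr_state {
    size_t service_name_len;
    size_t ac_cookie_len;
    size_t relay_sid_len;
};

/* PADR body length: Service-Name and Host-Uniq tags are always present,
 * AC-Cookie and Relay-Session-Id are echoed only when the peer sent them. */
size_t padr_payload_len(const struct padr_state *st)
{
    size_t len = PPPOE_TAG_HDRLEN + st->service_name_len;
    len += PPPOE_TAG_HDRLEN + HOST_UNIQ_LEN;
    if (st->ac_cookie_len > 0)
        len += PPPOE_TAG_HDRLEN + st->ac_cookie_len;
    if (st->relay_sid_len > 0)
        len += PPPOE_TAG_HDRLEN + st->relay_sid_len;
    return len;
}

/* Bytes backing the buffer the allocator hands back for a given PPPoE
 * length: a header mbuf when the frame is small, otherwise one cluster.
 * The capacity never grows beyond MCLBYTES, which is the root cause. */
size_t mbuf_capacity(size_t pppoe_len)
{
    return (pppoe_len + ETHER_HDR_LEN > MHLEN) ? MCLBYTES : MHLEN;
}

/* Unchecked behaviour: how many bytes the copy would run past the end of
 * the allocated buffer. 0 means the frame fits. */
size_t overflow_bytes(const struct padr_state *st)
{
    size_t pppoe_len = padr_payload_len(st) + PPPOE_HEADERLEN;
    size_t need = pppoe_len + ETHER_HDR_LEN;
    size_t cap  = mbuf_capacity(pppoe_len);
    return need > cap ? need - cap : 0;
}

/* Hardened check: refuse to build the PADR when the Ethernet frame cannot
 * fit in a single cluster, instead of trusting the sum of peer-controlled
 * tag lengths. A caller would return ENOBUFS/EMSGSIZE when this is false. */
bool padr_fits(const struct padr_state *st)
{
    return padr_payload_len(st) + PPPOE_HEADERLEN + ETHER_HDR_LEN <= MCLBYTES;
}

int main(void)
{
    /* Constructed inputs: the two 1400-byte tags from the write-up. */
    struct padr_state both = { .service_name_len = 0,
                               .ac_cookie_len = 1400,
                               .relay_sid_len = 1400 };
    struct padr_state one  = { .service_name_len = 0,
                               .ac_cookie_len = 1400,
                               .relay_sid_len = 0 };

    printf("cookie+relaysid: payload=%zu overrun=%zu fits=%d\n",
           padr_payload_len(&both), overflow_bytes(&both), padr_fits(&both));
    printf("cookie only:     payload=%zu overrun=%zu fits=%d\n",
           padr_payload_len(&one), overflow_bytes(&one), padr_fits(&one));
    return 0;
}
```

With one 1400-byte tag the frame fits in the cluster; with both tags echoed, the 2824-byte payload plus headers overruns the 2048-byte cluster by several hundred bytes, which is exactly what `padr_fits()` rejects.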