[PlayStation] Remote kernel heap overflow ($10000 USD)
Original Post:
We discussed this vulnerability during Episode 146 on 17 May 2022
Heap overflow in the mbuf zone of the PPPoE driver, which the PS4/PS5 borrow from NetBSD. The issue is that pppoe_send_padr() can calculate a packet length that exceeds MCLBYTES (2048 bytes). When an mbuf cluster is allocated to hold this packet data via pppoe_get_mbuf(), if the length exceeds MHLEN (256), it'll allocate a cluster of MCLBYTES length. While it's not possible to send a packet larger than MCLBYTES in one go, you can send two packets that will get combined. In this case, the researchers used the ACCOOKIE tag and the RELAYSID tag of 1400 bytes each, which combined to writing 2800 bytes into a 2048-byte mbuf cluster.
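The length arithmetic behind the bug, as an added model written for this summary rather than code from NetBSD or from the researchers: it computes the PADR size from the tag lengths the way the paragraph describes, shows the mbuf sizing rule (MHLEN header space, otherwise one MCLBYTES cluster) that the unchecked length is written into, and places a bounds check beside it that rejects any PADR that cannot fit a single cluster. The struct pppoe_model and all function names are hypothetical; the 6-byte PPPoE header and 4-byte tag header sizes come from RFC 2516, and the model ignores the Service-Name tag and the packet-combining step, so it only captures the final length check.

```c
#include <stdbool.h>
#include <stddef.h>

/* Sizes as stated on the page (NetBSD mbuf constants). */
#define MHLEN    256
#define MCLBYTES 2048

/* PPPoE discovery header (6 bytes) and per-tag type+length header (4 bytes), RFC 2516. */
#define PPPOE_HEADERLEN 6
#define PPPOE_TAGLEN    4

/* Hypothetical stand-in for the per-interface state pppoe_send_padr() reads:
   the AC-Cookie and Relay-Session-Id tags remembered from the received PADO. */
struct pppoe_model {
    size_t ac_cookie_len;  /* 0 when no AC-Cookie tag was received */
    size_t relay_sid_len;  /* 0 when no Relay-Session-Id tag was received */
};

/* PADR length as the paragraph describes it being computed: fixed header plus
   one tag for each echoed value. Nothing here bounds the result. */
size_t padr_length(const struct pppoe_model *sc)
{
    size_t len = PPPOE_HEADERLEN;
    if (sc->ac_cookie_len)
        len += PPPOE_TAGLEN + sc->ac_cookie_len;
    if (sc->relay_sid_len)
        len += PPPOE_TAGLEN + sc->relay_sid_len;
    return len;
}

/* Usable bytes a pppoe_get_mbuf()-style allocation yields for a requested length:
   an mbuf header holds MHLEN bytes, anything larger gets exactly one MCLBYTES
   cluster. Model of the behaviour described on the page, not NetBSD's code. */
size_t mbuf_capacity_for(size_t len)
{
    return len <= MHLEN ? MHLEN : MCLBYTES;
}

/* Unchecked behaviour: true when the computed PADR length exceeds the buffer
   the allocation rule hands back, i.e. the copy would run past the cluster. */
bool padr_overflows_cluster(const struct pppoe_model *sc)
{
    size_t len = padr_length(sc);
    return len > mbuf_capacity_for(len);
}

/* Hardened form (an assumed check, not taken from any vendor fix): refuse to
   build a PADR that cannot fit one cluster. Returns the length to allocate,
   or 0 to tell the caller to abandon this discovery attempt. */
size_t padr_length_checked(const struct pppoe_model *sc)
{
    size_t len = padr_length(sc);
    if (len > MCLBYTES)
        return 0;
    return len;
}
```

With the two 1400-byte tags from the write-up, padr_length() comes out at 2814 bytes (2800 of tag data plus headers) against a 2048-byte cluster, so padr_overflows_cluster() reports the overflow and padr_length_checked() returns 0; a PADR with, say, a 1000-byte cookie and no relay id is over MHLEN but fits the cluster and passes both.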