A PS2 emulator escape that can be exploited on PS4/PS5. In the previous binary episode we covered part 2, a stack overflow in Okage: Shadow King; chaining that with this out-of-bounds (OOB) write in the emulator gives full userland code execution.

As part of its duties, the PS2 emulator has to simulate Memory Mapped I/O (MMIO) for various devices, such as the DVD device. The registers that are particularly relevant here are the SCMD_STATUS registers. When writing to SCMD_STATUS, the fake DVD device updates a global status buffer with the written value and tracks the current position via gSStatusIndex. There is only room for 16 entries, though, and no bounds check ensures that at most 16 entries are written, giving a linear out-of-bounds write.

They then use this weaker primitive to escalate by smashing the gNStatusIndex global, which, when the NCMD_STATUS register is written to, gives the attacker a relative 1-byte write to escape the emulator.
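The root cause above is an emulated register handler that stores into a fixed 16-entry buffer using an index it never validates. The following C is an added example written for this page, not code from the PS2 emulator or from the researchers: it models the SCMD_STATUS status buffer with a constructed struct (the field names `sstatus`, `sstatus_index` and `neighbour_global` and the memory layout are assumptions, with `neighbour_global` standing in for whatever global follows the buffer in the real binary) and shows the handler with the bounds check the original lacked. The check runs before the store, so once 16 entries are in place further writes are dropped and the index stops at 16; the real emulator's reset behaviour is not described on the page, so none is modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the emulated DVD device state (layout assumed; the
 * page only names the globals). neighbour_global plays the role of any
 * global that happens to sit after the status buffer in memory. */
#define SSTATUS_ENTRIES 16

struct dvd_state {
    uint8_t  sstatus[SSTATUS_ENTRIES]; /* the 16-entry status buffer       */
    uint32_t sstatus_index;            /* models gSStatusIndex             */
    uint32_t neighbour_global;         /* whatever follows the buffer      */
};

/* Hardened SCMD_STATUS write handler. The vulnerable shape is simply
 * "buf[index++] = value" with no check, which walks off the end of the
 * buffer at the 17th write. Here the index is validated before the store,
 * so a full buffer drops the write and the index never exceeds 16.
 * Returns true when the value was stored. Refusing the write is one
 * reasonable policy; wrapping the index modulo 16 is another, provided the
 * check still happens before the store. */
bool scmd_status_write(struct dvd_state *s, uint8_t value)
{
    if (s->sstatus_index >= SSTATUS_ENTRIES)
        return false;                    /* full: drop, do not spill */
    s->sstatus[s->sstatus_index] = value;
    s->sstatus_index++;
    return true;
}

/* Drive n register writes through the hardened handler on a fresh device
 * and report how many were accepted (at most 16). */
int accepted_writes(int n)
{
    struct dvd_state s;
    memset(&s, 0, sizeof s);
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (scmd_status_write(&s, (uint8_t)(0xA0 + i)))
            accepted++;
    return accepted;
}

/* After n writes, is the global that follows the buffer still untouched and
 * the index still within range? With the check in place this holds for
 * any n; without it, writes 17 onward would land on the neighbour. */
bool neighbour_intact_after(int n)
{
    struct dvd_state s;
    memset(&s, 0, sizeof s);
    s.neighbour_global = 0xDEADBEEF;     /* constructed sentinel value */
    for (int i = 0; i < n; i++)
        scmd_status_write(&s, (uint8_t)i);
    return s.neighbour_global == 0xDEADBEEF
        && s.sstatus_index <= SSTATUS_ENTRIES;
}

int main(void)
{
    printf("accepted after 40 writes: %d\n", accepted_writes(40));
    printf("neighbour intact after 40 writes: %s\n",
           neighbour_intact_after(40) ? "yes" : "no");
    return 0;
}
```

When auditing an emulator's MMIO layer, the pattern to look for is exactly this one: a global index incremented on every register write and used as an array subscript, with the only reset path being some other command the guest may never issue.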