Out-of-bounds read/write in *_regs functions

[269261]

Loading and executing attached regs_issues.z64 file (s3.zip) results in out-of-bounds read/write in the following locations, due to reg index value being too high:

• mupen64plus-core/src/device/rdram/rdram.c

  Line 176 in f500eb5

  *value = rdram->regs[module][reg];

• mupen64plus-core/src/device/rdram/rdram.c

  Line 217 in f500eb5

  masked_write(&rdram->regs[module][reg], value, mask);

• mupen64plus-core/src/device/rcp/rdp/rdp_core.c

  Line 109 in f500eb5

  masked_write(&dp->dpc_regs[reg], value, mask);

• mupen64plus-core/src/device/rcp/rdp/rdp_core.c

  Line 139 in f500eb5

  masked_write(&dp->dps_regs[reg], value, mask);

• mupen64plus-core/src/device/rcp/vi/vi_controller.c

  Line 154 in f500eb5

  masked_write(&vi->regs[reg], value, mask);

• mupen64plus-core/src/device/rcp/ai/ai_controller.c

  Line 219 in f500eb5

  masked_write(&ai->regs[reg], value, mask);

• mupen64plus-core/src/device/rcp/pi/pi_controller.c

  Line 212 in f500eb5

  masked_write(&pi->regs[reg], value, mask);

• mupen64plus-core/src/device/rcp/ri/ri_controller.c

  Line 52 in f500eb5

  masked_write(&ri->regs[reg], value, mask);

• mupen64plus-core/src/device/rcp/rsp/rsp_core.c

  Line 274 in f500eb5

  masked_write(&sp->regs[reg], value, mask);

Provided sample does not cause OOB access in the locations below, but manual analysis raises suspicion that the similar issue may exist there as well:

• mupen64plus-core/src/device/rdram/rdram.c

  Line 223 in f500eb5

  masked_write(&rdram->regs[module][reg], value, mask);

• mupen64plus-core/src/device/rcp/rdp/rdp_core.c

  Line 89 in f500eb5

  *value = dp->dpc_regs[reg];

• mupen64plus-core/src/device/rcp/rdp/rdp_core.c

  Line 131 in f500eb5

  *value = dp->dps_regs[reg];

• mupen64plus-core/src/device/rcp/vi/vi_controller.c

  Line 108 in f500eb5

  *value = vi->regs[reg];

• mupen64plus-core/src/device/rcp/ai/ai_controller.c

  Line 185 in f500eb5

  *value = ai->regs[reg];

• mupen64plus-core/src/device/rcp/pi/pi_controller.c

  Line 156 in f500eb5

  *value = pi->regs[reg];

• mupen64plus-core/src/device/rcp/ri/ri_controller.c

  Line 44 in f500eb5

  *value = ri->regs[reg];

• mupen64plus-core/src/device/rcp/mi/mi_controller.c

  Line 86 in f500eb5

  *value = mi->regs[reg];

• mupen64plus-core/src/device/rcp/rsp/rsp_core.c

  Line 252 in f500eb5

  *value = sp->regs[reg];

• mupen64plus-core/src/device/rcp/si/si_controller.c

  Line 126 in f500eb5

  *value = si->regs[reg];

One way to confirm the issue is to set conditional breakpoints in suspected lines in gdb before loading and executing provided ROM:

$ gdb --args Bin/Release/RMG /tmp/regs_issues.z64
GNU gdb (Ubuntu 13.1-2ubuntu2) 13.1
...

^C
...
(gdb) set breakpoint pending on
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rdram/rdram.c:176 if module*10+reg >= 80
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rdram/rdram.c:217 if module*10+reg >= 80
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rdp/rdp_core.c:109 if reg >= 8
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rdp/rdp_core.c:139 if reg >= 4
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/vi/vi_controller.c:154 if reg >= 14
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/ai/ai_controller.c:219 if reg >= 6
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/pi/pi_controller.c:212 if reg >= 13
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/ri/ri_controller.c:52 if reg >= 8
(gdb) r
Starting program: /tmp/RMG/Bin/Release/RMG /tmp/regs_issues.z64
...

Thread 14 "Thread::Emulati" hit Breakpoint 1, read_rdram_regs (opaque=0x7fffcb9f0c08 <g_dev+59784200>, address=66060704, value=0x7fffd23fa344)
    at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rdram/rdram.c:176
176	    *value = rdram->regs[module][reg];
(gdb) print module
$1 = 0
(gdb) print reg
$2 = 104
(gdb) del 1
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 2, write_rdram_regs (opaque=0x7fffcb9f0c08 <g_dev+59784200>, address=66584992, value=3416198152, mask=4294967295)
    at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rdram/rdram.c:217
217	            masked_write(&rdram->regs[module][reg], value, mask);
(gdb) print module
$3 = 0
(gdb) print reg
$4 = 104
(gdb) del 2
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 3, write_dpc_regs (opaque=0x7fffcb9f0000 <g_dev+59781120>, address=68182628, value=4294967295, mask=4294967295)
    at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rdp/rdp_core.c:109
109	    masked_write(&dp->dpc_regs[reg], value, mask);
(gdb) print reg
$5 = 6297
(gdb) del 3
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 4, write_dps_regs (opaque=0x7fffcb9f0000 <g_dev+59781120>, address=69225748, value=4294967295, mask=4294967295)
    at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rdp/rdp_core.c:139
139	    masked_write(&dp->dps_regs[reg], value, mask);
(gdb) print reg
$6 = 4933
(gdb) del 4
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 5, write_vi_regs (opaque=0x7fffcb9f0a88 <g_dev+59783816>, address=71311992, value=4294967295, mask=4294967295)
    at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/vi/vi_controller.c:154
154	    masked_write(&vi->regs[reg], value, mask);
(gdb) print reg
$7 = 2206
(gdb) del 5
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 6, write_ai_regs (opaque=0x7fffcb9f0938 <g_dev+59783480>, address=72355116, value=4294967295, mask=4294967295)
    at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/ai/ai_controller.c:219
219	    masked_write(&ai->regs[reg], value, mask);
(gdb) print reg
$8 = 843
(gdb) del 6
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 7, write_pi_regs (opaque=0x7fffcb9f09b8 <g_dev+59783608>, address=73423680, value=4294967295, mask=4294967295)
    at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/pi/pi_controller.c:212
212	    masked_write(&pi->regs[reg], value, mask);
(gdb) print reg
$9 = 5840
(gdb) del 7
(gdb) c
Continuing.

Thread 14 "Thread::Emulati" hit Breakpoint 8, write_ri_regs (opaque=0x7fffcb9f0a20 <g_dev+59783712>, address=74466800, value=4294967295, mask=4294967295)
    at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/ri/ri_controller.c:52
52	    masked_write(&ri->regs[reg], value, mask);
(gdb) print reg
$10 = 4476

...

$ gdb --args Bin/Release/RMG /tmp/regs_issues.z64
GNU gdb (Ubuntu 13.1-2ubuntu2) 13.1
...

^C
...
(gdb) set breakpoint pending on
(gdb) b /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rsp/rsp_core.c:274 if reg >= 8
(gdb) r
Starting program: /tmp/RMG/Bin/Release/RMG /tmp/regs_issues.z64
...

Thread 14 "Thread::Emulati" hit Breakpoint 1, write_rsp_regs (opaque=0x7fffcb9f08c8 <g_dev+59783368>, address=67393924, value=4294967295, mask=4294967295)
    at /tmp/RMG/Source/3rdParty/mupen64plus-core/src/device/rcp/rsp/rsp_core.c:274
274	    masked_write(&sp->regs[reg], value, mask);
(gdb) print reg
$1 = 5729

Test platform

• Ubuntu 23.04 (x86-64)
• RMG emulator (https://github.com/Rosalie241/RMG)
  • built from master branch
  • Release build, x86-64
  • custom flags added to mupen64plus-core Makefile:
    • CFLAGS += -O0 -g
    • -O0 and -g for better crash backtraces in Release build
• gdb 13.1 for debugging