A while back, popular PS Vita scene developer TheFloW hinted in his H-ENcore write-up that he would be looking at the PS4 kernel next, and today he shared on Twitter some details of a PS4 kernel bug he discovered, stating that it is fixed somewhere between 5.05 and 6.20 OFW... with the PS4 Kernel Exploit 5.05 / 5.07 still being the last public jailbreak currently available.
PS4 kernel bug: sys_randomized_path could leak arbitrary amount of kernel stack:
Unfortunately fixed somewhere between 5.05 and 6.20.
Update: TheFloW said his bug is not exploitable:
Nvm this bug is not exploitable, as copyout will simply abort if dst+len wraps around or is higher than 0x8000000000000000. However, Sony did actually fix it by adding a max_len > 0 check, so I thought it could be abused.
From Pastebin.com:
Code:
char k_path[0x100];                       // kernel stack buffer that receives the path
int64_t max_len = fuword64(max_len_ptr);  // signed length read from user memory, never range-checked
if (path_len <= max_len) {
    copyout(k_path, out_path, path_len);  // normal case: copy the whole path
} else {
    // also reached when max_len <= 0 (e.g. 0, or 0x8000000000000000, which is negative as int64_t),
    // so max_len - 1 wraps to a huge length and copyout is asked to read far past k_path
    copyout(k_path, out_path, max_len - 1);
}
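To make the length arithmetic and the reason it cannot be abused concrete, here is a small stand-alone C model of the snippet above. It is an added example, not Sony's kernel code and not TheFloW's: the copyout range check is modelled from TheFloW's description (abort if dst+len wraps or exceeds 0x8000000000000000), the post-fix version models the max_len > 0 check he mentions, and the errno values, the user buffer address and the path length are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound of user space as stated in TheFloW's note: copyout aborts when
   dst+len wraps around or ends above 0x8000000000000000. */
#define USER_LIMIT 0x8000000000000000ULL

#define MODEL_EFAULT 14   /* assumed errno for a rejected copyout */
#define MODEL_EINVAL 22   /* assumed errno for the post-fix max_len check */

/* copyout's range check, modelled: reject if dst+len wraps or crosses USER_LIMIT.
   No bytes are moved; only the accept/reject decision is reproduced. */
int model_copyout(uint64_t dst, uint64_t len) {
    uint64_t end = dst + len;              /* unsigned add, so an overflow wraps */
    if (end < dst || end > USER_LIMIT)
        return MODEL_EFAULT;
    return 0;
}

/* Copy length computed by the pre-fix code: path_len when it fits, else max_len - 1.
   The comparison is signed (max_len is int64_t), so a zero or negative max_len takes
   the else branch and the subtraction wraps to a huge unsigned length. The subtraction
   is done on uint64_t here so the model itself has no signed-overflow UB. */
uint64_t prefix_copy_len(int64_t path_len, int64_t max_len) {
    if (path_len <= max_len)
        return (uint64_t)path_len;
    return (uint64_t)max_len - 1;
}

/* Pre-fix syscall tail: hands whatever length was computed straight to copyout. */
int prefix_syscall(uint64_t out_path, int64_t path_len, int64_t max_len) {
    return model_copyout(out_path, prefix_copy_len(path_len, max_len));
}

/* Post-fix tail: the max_len > 0 check Sony added, modelled as EINVAL. */
int fixed_syscall(uint64_t out_path, int64_t path_len, int64_t max_len) {
    if (max_len <= 0)
        return MODEL_EINVAL;
    return model_copyout(out_path, prefix_copy_len(path_len, max_len));
}

int main(void) {
    const uint64_t out_path = 0x200000000ULL;   /* hypothetical user buffer address */
    const int64_t path_len = 0x40;              /* hypothetical path length, below sizeof k_path */
    /* probes: two sane values, then the two that reach the wrapping subtraction
       (INT64_MIN is 0x8000000000000000, the value CelesteBlue's JS writes) */
    const int64_t probes[] = { 0x100, 0x10, 0, INT64_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint64_t len = prefix_copy_len(path_len, probes[i]);
        printf("max_len=%#llx -> copy len %#llx, pre-fix copyout=%d, post-fix=%d\n",
               (unsigned long long)probes[i], (unsigned long long)len,
               prefix_syscall(out_path, path_len, probes[i]),
               fixed_syscall(out_path, path_len, probes[i]));
    }
    return 0;
}
```

The two bad probes produce copy lengths of 0xFFFFFFFFFFFFFFFF and 0x7FFFFFFFFFFFFFFF, and in both cases the modelled copyout refuses because dst+len either wraps or lands above the user limit, which is exactly why the over-read never reaches user memory; the fixed variant rejects the same inputs one step earlier, before any length is computed.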
From Pastebin.com:
Code:
// <6.00 bug (not exploitable) found by TheFloW, JS adaptation by CelesteBlue, only useful for when we find an actual vulnerable syscall
// Assumes the usual PS4 WebKit exploit helpers: p.malloc / p.write8 / p.hexdump / p.syscall and an int64(low, high) type
var try_sys_randomized_path_leak = function() {
    var mem = p.malloc(0x1000000);                    // allocate the output buffer (out_path)
    alert(p.hexdump(mem, 0x500));                     // display zeroed buffer
    var len_pointer = p.malloc(0x08);                 // allocate the 8-byte max_len (max_len_ptr)
    p.write8(len_pointer, new int64(0, 2147483648));  // write length 0x8000000000000000 (low = 0, high = 0x80000000), negative as int64_t
    alert(p.hexdump(len_pointer, 8));                 // display length
    alert(p.syscall("sys_randomized_path", 0, mem, len_pointer)); // trigger bug; copyout aborts on this length, so expect an error
    alert(p.hexdump(mem, 0x500));                     // display buffer, would have been modified on success
};