Following his PS5 Kernel Exploit Vulnerability disclosure yesterday, theflow0 took to Twitter again today as his earlier exFAT vulnerability, affecting both PS4 (pOOBs4 9.00 Jailbreak) and PlayStation 5 consoles, was finally disclosed on HackerOne.com.
Earlier, TheOfficialFloW also confirmed that more information on the PS5 kernel exploit will be revealed at 17:15 (5:15 PM) on Saturday, October 15th, during Hexacon 2022.
Here's what the HackerOne Report states for those in the PlayStation 5 Scene (PS5 Jailbreak Status), to quote:
size_t-to-int vulnerability in exFAT leads to memory corruption via malformed USB flash drives
Summary
A heap-based buffer overflow can be triggered by a malformed exFAT USB flash drive.
Vulnerability
The vulnerability is in Sony's exFAT implementation where there is an integer truncation from 64-bit to 32-bit on a size variable that is used to allocate the up-case table:
Code:
    int UVFAT_readupcasetable(void *unused, void *fileSystem) {
        ...
        // dataLength comes from the up-case table entry on the (malformed) drive; 64-bit
        size_t dataLength = *(size_t *)(upcaseEntry + 24);
        // round dataLength up to a whole number of sectors; still 64-bit here
        size_t size = sectorSize + dataLength - 1;
        size = size - size % sectorSize;
        // size is passed to a 32-bit int parameter, so its upper 32 bits are dropped
        uint8_t *data = sceFatfsCreateHeapVl(0, size);
        ...
        while (1) {
            ...
            // each iteration writes one sector into the (possibly undersized) buffer
            UVFAT_ReadDevice(fileSystem, offset, sectorSize, data);
            ...
            data += sectorSize;
            ...
        }
    }
Namely, dataLength and size are both 64-bit wide; however, the size argument of sceFatfsCreateHeapVl() is 32-bit wide:
Code:
    void *sceFatfsCreateHeapVl(void *unused, int size) {
        // size_t -> int: a value such as 0x100000200 arrives here as 0x200
        return malloc(size, M_EXFATFSPATH, M_WAITOK | M_ZERO);
    }
When using a big size for dataLength, this function will therefore only allocate a small buffer and, as a result, overflow and corrupt subsequent objects on the heap when calling UVFAT_ReadDevice().
For example, using sectorSize=0x200 and dataLength=0x100000200 we have:
Code:
    size = (sectorSize + dataLength - 1) - (sectorSize + dataLength - 1) % sectorSize;
    <=> size = (0x200 + 0x100000200 - 1) - (0x200 + 0x100000200 - 1) % 0x200;
    <=> size = 0x1000003FF - 0x1FF;
    <=> size = 0x100000200;
When passing this size to sceFatfsCreateHeapVl(), the leading 1 is cut off to 0x200.
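To make the truncation concrete, here is an added C example (not code from the report, from Sony's implementation, or from theflow0) that reproduces the sector rounding and the 64-to-32-bit narrowing with the report's values, computes how far the sector loop would write past the allocation that was really made, and puts a validation check in front of the allocation, which is the fix a defender would want. The function names, the 128 KiB cap and the benign dataLength used in main() are assumptions of the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical maximum we are willing to allocate for an up-case table.
 * This limit is an assumption of the example, not a value from the report. */
#define UPCASE_TABLE_MAX_BYTES (128u * 1024u)

/* Same rounding as the quoted UVFAT_readupcasetable(): round dataLength up
 * to a whole number of sectors. uint64_t stands in for size_t on the 64-bit
 * target so the arithmetic is identical on any host. */
uint64_t upcase_alloc_size(uint64_t sectorSize, uint64_t dataLength) {
    uint64_t size = sectorSize + dataLength - 1;
    return size - size % sectorSize;
}

/* What the allocator actually receives: the 64-bit size is narrowed to the
 * 32-bit int parameter of sceFatfsCreateHeapVl(), keeping only the low 32
 * bits (on the two's-complement target the int conversion wraps the same way). */
uint32_t narrowed_alloc_size(uint64_t size) {
    return (uint32_t)size;
}

/* Bytes the sector loop would write past the buffer that was really allocated. */
uint64_t overflow_bytes(uint64_t sectorSize, uint64_t dataLength) {
    uint64_t wanted = upcase_alloc_size(sectorSize, dataLength);
    return wanted - narrowed_alloc_size(wanted);
}

/* Hardened variant (added here, not from the report): validate the on-disk
 * length before any allocation so the rounded size can never be narrowed.
 * Returns false and leaves *out untouched on rejection. */
bool upcase_size_is_safe(uint64_t sectorSize, uint64_t dataLength, uint64_t *out) {
    if (sectorSize == 0 || dataLength == 0) {
        return false;                         /* nonsense geometry or empty table */
    }
    if (dataLength > UINT64_MAX - sectorSize) {
        return false;                         /* the rounding itself would wrap */
    }
    uint64_t size = upcase_alloc_size(sectorSize, dataLength);
    if (size > (uint64_t)INT_MAX) {
        return false;                         /* would not survive the int parameter */
    }
    if (size > UPCASE_TABLE_MAX_BYTES) {
        return false;                         /* larger than any legitimate table */
    }
    *out = size;
    return true;
}

int main(void) {
    const uint64_t sectorSize = 0x200;
    const uint64_t bad = 0x100000200ULL;      /* dataLength from the report */
    const uint64_t good = 0x1001;             /* constructed benign length */
    uint64_t ok_size = 0;

    printf("malformed: rounded=0x%llx allocated=0x%x overflow=0x%llx bytes\n",
           (unsigned long long)upcase_alloc_size(sectorSize, bad),
           narrowed_alloc_size(upcase_alloc_size(sectorSize, bad)),
           (unsigned long long)overflow_bytes(sectorSize, bad));
    printf("malformed accepted by hardened check: %s\n",
           upcase_size_is_safe(sectorSize, bad, &ok_size) ? "yes" : "no");
    printf("benign 0x%llx accepted: %s (rounded to 0x%llx)\n",
           (unsigned long long)good,
           upcase_size_is_safe(sectorSize, good, &ok_size) ? "yes" : "no",
           (unsigned long long)ok_size);
    return 0;
}
```

With the report's values the rounded size is 0x100000200, the allocator sees 0x200, and the loop would write 0x100000000 bytes beyond the buffer; the hardened check rejects that length before anything is allocated while still accepting an ordinary table (0x1001 rounds up to 0x1200). The check on INT_MAX is the one that closes this specific bug; the size cap is defence in depth against other oversized on-disk lengths.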
Exploitation
This vulnerability allows us to allocate any buffer on the heap with size >= 512 and multiple of 512, and allows us to overflow by a multiple of 512. There are interesting objects that one could spray on the heap such as struct usb_endpoint which contain interesting pointers that one could corrupt.
Impact
Jailbreak the PS4/PS5 by plugging in the USB and directly getting kernel code execution.
