Changes

→‎Non-system applications: might as well finally document this CGB trl vuln. may the 3DS VC escape become reality someday.
Line 234: Line 234:  
| June 12, 2022
 
| June 12, 2022
 
| [[User: Kartik|Kartik]]
 
| [[User: Kartik|Kartik]]
 +
|-
 +
| trl CGB emulator (GBC Virtual Console)
 +
| HDMA heap buffer overflow
 +
| trl's CGB emulation implements normal mode HDMA by a straight memcpy, failing to correctly bounds check the provided pointers/length. (hblank mode HDMA does perform proper bounds checks after each 0x10 byte memcpy)
 +
In addition, each area of memory (ROM, SRAM, VRAM, WRAM, SRAM, OAM, MMIO+HRAM) are allocated seperately, from the CTR-SDK heap.
 +
 +
Thus, doing HDMA to an area past the end of VRAM (VRAM bank 1 must be set here) would cause heap overflow. The maximum possible memcpy here would be 0x800 bytes to the end of VRAM less 0x10 bytes.
 +
 +
This is hard to exploit. The heap buffers get freed when choosing to close the game from the Home Menu, with the Home Menu holding the GPU. It may be possible to make calls to APT in ROP in this state to get Home Menu to release the GPU.
 +
 +
To exploit this, SM83 code execution inside the emulator would need to be obtained. This could be done by human-viable or remote (emulated link-cable) code execution exploits (for example Pokémon Yellow (non-JP)/Gold/Silver/Crystal); by crafting SRAM (where the game itself has a savegame exploit); or by crafting an emulator save-state (for games where save-states are enabled).
 +
 +
DMG (mono Game Boy) games are not exploitable; the bug is in CGB-specific functionality which is disabled in mono Game Boy games (determined by ROM header).
 +
| None
 +
| trl as included in Pokémon Crystal VC
 +
| January 2024
 +
| ~2017
 +
| [[User:Riley|Riley]]
 
|}
 
|}
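Review bot: in the description cell, the list of separately allocated regions names SRAM twice and the sentence has a typo and agreement error; suggest "each area of memory (ROM, SRAM, VRAM, WRAM, OAM, MMIO+HRAM) is allocated separately from the CTR-SDK heap". The sentence "The maximum possible memcpy here would be 0x800 bytes to the end of VRAM less 0x10 bytes" is ambiguous as written; since a 0x800-byte transfer whose destination is 0x10 bytes below the end of VRAM writes 0x7F0 bytes past the end of that allocation into the adjacent CTR-SDK heap, state the destination and the resulting overrun length explicitly, e.g. "the largest transfer is 0x800 bytes with the destination 0x10 bytes before the end of VRAM, overrunning the VRAM allocation by 0x7F0 bytes". The parenthetical "(VRAM bank 1 must be set here)" gives a requirement without its reason; add a clause saying why bank 1 is needed for the copy to leave the VRAM allocation rather than stay inside it, so readers can verify the precondition against the allocation layout described in the previous paragraph.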