drashna/ryujinx
1
0
Fork 0
Code Activity Actions

Fix memory corruption in BCAT and FS Read methods when buffer is larger than needed (#3739)

Browse source 
* Fix memory corruption in FS Read methods when buffer is larger than needed

* PR feedback

* nit: Don't move this around
This commit is contained in:
gdkchan 2022-10-04 20:12:54 -03:00 committed by GitHub
parent 2068445939
commit 60e16c15b6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 69 additions and 79 deletions
Download patch file Download diff file Expand all files Collapse all files

14
Ryujinx.HLE/HOS/Services/Fs/FileSystemProxy/IDirectory.cs
View file

@ -17,17 +17,17 @@ namespace Ryujinx.HLE.HOS.Services.Fs.FileSystemProxy
// Read() -> (u64 count, buffer<nn::fssrv::sf::IDirectoryEntry, 6, 0> entries)
public ResultCode Read(ServiceCtx context)
{
ulong bufferPosition = context.Request.ReceiveBuff[0].Position;
ulong bufferAddress = context.Request.ReceiveBuff[0].Position;
ulong bufferLen = context.Request.ReceiveBuff[0].Size;
byte[] entryBuffer = new byte[bufferLen];
using (var region = context.Memory.GetWritableRegion(bufferAddress, (int)bufferLen, true))
{
Result result = _baseDirectory.Get.Read(out long entriesRead, new OutBuffer(region.Memory.Span));
Result result = _baseDirectory.Get.Read(out long entriesRead, new OutBuffer(entryBuffer));
context.ResponseData.Write(entriesRead);
context.Memory.Write(bufferPosition, entryBuffer);
context.ResponseData.Write(entriesRead);
return (ResultCode)result.Value;
return (ResultCode)result.Value;
}
}
[CommandHipc(1)]

16
Ryujinx.HLE/HOS/Services/Fs/FileSystemProxy/IFile.cs
View file

@ -19,7 +19,8 @@ namespace Ryujinx.HLE.HOS.Services.Fs.FileSystemProxy
// Read(u32 readOption, u64 offset, u64 size) -> (u64 out_size, buffer<u8, 0x46, 0> out_buf)
public ResultCode Read(ServiceCtx context)
{
ulong position = context.Request.ReceiveBuff[0].Position;
ulong bufferAddress = context.Request.ReceiveBuff[0].Position;
ulong bufferLen = context.Request.ReceiveBuff[0].Size;
ReadOption readOption = context.RequestData.ReadStruct<ReadOption>();
context.RequestData.BaseStream.Position += 4;
@ -27,15 +28,14 @@ namespace Ryujinx.HLE.HOS.Services.Fs.FileSystemProxy
long offset = context.RequestData.ReadInt64();
long size = context.RequestData.ReadInt64();
byte[] data = new byte[context.Request.ReceiveBuff[0].Size];
using (var region = context.Memory.GetWritableRegion(bufferAddress, (int)bufferLen, true))
{
Result result = _baseFile.Get.Read(out long bytesRead, offset, new OutBuffer(region.Memory.Span), size, readOption);
Result result = _baseFile.Get.Read(out long bytesRead, offset, new OutBuffer(data), size, readOption);
context.ResponseData.Write(bytesRead);
context.Memory.Write(position, data);
context.ResponseData.Write(bytesRead);
return (ResultCode)result.Value;
return (ResultCode)result.Value;
}
}
[CommandHipc(1)]

8
Ryujinx.HLE/HOS/Services/Fs/FileSystemProxy/IFileSystem.cs
View file

@ -197,13 +197,7 @@ namespace Ryujinx.HLE.HOS.Services.Fs.FileSystemProxy
context.ResponseData.Write(timestamp.Created);
context.ResponseData.Write(timestamp.Modified);
context.ResponseData.Write(timestamp.Accessed);
byte[] data = new byte[8];
// is valid?
data[0] = 1;
context.ResponseData.Write(data);
context.ResponseData.Write(1L); // Is valid?
return (ResultCode)result.Value;
}

18
Ryujinx.HLE/HOS/Services/Fs/FileSystemProxy/IStorage.cs
View file

@ -23,21 +23,21 @@ namespace Ryujinx.HLE.HOS.Services.Fs.FileSystemProxy
if (context.Request.ReceiveBuff.Count > 0)
{
IpcBuffDesc buffDesc = context.Request.ReceiveBuff[0];
ulong bufferAddress = context.Request.ReceiveBuff[0].Position;
ulong bufferLen = context.Request.ReceiveBuff[0].Size;
// Use smaller length to avoid overflows.
if (size > buffDesc.Size)
if (size > bufferLen)
{
size = buffDesc.Size;
size = bufferLen;
}
byte[] data = new byte[size];
using (var region = context.Memory.GetWritableRegion(bufferAddress, (int)bufferLen, true))
{
Result result = _baseStorage.Get.Read((long)offset, new OutBuffer(region.Memory.Span), (long)size);
Result result = _baseStorage.Get.Read((long)offset, new OutBuffer(data), (long)size);
context.Memory.Write(buffDesc.Position, data);
return (ResultCode)result.Value;
return (ResultCode)result.Value;
}
}
return ResultCode.Success;