Summary
The HEVC decoder used in PlayStation Portal's Remote Play does not validate the number of elements copied into a fixed-size array. This results in an out-of-bounds write on the stack and may lead to RCE. In addition to this buffer overflow, gaps in PlayStation Portal's patching leave it vulnerable to CVE-2023-33106.
Severity
Moderate - An attacker who can trigger this buffer overflow, via a crafted HEVC bitstream, can modify the PlayStation Portal to run arbitrary code. This affects the PlayStation Portal and all other Remote Play clients: iOS, Android, Windows and macOS.
Details
The HEVC decoder used in Remote Play does not range-check num_long_term_ref_pics_sps, which it then uses as the element count for the lt_ref_pic_poc_lsb_sps and used_by_curr_pic_lt_sps_flag arrays. The HEVC specification (7.4.3.2.1) limits num_long_term_ref_pics_sps to the range 0..32, and the decoder's arrays are sized to match (in the decompiled code below, lt_ref_pic_poc_lsb_sps at this + 0xE8 and used_by_curr_pic_lt_sps_flag at this + 0x168 are 0x80 bytes apart, room for 32 four-byte entries), but the value is read from the bitstream as an Exp-Golomb ue(v) code and used directly as the loop bound:
    v80 = consume_bits((int)v2, 1);                 // long_term_ref_pics_present_flag
    *(_BYTE *)(this + 224) = v80;
    if ( v80 )
    {
        // ue(v): count leading zero bits up to the first 1, then read that many suffix bits
        v81 = -1;
        do
            ++v81;
        while ( !consume_bits((int)v2, 1) );
        v82 = consume_bits((int)v2, v81);
        v128 = 0;
        // num_long_term_ref_pics_sps = (1 << v81) - 1 + v82, stored with no range check
        *(_DWORD *)(this + 0xE4) = (1 << v81) + --v82;
        if ( (1 << v81) + v82 )
        {
            v131 = this + 0xE8;                     // &lt_ref_pic_poc_lsb_sps[0]
            do
            {
                v83 = -1;
                do
                    ++v83;
                while ( !consume_bits((int)v2, 1) );
                v84 = consume_bits((int)v2, v83);
                v85 = v83;
                v86 = v131;
                *(_DWORD *)v131 = (1 << v85) - 1 + v84;    // overflow: index bounded only by the parsed count
                v87 = consume_bits((int)v2, 1);
                v88 = v128;
                v131 = v86 + 4;
                *(_BYTE *)(this + v128 + 0x168) = v87;     // overflow: used_by_curr_pic_lt_sps_flag[v128]
                v128 = v88 + 1;
            }
            while ( (unsigned int)(v88 + 1) < *(_DWORD *)(this + 0xE4) );
        }
    }
A count larger than 32 makes both writes run past the ends of their arrays, so this results in an out-of-bounds write past the array and may lead to RCE. This affects the PlayStation Portal and all other Remote Play clients for iOS, Android, Windows and macOS.
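The following is an added example, not code from the advisory or from Sony's decoder. It implements the same ue(v) parsing as the decompiled loop above and shows the bound check the decoder omits next to the unchecked loop. The per-entry fields are read the way the snippet above reads them (as ue(v) plus a flag bit; the specification encodes lt_ref_pic_poc_lsb_sps as fixed-width u(v), which does not change the count check). The bitstream is constructed inline with a small ue(v) writer; the struct layout, function names and the 32-entry limit taken from the HEVC specification are assumptions of the example, and the unchecked loop writes into an oversized scratch buffer so the demonstration itself stays memory-safe.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* HEVC 7.4.3.2.1: num_long_term_ref_pics_sps shall be in the range 0..32. */
#define MAX_LT_REF_PICS 32

struct bitreader { const uint8_t *data; size_t nbits; size_t pos; };

/* Read n bits MSB-first; -1 when the stream is exhausted (unlike consume_bits above). */
static int64_t read_bits(struct bitreader *br, unsigned n)
{
    if (n > 32 || br->pos + n > br->nbits) return -1;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
    return v;
}

/* ue(v): z leading zeros, a 1, then z suffix bits; value = (1 << z) - 1 + suffix.
 * This is exactly what the decompiled do/while + consume_bits pair computes. */
static int64_t read_ue(struct bitreader *br)
{
    unsigned zeros = 0;
    for (;;) {
        int64_t b = read_bits(br, 1);
        if (b < 0) return -1;
        if (b == 1) break;
        if (++zeros > 31) return -1;            /* reject absurd prefixes */
    }
    int64_t suffix = read_bits(br, zeros);
    return suffix < 0 ? -1 : ((int64_t)1 << zeros) - 1 + suffix;
}

/* Assumed layout mirroring the decoder object: two 32-slot arrays. */
struct lt_ref_pics_sps {
    uint32_t num_long_term_ref_pics_sps;
    uint32_t lt_ref_pic_poc_lsb_sps[MAX_LT_REF_PICS];
    uint8_t  used_by_curr_pic_lt_sps_flag[MAX_LT_REF_PICS];
};

/* Hardened parser: 0 on success, -1 on a truncated stream, -2 when the count
 * exceeds the array size (the check the vulnerable decoder omits). */
static int parse_lt_ref_pics_sps(struct bitreader *br, struct lt_ref_pics_sps *out)
{
    memset(out, 0, sizeof *out);
    int64_t present = read_bits(br, 1);
    if (present < 0) return -1;
    if (!present) return 0;
    int64_t n = read_ue(br);
    if (n < 0) return -1;
    if (n > MAX_LT_REF_PICS) return -2;         /* the missing bound check */
    out->num_long_term_ref_pics_sps = (uint32_t)n;
    for (uint32_t i = 0; i < out->num_long_term_ref_pics_sps; i++) {
        int64_t poc = read_ue(br), used = read_bits(br, 1);
        if (poc < 0 || used < 0) return -1;
        out->lt_ref_pic_poc_lsb_sps[i] = (uint32_t)poc;
        out->used_by_curr_pic_lt_sps_flag[i] = (uint8_t)used;
    }
    return 0;
}

/* The decoder's unchecked loop: returns how many entries it writes, i.e. how far
 * past a 32-slot array it would go. Writes go to `scratch` (cap entries) here. */
static size_t unchecked_entry_count(struct bitreader *br, uint32_t *scratch, size_t cap)
{
    if (read_bits(br, 1) != 1) return 0;
    int64_t n = read_ue(br);
    size_t written = 0;
    for (int64_t i = 0; i < n; i++) {
        int64_t poc = read_ue(br), used = read_bits(br, 1);
        if (poc < 0 || used < 0) break;         /* the real decoder keeps reading */
        if (written < cap) scratch[written] = (uint32_t)poc;
        written++;
    }
    return written;
}

/* Minimal bit writer used only to construct the sample bitstream. */
struct bitwriter { uint8_t *data; size_t cap_bits; size_t pos; };

static void write_bits(struct bitwriter *bw, uint32_t v, unsigned n)
{
    for (unsigned i = n; i-- > 0 && bw->pos < bw->cap_bits; bw->pos++)
        if ((v >> i) & 1) bw->data[bw->pos >> 3] |= 0x80 >> (bw->pos & 7);
}

static void write_ue(struct bitwriter *bw, uint32_t v)
{
    uint32_t x = v + 1;
    unsigned len = 0;
    while ((x >> len) > 1) len++;               /* floor(log2(x)) leading zeros */
    write_bits(bw, 0, len);
    write_bits(bw, x, len + 1);
}

/* Constructed sample: present_flag=1, num_long_term_ref_pics_sps=count, then
 * count entries of (poc_lsb=i, used_flag=i&1). Returns the number of bits used. */
static size_t build_sample(uint8_t *buf, size_t buflen, uint32_t count)
{
    memset(buf, 0, buflen);
    struct bitwriter bw = { buf, buflen * 8, 0 };
    write_bits(&bw, 1, 1);
    write_ue(&bw, count);
    for (uint32_t i = 0; i < count; i++) { write_ue(&bw, i); write_bits(&bw, i & 1, 1); }
    return bw.pos;
}

static int parse_sample(uint32_t count, struct lt_ref_pics_sps *out)
{
    uint8_t buf[256];
    struct bitreader br = { buf, build_sample(buf, sizeof buf, count), 0 };
    return parse_lt_ref_pics_sps(&br, out);
}

static size_t unchecked_sample(uint32_t count)
{
    uint8_t buf[256];
    uint32_t scratch[128];
    struct bitreader br = { buf, build_sample(buf, sizeof buf, count), 0 };
    return unchecked_entry_count(&br, scratch, 128);
}

int main(void)
{
    struct lt_ref_pics_sps sps;
    printf("count=5  -> hardened status %d, %u entries\n", parse_sample(5, &sps), sps.num_long_term_ref_pics_sps);
    printf("count=40 -> hardened status %d (rejected)\n", parse_sample(40, &sps));
    printf("count=40 -> unchecked loop writes %zu entries into 32-slot arrays\n", unchecked_sample(40));
    return 0;
}
```

With a count of 40 the hardened parser stops before touching the arrays, while the unchecked loop performs 40 writes, eight past the end of each array, which is the condition the advisory describes.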
Further Analysis
KGSL vulnerability
Additionally, the PlayStation Portal has patch gaps and is vulnerable to CVE-2023-33106, a Qualcomm Adreno GPU kernel driver (KGSL) bug analysed by Project Zero at https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2023/CVE-2023-33106.html, which may allow a local attacker to escalate privileges.
Timeline
Date reported: 02/21/2024
Date fixed: 05/03/2024
Date disclosed: 06/14/2024