CSDb User Forums
Forums > CSDb Discussions > A nice "new" buffer overflow in 1541-1571 :D
2020-09-08 19:28
Zibri

Registered: May 2020
Posts: 129
A nice "new" buffer overflow in 1541-1571 :D

Searching, I didn't find any information on this, so afaik it is a newly found buffer overflow in the 1541 firmware.

Example:
write a 1 block file on disk.
edit the block where the file is so that the first two bytes are both 00.

When you read back the file, the result should have been 254 bytes.
Instead you will get: $1fA (506) bytes.
The first 252 bytes are the block on disk you previously saved.
The rest is 254 bytes of the drive buffer after the one where the block was loaded, starting at offset 2.

:D

Not exactly sure how this can be usefully exploited but I am sure Krill will like this :D
2020-09-08 19:57
Zibri

Registered: May 2020
Posts: 129
Also very nice things happen if you set the second byte to anything less than 4.
I am still researching this, but in some cases the CPU jumps to $1ff.
I think it is therefore possible to craft a file of multiple blocks where the last one triggers the bug.
2020-09-08 20:12
Zibri

Registered: May 2020
Posts: 129
hmmm the more I study this the more I find... stay tuned for nice news :D
2020-09-08 20:12
Groepaz

Registered: Dec 2001
Posts: 9532
Quote:
Also very nice things happen if you set the second byte to anything less than 4.
I am still researching this, but in some cases the cpu jumps to $1ff.

please elaborate
2020-09-08 20:32
Zibri

Registered: May 2020
Posts: 129
a single block file.

the first two bytes of the sector where the file is:

00 02 00 00


then
load"file",8,1

and you will cause a JMP ($100)
which on a fresh c64 jumps to $3833
because $100 still contains "38911"

Example forcing a jump to $4000

2020-09-08 20:33
Zibri

Registered: May 2020
Posts: 129
Quoting Groepaz
Quote:
Also very nice things happen if you set the second byte to anything less than 4.
I am still researching this, but in some cases the cpu jumps to $1ff.

please elaborate

Nothing.. I understood it later.. it just jumps at ($100)
2020-09-08 20:57
Zibri

Registered: May 2020
Posts: 129
Also.. there are 2 different buffer overflows.

One in 1541, when sector size is 00 00 and the file is only one sector.

Another one in C64 when sector size is < 4.

if sector size is 2 it jumps at ($100)
if sector size is 1 it does a crazy thing (still investigating): it writes all over page 0, also disabling the kernal and basic rom, and the last jump location is $2 :D
2020-09-08 21:03
Zibri

Registered: May 2020
Posts: 129
Quoting Zibri
Also.. there are 2 different buffer overflows.

One in 1541, when sector size is 00 00 and the file is only one sector.

Another one in C64 when sector size is < 4.

if sector size is 2 it jumps at ($100)
if sector size is 1 it does a crazy thing (still investigating): it writes all over page 0, also disabling the kernal and basic rom, and the last jump location is $2 :D


Ok, the last one happens because even if sector size is 1 it writes 254 bytes.. so it writes all zeroes at $0...

That was ok..
almost normal behaviour.
2020-09-08 22:02
Zibri

Registered: May 2020
Posts: 129
Errata corrige:

the first 4 bytes of the sector where the file is:

00 02 00 10


then
load"file",8,1

and you will cause a JMP ($100)

from vice:
assuming the "file" is located at track 17 sector 0:

f 1000 1100 00
>1000 00 02 00 10
bw 11 0 1000
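The malformed link bytes discussed in this thread (a last sector whose second byte is 00, or a single-sector PRG whose end index leaves fewer than the two load-address bytes) can be spotted in a D64 image before the disk is ever put in a drive or emulator. The checker below is an added example, not code from the thread or from any CSDb project. It relies on two documented CBM DOS facts: the first two bytes of every data sector link to the next track/sector, and in the last sector (link track 00) the second byte is the index of the last used byte, so the only sane values there are 2..255. The 35-track D64 layout (21/19/18/17 sectors per track zone) is standard; the sample images are constructed in the code and labelled as such.

```python
"""Walk a CBM DOS file chain inside a D64 image and flag malformed
end-of-file link bytes such as the 00 00 / 00 02 cases from the thread.
Added example, not part of the original post."""

SECTORS_PER_TRACK = [21] * 17 + [19] * 7 + [18] * 6 + [17] * 5   # tracks 1..35
SECTOR_SIZE = 256
D64_SIZE = sum(SECTORS_PER_TRACK) * SECTOR_SIZE                   # 174848 bytes


def sector_offset(track, sector):
    """Byte offset of (track, sector) inside a 35-track D64 image."""
    if not 1 <= track <= 35 or not 0 <= sector < SECTORS_PER_TRACK[track - 1]:
        raise ValueError(f"invalid track/sector {track}/{sector}")
    return (sum(SECTORS_PER_TRACK[:track - 1]) + sector) * SECTOR_SIZE


def walk_chain(image, track, sector):
    """Follow the track/sector links of a file starting at (track, sector).

    Returns (data, findings): the payload a well-behaved reader would return,
    and a list of human-readable problems found in the chain.
    """
    data = bytearray()
    findings = []
    seen = set()
    while True:
        if (track, sector) in seen:
            findings.append(f"chain loops back to {track}/{sector}")
            break
        seen.add((track, sector))
        off = sector_offset(track, sector)
        block = image[off:off + SECTOR_SIZE]
        link_track, link_sector = block[0], block[1]
        if link_track != 0:
            data += block[2:]                      # full sector: 254 payload bytes
            track, sector = link_track, link_sector
            continue
        # Last sector: byte 1 is the index of the last used byte, so the
        # payload is bytes 2..link_sector and any value below 2 is malformed.
        if link_sector < 2:
            findings.append(
                f"last sector {track}/{sector}: end index ${link_sector:02x} < 2, "
                "no valid payload (the 00 00 case described in the thread)")
        else:
            data += block[2:link_sector + 1]
        break
    # A PRG loaded with ,8,1 needs two load-address bytes before any data.
    if len(data) < 2:
        findings.append(
            f"file holds {len(data)} byte(s), fewer than the 2-byte PRG load address")
    return bytes(data), findings


def make_image(sectors):
    """Build a blank D64 and write the given {(track, sector): bytes} blocks.
    Used here only to construct sample images; nothing is read from disk."""
    image = bytearray(D64_SIZE)
    for (t, s), content in sectors.items():
        off = sector_offset(t, s)
        image[off:off + len(content)] = content
    return image


if __name__ == "__main__":
    # Constructed sample: a healthy two-sector file at track 17.
    good = make_image({(17, 0): bytes([17, 1]) + bytes(254),
                       (17, 1): bytes([0, 0xFF]) + bytes(254)})
    print("good:", walk_chain(good, 17, 0)[1])
    # Constructed sample: the "00 02 00 10" single-sector file from the thread.
    bad = make_image({(17, 0): bytes([0x00, 0x02, 0x00, 0x10])})
    print("00 02:", walk_chain(bad, 17, 0)[1])
    # Constructed sample: the "00 00" single-sector file from the first post.
    zero = make_image({(17, 0): bytes([0x00, 0x00])})
    print("00 00:", walk_chain(zero, 17, 0)[1])
```

Running the script reports no findings for the healthy chain, one finding for the 00 02 sector (a one-byte file, shorter than a load address), and two for the 00 00 sector (invalid end index and empty payload). The walker stops on a repeated track/sector so a looping chain cannot hang it, which is the other common way a hand-edited block misbehaves.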
All times are CET.