Zibri (Account closed)
Registered: May 2020, Posts: 304
A nice "new" buffer overflow in 1541-1571 :D
Searching, I didn't find any information on this, so afaik it is a newly found buffer overflow in the 1541 firmware.
Example:
Write a 1-block file on disk.
Edit the block where the file is so that the first two bytes are both 00.
When you read back the file, the result should have been 254 bytes.
Instead you will get: $1FA (506) bytes.
The first 252 bytes are the block on disk you previously saved.
The rest is 254 bytes of the drive buffer after the one where the block was loaded, starting at offset 2.
:D
Not exactly sure how this can be usefully exploited, but I am sure Krill will like this :D

Zibri
Also very nice things happen if you set the second byte to anything less than 4.
I am still researching this, but in some cases the cpu jumps to $1ff.
I think it is therefore possible to craft a file of multiple blocks where the last one triggers the bug.

Zibri
hmmm, the more I study this, the more I find... stay tuned for nice news :D

chatGPZ
Registered: Dec 2001, Posts: 11499
> Quote: Also very nice things happen if you set the second byte to anything less than 4.
> I am still researching this, but in some cases the cpu jumps to $1ff.
Please elaborate.

Zibri
A single-block file.
The first two bytes of the sector where the file is:
00 02 00 00
then
load"file",8,1
and you will cause a JMP ($100)
which on a fresh C64 jumps to $3833
because $100 still contains "38911".
Example forcing a jump to $4000

Zibri
> Quoting Groepaz:
> > Also very nice things happen if you set the second byte to anything less than 4.
> > I am still researching this, but in some cases the cpu jumps to $1ff.
> please elaborate
Nothing.. I understood it later.. it just jumps at ($100)

Zibri
Also.. there are 2 different buffer overflows.
One in the 1541, when the sector size is 00 00 and the file is only one sector.
Another one in the C64, when the sector size is < 4.
If the sector size is 2 it jumps at ($100).
If the sector size is 1 it does a crazy thing (still investigating): it writes all over page 0, disabling also the kernal and basic rom, and the last jump location is $2 :D

Zibri
> Quoting Zibri:
> Also.. there are 2 different buffer overflows.
> One in the 1541, when the sector size is 00 00 and the file is only one sector.
> Another one in the C64, when the sector size is < 4.
> If the sector size is 2 it jumps at ($100).
> If the sector size is 1 it does a crazy thing (still investigating): it writes all over page 0, disabling also the kernal and basic rom, and the last jump location is $2 :D
Ok, the last one happens because even if the sector size is 1 it writes 254 bytes.. so writing all zeroes at $0...
That was ok..
almost normal behaviour.

Zibri
Errata corrige:
the first 4 bytes of the sector where the file is:
00 02 00 10
then
load"file",8,1
and you will cause a JMP ($100)
From VICE:
assuming the "file" is located at track 17 sector 0:
f 1000 1100 00
>1000 00 02 00 10
bw 11 0 1000
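As an added example (not code from the thread or from any of the posters), here is a small Python checker that walks a file's track/sector chain inside a D64 image and flags the terminator values discussed above: an end index below 2 (the "00 00" case of the first post) and an end index below 4 (the "less than 4" case that misbehaves with load"file",8,1). It assumes the standard 35-track D64 layout and the CBM DOS chain convention (track byte 0 marks the last block, and its second byte is the index of the last used data byte); the sample image is constructed in memory with the file at track 17 sector 0, as in the errata post.

```python
# Added example, not from the thread: validate a file's block chain in a D64
# image. Assumes the standard 35-track D64 layout and the CBM DOS convention
# that bytes 0-1 of a block link to the next block (track 0 = last block,
# second byte = index of the last used data byte in that block).

SECTOR = 256
SECTORS_PER_TRACK = [21] * 17 + [19] * 7 + [18] * 6 + [17] * 5  # tracks 1..35
D64_SIZE = sum(SECTORS_PER_TRACK) * SECTOR  # 174848 bytes


def block_offset(track, sector):
    """Byte offset of block (track, sector) in a D64 image; tracks are 1-based."""
    if not 1 <= track <= 35 or not 0 <= sector < SECTORS_PER_TRACK[track - 1]:
        raise ValueError(f"no such block: {track}/{sector}")
    return (sum(SECTORS_PER_TRACK[:track - 1]) + sector) * SECTOR


def walk_chain(image, track, sector):
    """Follow a file's chain from its first block; returns (data_bytes, warnings).

    Each block carries 254 data bytes at offsets 2..255. In the last block the
    second byte is the index of the last used byte: 0xFF = full block, 0x02 =
    one data byte, so anything below 2 is not a valid terminator.
    """
    total, warnings, seen = 0, [], set()
    while (track, sector) not in seen:
        seen.add((track, sector))
        off = block_offset(track, sector)
        link_t, link_s = image[off], image[off + 1]
        if link_t != 0:                      # not the last block: full 254 bytes
            total += 254
            track, sector = link_t, link_s
            continue
        if link_s < 2:                       # the "00 00" case from the first post
            warnings.append(f"{track}/{sector}: end index {link_s:#04x} is below 2, "
                            "a malformed terminator (the thread saw 506 bytes come back)")
        elif link_s < 4:                     # the "less than 4" case with LOAD ...,8,1
            warnings.append(f"{track}/{sector}: end index {link_s:#04x} leaves fewer "
                            "than two data bytes, not even a complete load address")
        return total + max(0, link_s - 1), warnings
    warnings.append(f"chain loops back to {track}/{sector}")
    return total, warnings


def make_image(first_block, second_block=None):
    """Constructed D64 with a file at track 17 sector 0 (the thread's location),
    optionally continuing at track 17 sector 1. Only the link bytes matter here."""
    img = bytearray(D64_SIZE)
    img[block_offset(17, 0):block_offset(17, 0) + len(first_block)] = first_block
    if second_block is not None:
        off = block_offset(17, 1)
        img[off:off + len(second_block)] = second_block
    return img
```

Running walk_chain on a real image (after reading it into a bytes object) reports the expected byte count the drive should return and any terminator that would trigger the behaviour described in the posts.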