PS5: SMAP bypass vulnerability disclosed
Security researcher m00nbsd, who specializes in BSD vulnerabilities, has disclosed a SMAP bypass vulnerability through PlayStation’s bug bounty program. The vulnerability could very likely impact the PS5.
Bypassing SMAP in itself is not enough to exploit a console, but it removes a lot of securities of the OS, and makes progress to the next steps of an exploit that much easier.
What is SMAP?
SMAP is a security feature available on some CPUs. From Wikipedia:
Without Supervisor Mode Access Prevention, supervisor code usually has full read and write access to user-space memory mappings (or has the ability to obtain full access). This has led to the development of several security exploits, including privilege escalation exploits, which operate by causing the kernel to access user-space memory when it did not intend to. Operating systems can block these exploits by using SMAP to force unintended user-space memory accesses to trigger page faults. Additionally, SMAP can expose flawed kernel code which does not follow the intended procedures for accessing user-space memory.
How is a SMAP vulnerability relevant to the PS5?
If SMAP can be entirely bypassed through an initial exploit, this means a class of kernel exploits, that would allow the malicious code to access user space memory, could work. This potentially means that a large amount of exploits that are believed to be “hard to achieve” or “fixed” are actually a possibility on the PS5. From the disclosure:
SMAP is a security feature on x86 CPUs, that forbids ring0 from reading/writing to ring3 pages, making it harder to exploit entire classes of vulnerabilities.There is a vulnerability in FreeBSD 12 that allows SMAP to be bypassed by userland. There is a very high probability that it affects the PS5 but I was unable to access a PS5 firmware to confirm it.This vuln downgrades the security properties of the OS, and is a building block for exploitation chains.[…]ImpactUserland can open large windows where the kernel executes with SMAP disabled.Lack of SMAP makes exploitation of common vulnerabilities easy/trivial.
For details on the actual bug/vulnerability, check the disclosure page on HackerOne.