Code:
    char k_path[0x100];
    int64_t max_len = fuword64(max_len_ptr);   // user-controlled, read as signed
    if (path_len <= max_len) {
        copyout(k_path, out_path, path_len);
    } else {
        copyout(k_path, out_path, max_len - 1); // negative max_len makes max_len - 1 wrap to a huge length
    }

Update

Code:
    // <6.00 bug (not exploitable) found by TheFloW, JS adaptation by CelesteBlue
    // only useful for when we find an actual vulnerable syscall
    var try_sys_randomized_path_leak = function() {
        var mem = p.malloc(0x1000000); // allocate buffer
        alert(p.hexdump(mem, 0x500)); // display zeroed buffer
        var len_pointer = p.malloc(0x08); // allocate length
        p.write8(len_pointer, new int64(0, 2147483648)); // write length: 0x8000000000000000
        alert(p.hexdump(len_pointer, 8)); // display length
        alert(p.syscall("sys_randomized_path", 0, mem, len_pointer)); // trigger bug
        alert(p.hexdump(mem, 0x500)); // display buffer, should have been modified if success
    };

A while back popular PS Vita scene developer TheFloW hinted that he'll be looking at the PS4 kernel in his H-ENcore Write-up, and today he shared on Twitter some details on a discovered bug, stating it is fixed somewhere between 5.05 and 6.20 OFW... with the PS4 Kernel Exploit 5.05 / 5.07 being the last public jailbreak currently available.

"PS4 kernel bug: sys_randomized_path could leak arbitrary amount of kernel stack. Unfortunately fixed somewhere between 5.05 and 6.20."

TheFloW said his bug is not exploitable:

"Nvm this bug is not exploitable, as copyout will simply abort if dst+len wraps around or is higher than 0x8000000000000000. However, Sony did actually fix it by adding a max_len > 0 check, so I thought it could be abused."

From Pastebin.com
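As an added example (not TheFloW's or CelesteBlue's code, and not the PS4 kernel's), the C program below models the three pieces the post puts together: the signed max_len check from the kernel snippet at the top, the copyout() guard TheFloW's tweet describes (dst + len wrapping or ending above 0x8000000000000000 aborts the copy), and the max_len > 0 check he says Sony added. The copyout model, the 0x20 path length and the user-space address are constructed assumptions for the demo; it shows why INT64_MIN as max_len turns into a 0x7fffffffffffffff-byte read past k_path, why the copyout guard still refuses it, and how the fix rejects the value up front.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USER_LIMIT  0x8000000000000000ULL  /* threshold quoted in TheFloW's tweet */
#define K_PATH_SIZE 0x100ULL               /* sizeof(k_path) in the kernel snippet */

/* Model of copyout()'s bounds guard as the tweet describes it (assumption:
 * the kernel's real check is not on the page). Returns true if the copy
 * would be allowed, false if dst + len wraps or ends above USER_LIMIT. */
static bool copyout_allowed(uint64_t dst, uint64_t len)
{
    uint64_t end = dst + len;            /* unsigned wrap is well defined in C */
    if (end < dst)
        return false;                    /* wrapped around the address space */
    if (end > USER_LIMIT)
        return false;                    /* would reach into the kernel half */
    return true;
}

/* Length the original (pre-fix) check hands to copyout. path_len is signed
 * here: the bug needs a signed comparison, since an unsigned path_len would
 * convert max_len to unsigned and always take the first branch. The
 * subtraction is done in uint64_t to model the two's-complement wrap that
 * INT64_MIN - 1 produces in the compiled kernel (signed overflow is UB in C). */
static uint64_t buggy_copy_len(int64_t path_len, int64_t max_len)
{
    if (path_len <= max_len)
        return (uint64_t)path_len;
    return (uint64_t)max_len - 1ULL;
}

/* Same logic with the max_len > 0 check TheFloW says Sony added.
 * Returns -1 (reject, nothing copied) for zero or negative max_len. */
static int64_t fixed_copy_len(int64_t path_len, int64_t max_len)
{
    if (max_len <= 0)
        return -1;
    return (int64_t)buggy_copy_len(path_len, max_len);
}

/* True when the copy would read past the 0x100-byte k_path buffer,
 * i.e. leak whatever kernel stack follows it. */
static bool overreads_kpath(uint64_t len)
{
    return len > K_PATH_SIZE;
}

int main(void)
{
    const int64_t  path_len = 0x20;                  /* constructed sample path length */
    const int64_t  evil_max = INT64_MIN;             /* 0x8000000000000000, the value the JS PoC writes */
    const uint64_t user_buf = 0x0000000200000000ULL; /* constructed user-space address */

    uint64_t len = buggy_copy_len(path_len, evil_max);
    printf("pre-fix: max_len=INT64_MIN -> copy len 0x%llx, overreads k_path: %s\n",
           (unsigned long long)len, overreads_kpath(len) ? "yes" : "no");
    printf("         copyout guard lets it through: %s\n",
           copyout_allowed(user_buf, len) ? "yes" : "no");

    int64_t fixed = fixed_copy_len(path_len, evil_max);
    printf("fixed:   max_len=INT64_MIN -> %s\n",
           fixed < 0 ? "rejected by max_len > 0 check" : "copied");

    fixed = fixed_copy_len(path_len, 0x100);
    printf("fixed:   max_len=0x100 -> copy len 0x%llx\n", (unsigned long long)fixed);
    return 0;
}
```

The interesting pair is the first two lines of output: the pre-fix check does produce an enormous length (so the stack read really would have happened), but any realistic user buffer plus that length lands above the user limit, which is exactly the copyout abort TheFloW pointed to.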