KHeapChunkHeader: Difference between revisions

Revision as of 21:37, 27 September 2015

This is the header stored at the beginning of unused blocks of FCRAM memory. The kernel maintains these structures to keep a list of free blocks and their sizes.

By overwriting the pointers in instances of this struct (e.g. using an attack like gspwn) and then (de)allocating memory, one can achieve a controlled ARM11 kernel-mode write on system versions up to 9.2 (memchunkhax).

Size : 0xC bytes?

Offset	Type	Description
0x0	u32	Size in pages
0x4	KHeapHeader*	Next
0x8	KHeapHeader*	Prev

Revision as of 19:25, 27 September 2015 view source Bond697 (talk \| contribs) 374 edits Absolutely fucking not ← Older edit		Revision as of 21:37, 27 September 2015 view source Yuriks (talk \| contribs) 110 edits No edit summary Newer edit →
Line 1:		Line 1:
	This is the header stored in FCRAM ~~for each FCRAM heap chunk~~. The kernel maintains ~~this structure~~.		This is the header stored at the beginning of unused blocks of FCRAM memory. The kernel maintains these structures to keep a list of free blocks and their sizes.

	An attack like gspwn can ~~be used to overwrite instances of this header in order to exploit the~~ ARM11 kernel on system versions ~~below~~ 9.3 ([[3DS_System_Flaws#Kernel11\|memchunkhax]]).		By overwriting the pointers in instances of this struct (e.g. using an attack like gspwn) and then (de)allocating memory, one can achieve a controlled ARM11 kernel-mode write on system versions up to 9.2 ([[3DS_System_Flaws#Kernel11\|memchunkhax]]).

KHeapChunkHeader: Difference between revisions

Revision as of 21:37, 27 September 2015

Navigation menu

Search