Changes

Jump to navigation Jump to search
No change in size ,  20:41, 11 July 2014
m
Sort by version
Line 38: Line 38:  
| The ARM11 kernel-mode 0xEFF00000 virtual-mem(size 0x100000) is mapped to phys-mem 0x1FF00000(entire DSP-mem + entire AXIWRAM), with permissions RW-. This is used during ARM11 kernel startup, this never seems to be used after that however.
 
| The ARM11 kernel-mode 0xEFF00000 virtual-mem(size 0x100000) is mapped to phys-mem 0x1FF00000(entire DSP-mem + entire AXIWRAM), with permissions RW-. This is used during ARM11 kernel startup, this never seems to be used after that however.
 
| None
 
| None
|-
  −
| [[RPC_Command_Structure|Command]] input/output buffer permissions
  −
| Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.
  −
| [[4.0.0-7]]
  −
|-
  −
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
  −
| svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.
  −
| [[4.1.0-8]]
   
|-
 
|-
 
| [[SVC|svcControlMemory]] Parameter checks
 
| [[SVC|svcControlMemory]] Parameter checks
Line 55: Line 47:     
| [[5.0.0-11]]
 
| [[5.0.0-11]]
|-
  −
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
  −
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.
  −
| [[4.0.0-7]]
   
|-
 
|-
 
| [[RPC_Command_Structure|Command]] request/response buffer overflow
 
| [[RPC_Command_Structure|Command]] request/response buffer overflow
Line 65: Line 53:  
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.
 
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.
 
| [[5.0.0-11]]
 
| [[5.0.0-11]]
 +
|-
 +
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
 +
| svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.
 +
| [[4.1.0-8]]
 +
|-
 +
| [[RPC_Command_Structure|Command]] input/output buffer permissions
 +
| Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.
 +
| [[4.0.0-7]]
 +
|-
 +
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
 +
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.
 +
| [[4.0.0-7]]
 
|}
 
|}
  

Navigation menu