Changes

493 bytes added, 20:28, 10 December 2014
no edit summary
Line 44: Line 44:  
!  Fixed in system version
 
!  Fixed in system version
 
!  Last FIRM version this was flaw was checked for
 
!  Last FIRM version this was flaw was checked for
 +
!  Timeframe this was discovered
 
|-
 
|-
 
|  [[SVC]] table too small
 
|  [[SVC]] table too small
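Review bot: the header row gains a fifth column ("Timeframe this was discovered"), so every data row in the table needs a matching fifth cell, including rows with no known date; the rows this edit does not touch should be checked, because a row with only four cells shifts the rendered columns. While the header row is being edited, the stray "was" in "Last FIRM version this was flaw was checked for" could be corrected to "Last FIRM version this flaw was checked for".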
Line 51: Line 52:  
|  None
 
|  None
 
| [[9.3.0-21|9.3.0]]
 
| [[9.3.0-21|9.3.0]]
 +
| 2012
 
|-
 
|-
 
|  [[SVC|svcBackdoor (0x7B)]]
 
|  [[SVC|svcBackdoor (0x7B)]]
Line 61: Line 63:  
| None
 
| None
 
| [[9.3.0-21|9.3.0]]
 
| [[9.3.0-21|9.3.0]]
 +
|
 +
|-
 +
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
 +
| Originally the ARM11-kernel didn't check permissions for PXI input/output buffers for commands. Starting with [[6.0.0-11|6.0.0]] PXI input/output buffers must have RW permissions, otherwise kernelpanic is triggered.
 +
| [[6.0.0-11|6.0.0]]
 +
|
 +
| 2012
 
|-
 
|-
 
| [[SVC|svcStartInterProcessDma]]
 
| [[SVC|svcStartInterProcessDma]]
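Review bot: the new "PXI Command input/output buffer permissions" row says the ARM11 kernel did not check PXI buffer permissions before 6.0.0 and that buffers now need RW permissions, but not what the missing check let a process do; a sentence on the consequence, as the other rows give, would make the entry useful for readers deciding what it means. The row title is the same as the existing "Command input/output buffer permissions" row (fixed in 4.0.0) apart from the PXI prefix, so a cross-link or a note on how the two differ would help. Minor: "kernelpanic" should be "kernel panic", and the svcBackdoor row's new Timeframe cell is left blank where the svcStartInterProcessDma row uses "unknown"; pick one convention for missing values.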
Line 72: Line 81:  
| [[6.0.0-11]]
 
| [[6.0.0-11]]
 
|  
 
|  
 +
| DmaConfig issue: unknown. The rest: 2014
 
|-
 
|-
 
| [[SVC|svcControlMemory]] Parameter checks
 
| [[SVC|svcControlMemory]] Parameter checks
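Review bot: the new Timeframe cell "DmaConfig issue: unknown. The rest: 2014" for svcStartInterProcessDma refers to sub-issues that are only identified here as "DmaConfig" and "the rest"; name them the way the row's description does, or split the entry into separate rows, so a reader can tell which part was found in 2014 and which is undated.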
Line 89: Line 99:  
| [[5.0.0-11]]
 
| [[5.0.0-11]]
 
|  
 
|  
 +
| v4.1 FIRM -> v5.0 code diff
 
|-
 
|-
 
| [[SVC|SVC stack allocation overflows]]
 
| [[SVC|SVC stack allocation overflows]]
 
|  
 
|  
 
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun.  
 
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun.  
* The alignment (size+7)&~7 calucation before allocation was not checked for integer overflow.
+
* The alignment (size+7)&~7 calculation before allocation was not checked for integer overflow.
    
This might allow for ARM11 kernel code-execution.
 
This might allow for ARM11 kernel code-execution.
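Review bot: "v4.1 FIRM -> v5.0 code diff" in the svcControlMemory Parameter checks row records how the flaw was found rather than when, which is what the new column header asks for; keep the diff as the source but put a date (or "unknown") in front of it. The "calucation" to "calculation" correction in the SVC stack allocation overflows bullet is fine; note that the fixed-in value [[5.0.0-11]] and the "v4.1 -> v5.0" diff reference agree, which is the kind of consistency check the new column makes possible.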
Line 100: Line 111:  
| [[5.0.0-11]]
 
| [[5.0.0-11]]
 
|  
 
|  
 +
| v4.1 FIRM -> v5.0 code diff
 
|-
 
|-
 
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
 
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
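Review bot: "v4.1 FIRM -> v5.0 code diff" for SVC stack allocation overflows names the evidence, not a timeframe; since the column header asks when the flaw was discovered, write the date or "unknown" first and keep the diff reference after it as the source, so the cell reads the same way as the rows that simply give a year.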
Line 105: Line 117:  
| [[4.1.0-8]]
 
| [[4.1.0-8]]
 
|  
 
|  
 +
| 2012
 
|-
 
|-
 
| [[RPC_Command_Structure|Command]] input/output buffer permissions
 
| [[RPC_Command_Structure|Command]] input/output buffer permissions
Line 110: Line 123:  
| [[4.0.0-7]]
 
| [[4.0.0-7]]
 
|  
 
|  
 +
| 2012
 
|-
 
|-
 
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
 
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
Line 115: Line 129:  
| [[4.0.0-7]]
 
| [[4.0.0-7]]
 
|  
 
|  
 +
| 2012?
 
|}
 
|}
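Review bot: "2012?" in the svcReadProcessMemory/svcWriteProcessMemory permissions row introduces a third way of marking an uncertain value, next to the blank cell used for svcBackdoor and the "unknown" used for the DmaConfig issue in the same column; since the column is new, settle on one form now (for example "2012 (unconfirmed)" or "unknown") so the table stays consistent as more rows are filled in.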