3dbrew

Changes

3DS System Flaws (edit)

Revision as of 20:22, 15 January 2015

739 bytes added ,  20:22, 15 January 2015
→‎ARM11 kernel
Line 105: Line 105:  
|  
 
|  
 
| None
 
| None
| [[9.3.0-21|9.3.0-21]]
+
| [[9.3.0-21|9.3.0-X]]
 
|  
 
|  
 
|  
 
|  
 
|-
 
|-
|  
+
| memchunkhax
|  
+
| The kernel originally did not validate the data stored in the FCRAM kernel heap memchunk-headers for free-memory at all. Exploiting this requires raw R/W access to these memchunk-headers, like physical-memory access with gspwn.
 +
 
 +
There are ''multiple'' ways to exploit this, but the end-result for most of these is the same: overwrite code in AXIWRAM via the 0xEFF00000/0xDFF00000 kernel virtual-memory mapping.
 +
 
 +
This was fixed in [[9.3.0-21|9.3.0-X]] by checking that the memchunk(including size, next, and prev ptrs) is located within the currently used heap memory. The kernel may also check that the next/prev ptrs are valid compared to other memchunk-headers basically. When any of these checks fail, kernelpanic() is called.
 
| When combined with other flaws: ARM11-kernelmode code execution
 
| When combined with other flaws: ARM11-kernelmode code execution
 
| [[9.3.0-21|9.3.0-21]]
 
| [[9.3.0-21|9.3.0-21]]
Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/11460"