Changes

104 bytes added, 01:51, 3 February 2015
Line 44: Line 44:  
!  Discovered by
 
!  Discovered by
 
|-
 
|-
| firmlaunch-haxx: FIRM header ToCToU
+
| firmlaunch-hax: FIRM header ToCToU
 
| This can't be exploited from ARM11 userland.
 
| This can't be exploited from ARM11 userland.
 
During [[FIRM]] launch, the only FIRM header the ARM9 uses at all is stored in FCRAM, this is 0x200-bytes(the actual used FIRM RSA signature is read to the Process9 stack however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data.
 
During [[FIRM]] launch, the only FIRM header the ARM9 uses at all is stored in FCRAM, this is 0x200-bytes(the actual used FIRM RSA signature is read to the Process9 stack however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data.
 +
With [[9.5.0-22]] the address of this FIRM header was changed from a FCRAM address, to ARM9-only address 0x01fffc00.
 
| ARM9 code execution
 
| ARM9 code execution
| None
+
| [[9.5.0-22]]
| [[9.3.0-21|9.3.0-X]]
+
|
 
| 2012, 3 days after [[User:Yellows8|Yellows8]] started Process9 code RE.
 
| 2012, 3 days after [[User:Yellows8|Yellows8]] started Process9 code RE.
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
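Review bot: The "Fixed in" cell is set to [[9.5.0-22]] while the added description line only states that the header address moved to the ARM9-only address 0x01fffc00; the row should say in one sentence why that closes the ToCToU (the header is no longer in FCRAM, so nothing outside the ARM9 can modify it between the signature check and its use), otherwise a reader cannot tell whether the relocation is a full fix or merely a hardening step. Minor wording in the same added line: drop the comma in "from a FCRAM address, to ARM9-only address", and the unchanged context "0x200-bytes(the actual" wants a space before the parenthesis.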