3dbrew

Changes

3DS System Flaws (edit)

Revision as of 04:46, 7 November 2017

787 bytes added ,  04:46, 7 November 2017
→‎Kernel11 just a lame bug I guess
Line 518: Line 518:  
!  Timeframe this was discovered
 
!  Timeframe this was discovered
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[SVC|svcSetProcessIdealProcessor]] reference count overflow and therefore use-after-free.
 +
| The SVC receive two arguments: handle and idealprocessor. The handle is used to get the KProcess object and the KProcess->refCnt gets incremented,later the function check if the KProcess->mem_type != BASE and if yes, it checks for idealprocessor == 2 or idealprocessor != 3. The problem here is that if you pass the idealprocessor = 3 it won't meet any condition and return the error 0xD9001BEA without decrement the reference count.
 +
It can be abused to overflow the KProcess reference count that will lead to an Use-after-free.
 +
| Before [[11.2.0-35|11.2.0-X]]: reference count overflow and therefore use-after-free.
 +
|
 +
| [[11.6.0-39|11.6.0-X]]
 +
| November 2, 2017
 +
| [[User:st4rk|st4rk]]
 
|-
 
|-
 
| [[SVC|svcGetThreadList]] process reference leak
 
| [[SVC|svcGetThreadList]] process reference leak
St4rk
1

edit

Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/20456"