Changes

924 bytes added, 21:09, 6 July 2014
Line 50: Line 50:  
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.
 
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.
 
| [[4.0.0-7]]
 
| [[4.0.0-7]]
 +
|}
 +
 +
=== FIRM ARM11 modules ===
 +
{| class="wikitable" border="1"
 +
|-
 +
!  Summary
 +
!  Description
 +
!  Fixed in system version
 +
|-
 +
| [[Services|"srv:pm"]] process registration
 +
| Originally the service-manager didn't restrict the number of sessions for "srv:pm". The processIDs used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", which therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list. This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] the service-manager will execute [[SVC|svcBreak]] when another session for "srv:pm" is attempting to be opened after the [[Process_Manager_Services|initial]] session. This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
 +
| [[7.0.0-13]]
 
|}
 
|}
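Review bot: The new "srv:pm" row describes two distinct weaknesses (no session limit for "srv:pm", and unchecked processIDs on the (un)registration commands) but the fix text only covers the first: "starting with [[7.0.0-13]] the service-manager will execute [[SVC|svcBreak]] when another session for "srv:pm" is attempting to be opened". State whether 7.0.0-13 also added processID validation, or make it explicit that only the session limit changed, so a reader can tell which part of the flaw the "Fixed in system version" column refers to. Two smaller points in the same row: "This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]]" repeats the link back to back and already duplicates the "Fixed in" column, so the first mention can go; and "when another session ... is attempting to be opened" reads better as "when an attempt is made to open another session". The closing "|}" inserted before the new "=== FIRM ARM11 modules ===" heading correctly terminates the previous table before the new "{|" opens, and the header row matches the existing table's column set, so the structure looks fine.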