Changes

772 bytes added, 21:21, 10 July 2014
Line 31: Line 31:  
!  Fixed in system version
 
!  Fixed in system version
 
|-
 
|-
|  [[SVC|svc7b]]
+
|  [[SVC|svcBackdoor (0x7B)]]
 
|  This backdoor allows executing SVC-mode code at the user-specified code-address. This is used by Process9, using this on the ARM11(with NATIVE_FIRM) requires patching the kernel .text or modifying SVC-access-control.
 
|  This backdoor allows executing SVC-mode code at the user-specified code-address. This is used by Process9, using this on the ARM11(with NATIVE_FIRM) requires patching the kernel .text or modifying SVC-access-control.
 
|  None
 
|  None
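Review bot: the description cell of the renamed svcBackdoor (0x7B) row is a comma splice and should be split into two sentences, e.g. "This is used by Process9. Using this on the ARM11 (with NATIVE_FIRM) requires patching the kernel .text or modifying SVC-access-control." Since the "Fixed in system version" cell is "None", it would also help to say outright that this is intended kernel functionality reachable only through the SVC access control, not a bug awaiting a fix, so the row is not read the same way as the vulnerability rows below it.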
Line 46: Line 46:  
| svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.
 
| svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.
 
| [[4.1.0-8]]
 
| [[4.1.0-8]]
 +
|-
 +
| [[SVC|svcControlMemory]] Parameter checks
 +
| For svcControlMemory the parameter check had these two flaws:
 +
 +
* The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. This ''might'' have allowed any process to RW map for PA 0x14000000-0x28000000 using the LINEAR flag, and thereby RW access to entire kernel memory giving ARM11 kernel code-execution.
 +
 +
* Integer overflows on (addr0+size) are now checked that previously weren't.
 +
 +
| Observed fixed in 7.0. Observed vulnerable in 4.0.
 
|-
 
|-
 
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
 
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
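Review bot: the first bullet of the new "svcControlMemory Parameter checks" row leaves its central claims unverified ("like bit17?", "This ''might'' have allowed ... ARM11 kernel code-execution"): either state which op bit was actually tested and whether the LINEAR-flag RW mapping of PA 0x14000000-0x28000000 was confirmed, or mark the row as unconfirmed, because its stated impact is the strongest in the table. The arithmetic itself is consistent (0x10003 with bit 17 set is 0x30003). The "Observed fixed in 7.0. Observed vulnerable in 4.0." cell also departs from the table's convention of a linked version such as [[4.1.0-8]] in the "Fixed in system version" column; if the exact version is unknown, stating the range with linked versions would keep the column consistent.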