Changes

3DS System Flaws (edit)

Revision as of 02:00, 11 July 2014

873 bytes added , 02:00, 11 July 2014

→‎ARM11 kernel

Line 39: Line 39:

| None

|-

−

| [[~~Services_API~~|Command]] input/output buffer permissions

+

| [[RPC_Command_Structure|Command]] input/output buffer permissions

| Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.

| [[4.0.0-7]]

Line 59: Line 59:

| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.

| [[4.0.0-7]]

+

|-

+

| [[RPC_Command_Structure|Command]] request/response buffer overflow

+

| Originally the kernel did not check the word-values from the command-header. Starting with [[5.0.0-11]], the kernel will trigger a kernelpanic() when the total word-size of the entire command(including the cmd-header) is larger than 0x40-words(0x100-bytes). This allows overwriting threadlocalstorage+0x180 in the destination thread, however since the data written there would be translate parameters(such as header-words + buffer addresses), exploiting this would likely be very difficult if possible at all.

+

If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.

+

| [[5.0.0-11]]

|}

Yellows8

Bureaucrats, Administrators

6,264

edits