3dbrew

Changes

3DS System Flaws (edit)

Revision as of 21:32, 29 July 2014

247 bytes added ,  21:32, 29 July 2014
no edit summary
Line 71: Line 71:  
|-
 
|-
 
| [[SVC|SVC stack allocation overflows]]
 
| [[SVC|SVC stack allocation overflows]]
| svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN only checked bit31 before multiplying by 4/16. If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack. It might allow for arbitrary kernel code execution.
+
|  
 +
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun.
 +
* The alignment (size+7)&~7 calucation before allocation was not checked for integer overflow.
 +
 
 +
This might allow for ARM11 kernel code-execution.
 +
 
 +
(Applies to svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN.)
 
| [[5.0.0-11]]
 
| [[5.0.0-11]]
 
|-
 
|-
Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/9475"