6,264
edits
Changes
Jump to navigation
Jump to search
Line 44:
Line 44: + Line 51:
Line 52: + Line 61:
Line 63: + + + + + + + Line 72:
Line 81: + Line 89:
Line 99: + − + Line 100:
Line 111: + Line 105:
Line 117: + Line 110:
Line 123: + Line 115:
Line 129: +
no edit summary
! Fixed in system version
! Fixed in system version
! Last FIRM version this was flaw was checked for
! Last FIRM version this was flaw was checked for
! Timeframe this was discovered
|-
|-
| [[SVC]] table too small
| [[SVC]] table too small
| None
| None
| [[9.3.0-21|9.3.0]]
| [[9.3.0-21|9.3.0]]
| 2012
|-
|-
| [[SVC|svcBackdoor (0x7B)]]
| [[SVC|svcBackdoor (0x7B)]]
| None
| None
| [[9.3.0-21|9.3.0]]
| [[9.3.0-21|9.3.0]]
|
|-
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
| Originally the ARM11-kernel didn't check permissions for PXI input/output buffers for commands. Starting with [[6.0.0-11|6.0.0]] PXI input/output buffers must have RW permissions, otherwise kernelpanic is triggered.
| [[6.0.0-11|6.0.0]]
|
| 2012
|-
|-
| [[SVC|svcStartInterProcessDma]]
| [[SVC|svcStartInterProcessDma]]
| [[6.0.0-11]]
| [[6.0.0-11]]
|
|
| DmaConfig issue: unknown. The rest: 2014
|-
|-
| [[SVC|svcControlMemory]] Parameter checks
| [[SVC|svcControlMemory]] Parameter checks
| [[5.0.0-11]]
| [[5.0.0-11]]
|
|
| v4.1 FIRM -> v5.0 code diff
|-
|-
| [[SVC|SVC stack allocation overflows]]
| [[SVC|SVC stack allocation overflows]]
|
|
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun.
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun.
* The alignment (size+7)&~7 calucation before allocation was not checked for integer overflow.
* The alignment (size+7)&~7 calculation before allocation was not checked for integer overflow.
This might allow for ARM11 kernel code-execution.
This might allow for ARM11 kernel code-execution.
| [[5.0.0-11]]
| [[5.0.0-11]]
|
|
| v4.1 FIRM -> v5.0 code diff
|-
|-
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
| [[4.1.0-8]]
| [[4.1.0-8]]
|
|
| 2012
|-
|-
| [[RPC_Command_Structure|Command]] input/output buffer permissions
| [[RPC_Command_Structure|Command]] input/output buffer permissions
| [[4.0.0-7]]
| [[4.0.0-7]]
|
|
| 2012
|-
|-
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
| [[4.0.0-7]]
| [[4.0.0-7]]
|
|
| 2012?
|}
|}