6,264
edits
Changes
Jump to navigation
Jump to search
Line 105:
Line 105: − + − + − + + + + +
→ARM11 kernel
|
|
| None
| None
| [[9.3.0-21|9.3.0-21]]
| [[9.3.0-21|9.3.0-X]]
|
|
|
|
|-
|-
|
| memchunkhax
|
| The kernel originally did not validate the data stored in the FCRAM kernel heap memchunk-headers for free-memory at all. Exploiting this requires raw R/W access to these memchunk-headers, like physical-memory access with gspwn.
There are ''multiple'' ways to exploit this, but the end-result for most of these is the same: overwrite code in AXIWRAM via the 0xEFF00000/0xDFF00000 kernel virtual-memory mapping.
This was fixed in [[9.3.0-21|9.3.0-X]] by checking that the memchunk(including size, next, and prev ptrs) is located within the currently used heap memory. The kernel may also check that the next/prev ptrs are valid compared to other memchunk-headers basically. When any of these checks fail, kernelpanic() is called.
| When combined with other flaws: ARM11-kernelmode code execution
| When combined with other flaws: ARM11-kernelmode code execution
| [[9.3.0-21|9.3.0-21]]
| [[9.3.0-21|9.3.0-21]]