Changes

Jump to navigation Jump to search

3DS System Flaws (edit)

Revision as of 18:00, 9 May 2015

624 bytes added ,  18:00, 9 May 2015
→‎Kernel11: Multiple KLinkedListNode SlabHeap use after free bugs
Line 265: Line 265:  
| February 2014
 
| February 2014
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 +
|-
 +
| Multiple [[KLinkedListNode|KLinkedListNode]] SlabHeap use after free bugs
 +
| The ARM11-kernel did access the 'key' field of [[KLinkedListNode|KLinkedListNode]] objects, which are located on the SlabHeap, after freeing them. Thus, triggering an allocation of a new [[KLinkedListNode|KLinkedListNode]] object at the right time could result in a type-confusion. Pseudo-code:
 +
SlabHeap_free(KLinkedListNode);
 +
KObject *obj = KLinkedListNode->key;  // the object there might have changed!
 +
This bug appeared all over the place.
 +
| ARM11-kernelmode code exec maybe
 +
| [[8.0.0-18|8.0.0-18]]
 +
|
 +
| April 2015
 +
| [[User:Derrek|derrek]]
 
|-
 
|-
 
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
 
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/12581"

Navigation menu