6,264
edits
Changes
Jump to navigation
Jump to search
Line 435:
Line 435: + + + + + + + + + + + + + +
→Kernel11
|
|
| Everyone
| Everyone
|-
| veryslowpidhax
| '''This is completely different from the kernelmode-code-execution vuln described in the below separate entry.'''
When updating the kernel global PID counter under [[SVC|svcCreateProcess]] the kernel does not check for wraparound to 0x0(the PID for the very first process). This only matters because [[Services|SM-module]] allows processes with PID value less than <total ARM11 FIRM modules> to access ''all'' services, without checking exheader service-access-control. This alone does not affect access to [[SVC|SVCs]] at all.
Inlined ldrex+strex code is used for updating the above counter. [[11.2.0-35|11.2.0-X]] had changes for similar code, but it was only for dedicated ldrex+strex functions(mainly for kernel objects) and hence this PID code was not affected.
With launching+terminating a sysmodule repeatedly with this via ns:s, it would take weeks to finish(if not at least about a month?).
| Access to all [[Services_API|services]].
| None
| [[11.2.0-35|11.2.0-X]]
| 2012 maybe?
|
|-
|-
| slowhax
| slowhax