| When creating a new block it checks that the block size is <= 0x8000, but it doesn't check that the block size is less than the remaining space. This induces an integer underflow (remaining_space-block_size); the result is then used for another check (buf_start+current_offset+constant <= remaining_space-block_size) and then in a memcpy call (dest = buf_start+(u16)(remaining_space-block_size), size = block_size). This allows writing past the buffer; however, because of the u16 cast in the memcpy call, memory has to be mapped from buf_start to buf_start+0x10000 (cannot write backward).
| Theoretically ROP under CFG services, but the BSS section is too small (size <= 0x10000), so it only results in a crash.
| None
| [[11.8.0-41]]
| November, 2018
| November 24, 2018
| [[User:Nba_Yoh|MrNbaYoh]]
|-
| [[MP:SendDataFrame]] missing input array index validation