Line 50:
Line 50:
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.
| [[4.0.0-7]]
| [[4.0.0-7]]
+
|}
+
+
=== FIRM ARM11 modules ===
+
{| class="wikitable" border="1"
+
|-
+
! Summary
+
! Description
+
! Fixed in system version
+
|-
+
| [[Services|"srv:pm"]] process registration
+
| Originally the service-manager didn't restrict the number of sessions for "srv:pm". The processIDs used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", which therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list. This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] the service-manager will execute [[SVC|svcBreak]] when another session for "srv:pm" is attempting to be opened after the [[Process_Manager_Services|initial]] session. This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
+
| [[7.0.0-13]]
|}
|}
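Review bot: In the new "srv:pm" row's Description cell, the sentence "The processIDs used for the (un)registration commands are not checked either" is in the present tense while the rest of the entry is in the past tense, so it is unclear whether the processID check is still missing after [[7.0.0-13]] or was only missing originally. The fix that is described (svcBreak when a second "srv:pm" session is opened) covers only the session limit. Please state explicitly whether the processIDs are validated after the fix or whether the session restriction is the sole mitigation. Two smaller points in the same cell: "This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]]" repeats the version that the "Fixed in system version" column already gives, and "the <=v4.x Process9 PXI vulnerabilities" would be easier to follow with a link to the entry that documents them.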