6,264
edits
Changes
Jump to navigation
Jump to search
Line 50:
Line 50: + + + + + + + + + + + +
→System flaws
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.
| [[4.0.0-7]]
| [[4.0.0-7]]
|}
=== FIRM ARM11 modules ===
{| class="wikitable" border="1"
|-
! Summary
! Description
! Fixed in system version
|-
| [[Services|"srv:pm"]] process registration
| Originally the service-manager didn't restrict the number of sessions for "srv:pm". The processIDs used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", which therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list. This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] the service-manager will execute [[SVC|svcBreak]] when another session for "srv:pm" is attempting to be opened after the [[Process_Manager_Services|initial]] session. This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
| [[7.0.0-13]]
|}
|}