Changes

424 bytes added, 21:24, 29 July 2014
Line 68: Line 68:     
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.
 
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.
 +
| [[5.0.0-11]]
 +
|-
 +
| [[SVC|SVC stack allocation overflows]]
 +
| svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN only checked bit31 before multiplying by 4/16. If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack. It might allow for arbitrary kernel code execution.
 
| [[5.0.0-11]]
 
| [[5.0.0-11]]
 
|-
 
|-
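Review bot: the new row's description ("only checked bit31 before multiplying by 4/16") names the missing check only indirectly; it should state that a sign check on the count does not bound count*4 or count*16 to 32 bits, so the product wraps and the stack allocation is smaller than the number of elements the syscall then writes, and that the fix is a bound on the count (or on the product) before allocation. It also does not say which of the five listed syscalls use the 4-byte and which the 16-byte element size, nor which argument carries the count; listing that per syscall would let readers see which inputs are affected. Finally, "It might allow for arbitrary kernel code execution" is a hedge: if kernel code execution is confirmed, say so, otherwise describe the confirmed effect (a kernel-mode stack overflow) and mark the escalation as unconfirmed, consistent with the other rows in this table.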
