3DS System Flaws: Difference between revisions
Line 518:
! Timeframe this was discovered
! Discovered by
|-
| [[SVC|svcSetProcessIdealProcessor]] reference count overflow and therefore use-after-free.
| The SVC receives two arguments: a handle and an ideal processor index. The handle is used to look up the KProcess object, and KProcess->refCnt is incremented. The function then checks whether KProcess->mem_type != BASE and, if so, whether idealprocessor == 2 or idealprocessor != 3. The problem is that passing idealprocessor = 3 satisfies neither condition, so the function returns error 0xD9001BEA without decrementing the reference count.
It can be abused to overflow the KProcess reference count, which leads to a use-after-free.
| Before [[11.2.0-35|11.2.0-X]]: reference count overflow and therefore use-after-free.
|
| [[11.6.0-39|11.6.0-X]]
| November 2, 2017
| [[User:st4rk|st4rk]]
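The error-path reference leak described in the row above, modelled as an added example in C. This is not 3DS kernel code: the KProcess layout, the MEM_BASE/MEM_APPLICATION enum values, the idealProcessor field and the function names are assumptions, while refCnt, mem_type and the 0xD9001BEA result code follow the wiki text. The buggy shape leaks one reference per call that hits the failing argument check; the fixed shape releases on every exit. The refcount_drift harness is the kind of unit check that catches an unbalanced acquire/release path before it ships.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a reference-counted kernel process object. The field
 * names refCnt and mem_type follow the wiki text; the enum values, the
 * idealProcessor field and the helper names are assumptions. */
enum mem_type { MEM_BASE = 0, MEM_APPLICATION = 1 };

typedef struct {
    uint32_t refCnt;
    enum mem_type mem_type;
    uint32_t idealProcessor;
} KProcess;

#define RESULT_SUCCESS     0u
#define RESULT_INVALID_ARG 0xD9001BEAu   /* result code quoted on the page */

/* Every acquire must be paired with exactly one release on every exit path;
 * a missing release on an error path makes refCnt drift upward. */
static void kprocess_acquire(KProcess *p) { p->refCnt++; }
static void kprocess_release(KProcess *p) { p->refCnt--; }

/* Buggy shape described on the page: the argument check runs after the
 * reference was taken, and the error return skips the release. */
uint32_t set_ideal_processor_buggy(KProcess *p, uint32_t ideal)
{
    kprocess_acquire(p);
    if (p->mem_type != MEM_BASE) {
        /* Written as the page states it; (ideal == 2 || ideal != 3) reduces
         * to (ideal != 3), so only ideal == 3 reaches the error return. */
        if (!(ideal == 2 || ideal != 3))
            return RESULT_INVALID_ARG;        /* BUG: reference never released */
    }
    p->idealProcessor = ideal;
    kprocess_release(p);
    return RESULT_SUCCESS;
}

/* Fixed shape: a single exit, and the release is unconditional. Validating
 * the argument before taking the reference would work equally well. */
uint32_t set_ideal_processor_fixed(KProcess *p, uint32_t ideal)
{
    uint32_t res = RESULT_SUCCESS;
    kprocess_acquire(p);
    if (p->mem_type != MEM_BASE && !(ideal == 2 || ideal != 3)) {
        res = RESULT_INVALID_ARG;
    } else {
        p->idealProcessor = ideal;
    }
    kprocess_release(p);                      /* runs on the error path too */
    return res;
}

typedef uint32_t (*svc_fn)(KProcess *, uint32_t);

/* Unit-check harness: call an SVC implementation n times on a fresh non-BASE
 * process and report how far refCnt drifted from its initial value. 0 means
 * every path is balanced; anything else is a leak that, given enough calls,
 * wraps the counter so a later release frees an object still in use. */
uint32_t refcount_drift(svc_fn svc, uint32_t ideal, unsigned n)
{
    KProcess p = { .refCnt = 1, .mem_type = MEM_APPLICATION, .idealProcessor = 0 };
    for (unsigned i = 0; i < n; i++)
        svc(&p, ideal);
    return p.refCnt - 1;
}

/* Result code an implementation returns for one call on a fresh process. */
uint32_t svc_result(svc_fn svc, uint32_t ideal)
{
    KProcess p = { .refCnt = 1, .mem_type = MEM_APPLICATION, .idealProcessor = 0 };
    return svc(&p, ideal);
}

int main(void)
{
    printf("buggy, ideal=3, 1000 calls: drift %" PRIu32 "\n",
           refcount_drift(set_ideal_processor_buggy, 3, 1000));
    printf("fixed, ideal=3, 1000 calls: drift %" PRIu32 "\n",
           refcount_drift(set_ideal_processor_fixed, 3, 1000));
    printf("fixed returns 0x%08" PRIX32 " for ideal=3\n",
           svc_result(set_ideal_processor_fixed, 3));
    return 0;
}
```

Running the drift check with the error-triggering argument is what exposes the bug: the buggy variant drifts by exactly one per call while still returning the documented error code, and the fixed variant returns the same error code with no drift. A check like this belongs beside every SVC that takes a reference and has more than one return.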
|-
| [[SVC|svcGetThreadList]] process reference leak