3DS System Flaws: Difference between revisions
Revision by EvilFlight (talk | contribs), no edit summary.

! Timeframe this was added to wiki
! Discovered by
|-
| [[Config_Services|CFG]]:CreateConfigInfoBlk integer underflow
| When creating a new block, the service checks that the block size is <= 0x8000, but it does not check that the block size is less than the remaining space. This causes an integer underflow (remaining_space-block_size); the result is then used in another check (buf_start+current_offset+constant <= remaining_space-block_size) and in a memcpy call (dest = buf_start+(u16)(remaining_space-block_size), size = block_size). This allows writing past the buffer; however, because of the u16 cast in the memcpy call, memory has to be mapped from buf_start to buf_start+0x10000 (it cannot write backward).
| Theoretically ROP under CFG services, but the BSS section is too small (size <= 0x10000), so it only results in a crash.
| None
| [[11.8.0-41]]
| November, 2018
| November 24, 2018
| [[User:Nba_Yoh|MrNbaYoh]]
|-
| [[MP:SendDataFrame]] missing input array index validation
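To make the check described in the CFG:CreateConfigInfoBlk entry above concrete, here is an added C model (not the actual CFG service code; the header constant, buffer sizes and function names are constructed placeholders) of the flawed validation beside one that rejects the block before the subtraction can wrap:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the size validation described in the wiki entry.
 * Offsets are relative to buf_start; the real constant is unknown here. */
#define MAX_BLOCK_SIZE  0x8000u
#define HEADER_CONSTANT 0x10u   /* placeholder for the constant in the check */

/* Flawed check: block_size <= 0x8000 is enforced, but block_size is never
 * compared against remaining_space, so the subtraction can wrap to a huge
 * uint32 and the second comparison passes trivially. */
bool flawed_accepts(uint32_t remaining_space, uint32_t current_offset,
                    uint32_t block_size) {
    if (block_size > MAX_BLOCK_SIZE) return false;
    uint32_t new_remaining = remaining_space - block_size; /* may underflow */
    return current_offset + HEADER_CONSTANT <= new_remaining;
}

/* Hardened check: reject oversized blocks before subtracting, so the
 * remaining-space arithmetic can never wrap. */
bool hardened_accepts(uint32_t remaining_space, uint32_t current_offset,
                      uint32_t block_size) {
    if (block_size > MAX_BLOCK_SIZE) return false;
    if (block_size > remaining_space) return false;   /* the missing check */
    uint32_t new_remaining = remaining_space - block_size;
    return current_offset + HEADER_CONSTANT <= new_remaining;
}

/* Destination offset the flawed path would hand to memcpy; the u16 cast
 * mirrors the behaviour the entry describes (forward-only, < 0x10000). */
uint32_t flawed_dest_offset(uint32_t remaining_space, uint32_t block_size) {
    return (uint16_t)(remaining_space - block_size);
}

int main(void) {
    /* Constructed state: 0x100 bytes left, 0x20 already used. */
    uint32_t rem = 0x100, off = 0x20, big = 0x200;
    printf("flawed accepts oversized block: %d\n", flawed_accepts(rem, off, big));
    printf("hardened accepts it:            %d\n", hardened_accepts(rem, off, big));
    printf("flawed memcpy dest offset:      0x%X\n", flawed_dest_offset(rem, big));
    return 0;
}
```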