11.1.0-34: Difference between revisions

(4 intermediate revisions by 2 users not shown)

Line 18:

====ARM11-kernel====

Exactly 3 functions were updated, these are for [[Memory_Management]]. In the New3DS kernel:

Exactly 3 functions were updated, these are for [[Memory_Management]]. Validation code for [[Memory_Management|memchunk-headers]] was changed. In the New3DS kernel:

* L_fff1aab0, prev ver @ L_fff1aab0.

* L_fff1c730, prev ver @ L_fff1c6f0.

* L_fff26410, prev ver @ L_fff26394.

All three functions now prevent negative chunk sizes to be used, which could have been used with hypotetical kernel-memory-read vulnerabilities to exploit the memory-management code.

The first function ("validateChunk") now makes sure that:

chunk + currentChunkSize >= currentChunk

when checking that the current chunk doesn't overlap with either the previous or next one.

The second function ("Kern::ControlMemory"), aside from other small changes, now makes additional checks on the previously allocated memory chunk; the code for that is now:

if(chunkSizeInPages >= regionSize >> 12 || chunk < regionBase || chunk + chunkSize < chunk || chunk + chunkSize > regionBase + regionSize) panic;

The third function ("insertChunk") now makes the following checks:

if(chunkSizeInPages >= regionSize >> 12 || regionBase + regionSize < chunk + chunkSize) panic;

// ...

if(leftChunk && leftChunk + leftChunkSize <= leftChunk) panic; // this check was already done on 'right'

====FIRM-modules====

Line 67:

Line 84:

The only other changes are for some initialization-related(?) code, which seem to be minor.

====DSP-sysmodule====

The only actual ''code'' change was that the handler function called by the [[DSP:RegisterInterruptEvents]] function was updated. Validation code was added for the input at the beginning of the function.

====friends-sysmodule====

Line 81:

Line 101:

* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-13-16_12-05-19&sys=ctr]

* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-13-16_12-05-28&sys=ktr]

[[Category:Firmware Versions]]

@@ Line 18: / Line 18: @@
 ====ARM11-kernel====
-Exactly 3 functions were updated, these are for [[Memory_Management]]. In the New3DS kernel:
+Exactly 3 functions were updated, these are for [[Memory_Management]]. Validation code for [[Memory_Management|memchunk-headers]] was changed. In the New3DS kernel:
 * L_fff1aab0, prev ver @ L_fff1aab0.
 * L_fff1c730, prev ver @ L_fff1c6f0.
 * L_fff26410, prev ver @ L_fff26394.
+All three functions now prevent negative chunk sizes to be used, which could have been used with hypotetical kernel-memory-read vulnerabilities to exploit the memory-management code.
+The first function ("validateChunk") now makes sure that:
+ chunk + currentChunkSize >= currentChunk
+when checking that the current chunk doesn't overlap with either the previous or next one.
+The second function ("Kern::ControlMemory"), aside from other small changes, now makes additional checks on the previously allocated memory chunk; the code for that is now:
+ if(chunkSizeInPages >= regionSize >> 12 || chunk < regionBase || chunk + chunkSize < chunk || chunk + chunkSize > regionBase + regionSize) panic;
+The third function ("insertChunk") now makes the following checks:
+ if(chunkSizeInPages >= regionSize >> 12 || regionBase + regionSize < chunk + chunkSize) panic;
+ // ...
+ if(leftChunk && leftChunk + leftChunkSize <= leftChunk) panic; // this check was already done on 'right'
 ====FIRM-modules====
@@ Line 67: / Line 84: @@
 The only other changes are for some initialization-related(?) code, which seem to be minor.
+====DSP-sysmodule====
+The only actual ''code'' change was that the handler function called by the [[DSP:RegisterInterruptEvents]] function was updated. Validation code was added for the input at the beginning of the function.
 ====friends-sysmodule====
@@ Line 81: / Line 101: @@
 * [https://yls8.mtheall.com/ninupdates/reports.php?date=09-13-16_12-05-19&sys=ctr]
 * [https://yls8.mtheall.com/ninupdates/reports.php?date=09-13-16_12-05-28&sys=ktr]
+[[Category:Firmware Versions]]