11.1.0-34: Difference between revisions

(7 intermediate revisions by 2 users not shown)

Line 18:

====ARM11-kernel====

Exactly 3 functions were updated, these are for [[Memory_Management]]. In the New3DS kernel:

Exactly 3 functions were updated, these are for [[Memory_Management]]. Validation code for [[Memory_Management|memchunk-headers]] was changed. In the New3DS kernel:

* L_fff1aab0, prev ver @ L_fff1aab0.

* L_fff1c730, prev ver @ L_fff1c6f0.

* L_fff26410, prev ver @ L_fff26394.

All three functions now prevent negative chunk sizes to be used, which could have been used with hypotetical kernel-memory-read vulnerabilities to exploit the memory-management code.

The first function ("validateChunk") now makes sure that:

chunk + currentChunkSize >= currentChunk

when checking that the current chunk doesn't overlap with either the previous or next one.

The second function ("Kern::ControlMemory"), aside from other small changes, now makes additional checks on the previously allocated memory chunk; the code for that is now:

if(chunkSizeInPages >= regionSize >> 12 || chunk < regionBase || chunk + chunkSize < chunk || chunk + chunkSize > regionBase + regionSize) panic;

The third function ("insertChunk") now makes the following checks:

if(chunkSizeInPages >= regionSize >> 12 || regionBase + regionSize < chunk + chunkSize) panic;

// ...

if(leftChunk && leftChunk + leftChunkSize <= leftChunk) panic; // this check was already done on 'right'

====FIRM-modules====

Line 46:

Line 63:

* "Pokémon Moon"

~~fs adds a~~ new command ~~0x088600C0 that takes a title-id and an unknown byte (probably media-type?), and returns a bool~~.

A new FSUSER [[FS:CheckUpdatedDat|command]] was added. If the command returns an error, the caller assumes false.

If the command returns an error, the caller assumes false.

All code changes:

Line 62:

Line 78:

Same function also now checks for the "Animal Crossing: New Leaf" title in EUR+JAP+USA, and checks if [[Titles|major-version]] is higher than 3.

If version is <=3, it calls the new fs command ~~0x088600C0~~ with the title-id of the Animal Crossing game.

If version is <=3, it calls the new fs [[FS:CheckUpdatedDat|command]] with the title-id of the Animal Crossing game.

If the new fs command returns true, it returns that the game is not allowed to be launched, otherwise it will launch it despite being too old.

This functionality appears to be for preventing the user from switching from an newer version of the application to an older version, where the newer version isn't released yet at the time the sysupdate was released. The newer version would (presumably) write to savedata [[FS:CheckUpdatedDat|"/updated.dat"]], which would trigger launch-not-allowed if the user tries to run an older version of the application.

The only other changes are for some initialization-related(?) code, which seem to be minor.

====DSP-sysmodule====

The only actual ''code'' change was that the handler function called by the [[DSP:RegisterInterruptEvents]] function was updated. Validation code was added for the input at the beginning of the function.

====friends-sysmodule====

Line 78:

Line 101:

* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-13-16_12-05-19&sys=ctr]

* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-13-16_12-05-28&sys=ktr]

[[Category:Firmware Versions]]

@@ Line 18: / Line 18: @@
 ====ARM11-kernel====
-Exactly 3 functions were updated, these are for [[Memory_Management]]. In the New3DS kernel:
+Exactly 3 functions were updated, these are for [[Memory_Management]]. Validation code for [[Memory_Management|memchunk-headers]] was changed. In the New3DS kernel:
 * L_fff1aab0, prev ver @ L_fff1aab0.
 * L_fff1c730, prev ver @ L_fff1c6f0.
 * L_fff26410, prev ver @ L_fff26394.
+All three functions now prevent negative chunk sizes to be used, which could have been used with hypotetical kernel-memory-read vulnerabilities to exploit the memory-management code.
+The first function ("validateChunk") now makes sure that:
+ chunk + currentChunkSize >= currentChunk
+when checking that the current chunk doesn't overlap with either the previous or next one.
+The second function ("Kern::ControlMemory"), aside from other small changes, now makes additional checks on the previously allocated memory chunk; the code for that is now:
+ if(chunkSizeInPages >= regionSize >> 12 || chunk < regionBase || chunk + chunkSize < chunk || chunk + chunkSize > regionBase + regionSize) panic;
+The third function ("insertChunk") now makes the following checks:
+ if(chunkSizeInPages >= regionSize >> 12 || regionBase + regionSize < chunk + chunkSize) panic;
+ // ...
+ if(leftChunk && leftChunk + leftChunkSize <= leftChunk) panic; // this check was already done on 'right'
 ====FIRM-modules====
@@ Line 46: / Line 63: @@
 * "Pokémon Moon"
-fs adds a new command 0x088600C0 that takes a title-id and an unknown byte (probably media-type?), and returns a bool.
+A new FSUSER [[FS:CheckUpdatedDat|command]] was added. If the command returns an error, the caller assumes false.
-If the command returns an error, the caller assumes false.
 All code changes:
@@ Line 62: / Line 78: @@
 Same function also now checks for the "Animal Crossing: New Leaf" title in EUR+JAP+USA, and checks if [[Titles|major-version]] is higher than 3.
-If version is <=3, it calls the new fs command 0x088600C0 with the title-id of the Animal Crossing game.
+If version is <=3, it calls the new fs [[FS:CheckUpdatedDat|command]] with the title-id of the Animal Crossing game.
 If the new fs command returns true, it returns that the game is not allowed to be launched, otherwise it will launch it despite being too old.
+This functionality appears to be for preventing the user from switching from an newer version of the application to an older version, where the newer version isn't released yet at the time the sysupdate was released. The newer version would (presumably) write to savedata [[FS:CheckUpdatedDat|"/updated.dat"]], which would trigger launch-not-allowed if the user tries to run an older version of the application.
+The only other changes are for some initialization-related(?) code, which seem to be minor.
+====DSP-sysmodule====
+The only actual ''code'' change was that the handler function called by the [[DSP:RegisterInterruptEvents]] function was updated. Validation code was added for the input at the beginning of the function.
 ====friends-sysmodule====
@@ Line 78: / Line 101: @@
 * [https://yls8.mtheall.com/ninupdates/reports.php?date=09-13-16_12-05-19&sys=ctr]
 * [https://yls8.mtheall.com/ninupdates/reports.php?date=09-13-16_12-05-28&sys=ktr]
+[[Category:Firmware Versions]]