Changes

162 bytes added ,  11:46, 19 December 2016
m (minor edit)
Line 439: Line 439:  
| '''This is completely different from the kernelmode-code-execution vuln described in the below separate entry.'''
 
| '''This is completely different from the kernelmode-code-execution vuln described in the below separate entry.'''
   −
When updating the kernel global PID counter under [[SVC|svcCreateProcess]] the kernel does not check for wraparound to 0x0(the PID for the very first process). This only matters because [[Services|SM-module]] allows processes with PID value less than <total ARM11 FIRM modules> to access ''all'' services, without checking exheader service-access-control. This alone does not affect access to [[SVC|SVCs]] at all.
+
When updating the kernel global PID counter under [[SVC|svcCreateProcess]] the kernel does not check for wraparound to 0x0(the PID for the very first process). This only matters because [[Services|SM-module]] allows processes with PID value less than <total ARM11 FIRM modules> to access ''all'' services, without checking exheader service-access-control; and because Kernel11 checks for the PID to be 1 (loader) to use the input mem-region value on ControlMemory. This alone does not affect access the [[SVC|SVCs]] access table at all.
    
Inlined ldrex+strex code is used for updating the above counter. [[11.2.0-35|11.2.0-X]] had changes for similar code, but it was only for dedicated ldrex+strex functions(mainly for kernel objects) and hence this PID code was not affected.
 
Inlined ldrex+strex code is used for updating the above counter. [[11.2.0-35|11.2.0-X]] had changes for similar code, but it was only for dedicated ldrex+strex functions(mainly for kernel objects) and hence this PID code was not affected.
    
With launching+terminating a sysmodule repeatedly with this via ns:s, it would take weeks to finish(if not at least about a month?).
 
With launching+terminating a sysmodule repeatedly with this via ns:s, it would take weeks to finish(if not at least about a month?).
| Access to all [[Services_API|services]].
+
| Access to all [[Services_API|services]], ControlMemory on any given mem-region.
 
| None
 
| None
 
| [[11.2.0-35|11.2.0-X]]
 
| [[11.2.0-35|11.2.0-X]]
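Review bot: the rewritten closing sentence of the first paragraph is missing a word: "This alone does not affect access the [[SVC|SVCs]] access table at all" should read "This alone does not affect the [[SVC|SVC]] access table at all". The newly added clause, that Kernel11 only honours the input mem-region value on ControlMemory when the caller's PID is 1 (loader), is what justifies the new "ControlMemory on any given mem-region" entry in the impact cell, but the preceding sentence only describes the counter wrapping to 0x0; a few words on how the wrapped counter comes to yield PID 1 would make the two claims line up for the reader. Given that the edit adds an impact item rather than just copy-editing, flagging it as a minor edit also seems off.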