3DS System Flaws: Difference between revisions
No edit summary
Line 44: | Line 44: | ||
! Fixed in system version | ! Fixed in system version | ||
! Last FIRM version this was flaw was checked for | ! Last FIRM version this was flaw was checked for | ||
! Timeframe this was discovered | |||
|- | |- | ||
| [[SVC]] table too small | | [[SVC]] table too small | ||
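Review bot: the neighbouring header "Last FIRM version this was flaw was checked for" carries a stray "was" on both sides of the diff; since this revision already touches the header row to add "Timeframe this was discovered", suggest correcting it to "Last FIRM version this flaw was checked for" in the same edit.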
Line 51: | Line 52: | ||
| None | | None | ||
| [[9.3.0-21|9.3.0]] | | [[9.3.0-21|9.3.0]] | ||
| 2012 | |||
|- | |- | ||
| [[SVC|svcBackdoor (0x7B)]] | | [[SVC|svcBackdoor (0x7B)]] | ||
Line 61: | Line 63: | ||
| None | | None | ||
| [[9.3.0-21|9.3.0]] | | [[9.3.0-21|9.3.0]] | ||
| | |||
|- | |||
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions | |||
| Originally the ARM11-kernel didn't check permissions for PXI input/output buffers for commands. Starting with [[6.0.0-11|6.0.0]] PXI input/output buffers must have RW permissions, otherwise kernelpanic is triggered. | |||
| [[6.0.0-11|6.0.0]] | |||
| | |||
| 2012 | |||
|- | |- | ||
| [[SVC|svcStartInterProcessDma]] | | [[SVC|svcStartInterProcessDma]] | ||
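Review bot: the new PXI row leaves the "Last FIRM version this was flaw was checked for" cell empty, and the svcBackdoor row receives an empty timeframe cell; the svcStartInterProcessDma row below writes "unknown" where it lacks a value, so suggest doing the same here rather than leaving blanks that read as omissions. Minor: "kernelpanic" in the PXI description should be "kernel panic".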
Line 72: | Line 81: | ||
| [[6.0.0-11]] | | [[6.0.0-11]] | ||
| | | | ||
| DmaConfig issue: unknown. The rest: 2014 | |||
|- | |- | ||
| [[SVC|svcControlMemory]] Parameter checks | | [[SVC|svcControlMemory]] Parameter checks | ||
Line 89: | Line 99: | ||
| [[5.0.0-11]] | | [[5.0.0-11]] | ||
| | | | ||
| v4.1 FIRM -> v5.0 code diff | |||
|- | |- | ||
| [[SVC|SVC stack allocation overflows]] | | [[SVC|SVC stack allocation overflows]] | ||
| | | | ||
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun. | * Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun. | ||
* The alignment (size+7)&~7 | * The alignment (size+7)&~7 calculation before allocation was not checked for integer overflow. | ||
This might allow for ARM11 kernel code-execution. | This might allow for ARM11 kernel code-execution. | ||
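Review bot: "v4.1 FIRM -> v5.0 code diff" in the new timeframe cell for the svcControlMemory parameter-check row (and again for the SVC stack allocation overflows row below) records how the flaw was found, not when; either add the year alongside it or widen the column heading to cover the discovery source as well, otherwise the column mixes dates with evidence.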
Line 100: | Line 111: | ||
| [[5.0.0-11]] | | [[5.0.0-11]] | ||
| | | | ||
| v4.1 FIRM -> v5.0 code diff | |||
|- | |- | ||
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions | | [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions | ||
Line 105: | Line 117: | ||
| [[4.1.0-8]] | | [[4.1.0-8]] | ||
| | | | ||
| 2012 | |||
|- | |- | ||
| [[RPC_Command_Structure|Command]] input/output buffer permissions | | [[RPC_Command_Structure|Command]] input/output buffer permissions | ||
Line 110: | Line 123: | ||
| [[4.0.0-7]] | | [[4.0.0-7]] | ||
| | | | ||
| 2012 | |||
|- | |- | ||
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions | | [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions | ||
Line 115: | Line 129: | ||
| [[4.0.0-7]] | | [[4.0.0-7]] | ||
| | | | ||
| 2012? | |||
|} | |} | ||
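Review bot: "2012?" in the svcReadProcessMemory/svcWriteProcessMemory row marks an uncertain value with a bare question mark; the svcStartInterProcessDma row spells out "unknown", so suggest "2012 (uncertain)" or "unknown" for consistency, so a reader can tell a guessed year from a confirmed one.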