3DS System Flaws: Difference between revisions
Slashmolder (talk | contribs) |
No edit summary |
||
Line 122: | Line 122: | ||
| 2013? | | 2013? | ||
| [[User:Yellows8|Yellows8]] | | [[User:Yellows8|Yellows8]] | ||
|- | |||
| [[PXI_Registers|PXI]] cmdbuf buffer overrun | |||
| The Process9 code responsible [[PXI_Registers|PXI]] communications didn't verify the size of the incoming command before writing it to a C++ member variable. | |||
| Probably ARM9 code execution | |||
| [[5.0.0-11|5.0.0-11]] | |||
| | |||
| March 2015 | |||
| plutoo/[[User:Yellows8|Yellows8]] | |||
|- | |- | ||
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]]) | | [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]]) | ||
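Review bot: the description cell of the added "PXI cmdbuf buffer overrun" row is missing a word. "The Process9 code responsible [[PXI_Registers|PXI]] communications" should read "responsible for", as the pxi_id row added later in this revision does. The description would also be more useful if it stated what the incoming command size should have been checked against (the capacity of the member variable it is written to), since that is the bound the overrun crosses. The row leaves the cell between "[[5.0.0-11|5.0.0-11]]" and "March 2015" empty; if that is intentional, an explicit placeholder would make that clear.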
Line 139: | Line 147: | ||
| 2012 | | 2012 | ||
| [[User:Yellows8|Yellows8]] | | [[User:Yellows8|Yellows8]] | ||
|- | |||
| [[PXI_Registers|PXI]] pxi_id bad check | |||
| The Process9 code responsible for [[PXI_Registers|PXI]] communications read pxi_id as a signed char. There were two flaws: | |||
* They used it as index to a lookup-table without checking the value at all. | |||
* Another function verified that pxi_id < 7, allowing negative values to pass the check. This would also cause an out-of-range table-lookup. | |||
| Maybe ARM9 code execution | |||
| [[3.0.0-5|3.0.0-5]] | |||
| | |||
| March 2015 | |||
| plutoo/[[User:Yellows8|Yellows8]] | |||
|} | |} | ||
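Review bot: in the added "pxi_id bad check" row, the two bullets do not say which code paths they refer to. The first says the value was used as a lookup-table index "without checking the value at all" and the second says "Another function verified that pxi_id < 7", so naming or otherwise distinguishing the two functions would let readers see these as separate sites. "They used it as index" would read better as "It was used as an index", and the second bullet could state directly that the comparison was signed, which is why negative values satisfy pxi_id < 7. As in the other added row, the cell between "[[3.0.0-5|3.0.0-5]]" and "March 2015" is left empty without a placeholder.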