3DS System Flaws: Difference between revisions
→Kernel11: table says FIRM version, not full system version |
|||
| Line 620: | Line 620: | ||
! Timeframe this was added to wiki | ! Timeframe this was added to wiki | ||
! Discovered by | ! Discovered by | ||
|- | |||
| [[MVD_Services|MVD]]: Stack buffer overflow with [[MVDSTD:SetupOutputBuffers]]. | |||
| The input total_entries is not validated when initially processing the input entry-list. This fixed-size input entry-list is copied to stack from the command request. The loop for processing this initializes a global table, the converted linearmem->physaddrs used there are also copied to stack(0x8-bytes of physaddrs per entry). | |||
If total_entries is too large, MVD-sysmodule will crash due to reading unmapped memory following the stack(0x10000000). Afterwards if the out-of-bounds total_entries is smaller than that, it will crash due accessing address 0x0, hence this useless. | |||
| MVD-sysmodule crash. | |||
| None | |||
| [[9.0.0-20]] | |||
| April 22, 2016 (Tested on the 25th) | |||
| April 25, 2016 | |||
| [[User:Yellows8|Yellows8]] | |||
|- | |- | ||
| [[NWM_Services|NWM]]: Using CTRSDK heap with UDS sharedmem from the user-process. | | [[NWM_Services|NWM]]: Using CTRSDK heap with UDS sharedmem from the user-process. | ||
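Review bot: In the description cell of the new MVD row, the closing sentence ("Afterwards if the out-of-bounds total_entries is smaller than that, it will crash due accessing address 0x0, hence this useless.") is missing words and leaves its threshold undefined. Suggest "due to accessing address 0x0, hence this is useless", and say what "that" refers to, since the preceding sentence only says "too large". The row would also be easier to verify if it stated the capacity of the fixed-size entry-list, that is, the largest total_entries value that stays in bounds: the text says the count is not validated but never says against what limit.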