3DS System Flaws: Difference between revisions
SPI lenny (→Standalone Sysmodules)
New 0day. By the way this was fixed in Luma3DS's reimpl since 2017 (→FIRM Sysmodules)
Line 934: | Line 934: | ||
| [[User:Yellows8|Yellows8]] | | [[User:Yellows8|Yellows8]] | ||
|- | |- | ||
| [[SM]] | | Useless [[SM]] off-by-one write | ||
| After accepting a new session, [[SM]] writes a (handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS) pair in a global array. However that array is only 64-entry-big instead of 65 (as it ought to be), and no bound check is done in that regard. | | After accepting a new session, [[SM]] writes a (handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS) pair in a global array. However that array is only 64-entry-big instead of 65 (as it ought to be), and no bound check is done in that regard. | ||
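Review bot: the renamed summary calls this off-by-one write "useless", but the description in the same row still only gives the cause (a 64-entry global array where 65 entries are needed, and no bound check) and never says what lies after that array in BSS or why writing the 65th (handler ID, context pointer) pair there has no effect; add a sentence stating what the out-of-bounds entry lands on, so the "useless" verdict can be checked against the description rather than taken on trust.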
Line 943: | Line 943: | ||
| | | | ||
| | | | ||
|- | |||
| smpwn | |||
| When registering a new service (or "port"), no bound checks are done on the service table. One can simply call RegisterPort repeatedly to overflow that table: it will overflow into the command replay structure. | |||
Combined with a other minor bugs in the sysmodule, it is possible to take over [[SM]] with this nevertheless difficult-to-exploit vulnerability. | |||
| Code execution under [[SM]], etc. | |||
| None | |||
| [[11.14.0-46]] | |||
| July 2017 | |||
| [[User:TuxSH|TuxSH]] (independently), presumably ichfly before | |||
|} | |} | ||
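Review bot: the new smpwn description has a typo, "Combined with a other minor bugs" should read "Combined with other minor bugs". The row also lists "None" for the fix while the edit summary states the bug has been fixed in Luma3DS's reimplementation since 2017; spell out in the description that "None" refers to Nintendo's official system versions and that the fix exists only in Luma3DS's reimplementation of [[SM]], with stock firmware still affected as of [[11.14.0-46]], so the two statements do not read as a contradiction. Finally, "presumably ichfly before" is speculation; either cite where ichfly described the bug or drop that clause from the discoverer cell.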