3DS System Flaws: Difference between revisions

Line 52:

* The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. This ''might'' have allowed any process to RW map for PA 0x14000000-0x28000000 using the LINEAR flag, and thereby RW access to entire kernel memory giving ARM11 kernel code-execution.

* Integer overflows on (addr0+size) are now checked that previously weren't.

* Integer overflows on (addr0+size) are now checked that previously weren't(this also applies to most other address checks elsewhere in the kernel).

| ~~Somewhere between 4~~.0 ~~and 6.3~~.

| [[5.0.0-11]]

|-

| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions

Line 71:

| Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list.

This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it.

This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it. With [[7.0.0-13]] there can only be one session for "srv:pm" open at a time(this is used by pm module), svcBreak will be executed if more sessions are opened by the processes which can access this.

This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).

| [[7.0.0-13]]

|}

@@ Line 52: / Line 52: @@
 * The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. This ''might'' have allowed any process to RW map for PA 0x14000000-0x28000000 using the LINEAR flag, and thereby RW access to entire kernel memory giving ARM11 kernel code-execution.
-* Integer overflows on (addr0+size) are now checked that previously weren't.
+* Integer overflows on (addr0+size) are now checked that previously weren't(this also applies to most other address checks elsewhere in the kernel).
-| Somewhere between 4.0 and 6.3.
+| [[5.0.0-11]]
 |-
 | [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
@@ Line 71: / Line 71: @@
 | Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list.
-This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it.
+This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it. With [[7.0.0-13]] there can only be one session for "srv:pm" open at a time(this is used by pm module), svcBreak will be executed if more sessions are opened by the processes which can access this.
 This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
 | [[7.0.0-13]]
 |}