3DS System Flaws: Difference between revisions

Line 39:

| None

|-

| [[~~Services_API~~|Command]] input/output buffer permissions

| [[RPC_Command_Structure|Command]] input/output buffer permissions

| Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.

| [[4.0.0-7]]

Line 59:

| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.

| [[4.0.0-7]]

|-

| [[RPC_Command_Structure|Command]] request/response buffer overflow

| Originally the kernel did not check the word-values from the command-header. Starting with [[5.0.0-11]], the kernel will trigger a kernelpanic() when the total word-size of the entire command(including the cmd-header) is larger than 0x40-words(0x100-bytes). This allows overwriting threadlocalstorage+0x180 in the destination thread, however since the data written there would be translate parameters(such as header-words + buffer addresses), exploiting this would likely be very difficult if possible at all.

If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.

| [[5.0.0-11]]

|}

@@ Line 39: / Line 39: @@
 | None
 |-
-| [[Services_API|Command]] input/output buffer permissions
+| [[RPC_Command_Structure|Command]] input/output buffer permissions
 | Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.
 | [[4.0.0-7]]
@@ Line 59: / Line 59: @@
 | Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.
 | [[4.0.0-7]]
+|-
+| [[RPC_Command_Structure|Command]] request/response buffer overflow
+| Originally the kernel did not check the word-values from the command-header. Starting with [[5.0.0-11]], the kernel will trigger a kernelpanic() when the total word-size of the entire command(including the cmd-header) is larger than 0x40-words(0x100-bytes). This allows overwriting threadlocalstorage+0x180 in the destination thread, however since the data written there would be translate parameters(such as header-words + buffer addresses), exploiting this would likely be very difficult if possible at all.
+If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.
+| [[5.0.0-11]]
 |}