3DS System Flaws: Difference between revisions
Line 105:

Old revision:
|
| None
| [[9.3.0-21|9.3.0-
|
|
|-
|
|
| When combined with other flaws: ARM11-kernelmode code execution
| [[9.3.0-21|9.3.0-21]]

New revision:
|
| None
| [[9.3.0-21|9.3.0-X]]
|
|
|-
| memchunkhax
| The kernel originally did not validate the data stored in the FCRAM kernel heap memchunk-headers for free-memory at all. Exploiting this requires raw R/W access to these memchunk-headers, like physical-memory access with gspwn.
There are ''multiple'' ways to exploit this, but the end-result for most of these is the same: overwrite code in AXIWRAM via the 0xEFF00000/0xDFF00000 kernel virtual-memory mapping.
This was fixed in [[9.3.0-21|9.3.0-X]] by checking that the memchunk (including size, next, and prev ptrs) is located within the currently used heap memory. The kernel may also check that the next/prev ptrs are valid compared to other memchunk-headers basically. When any of these checks fail, kernelpanic() is called.
| When combined with other flaws: ARM11-kernelmode code execution
| [[9.3.0-21|9.3.0-21]]