3DS System Flaws: Difference between revisions
Edit summary: →Kernel11: Multiple KLinkedListNode SlabHeap use after free bugs
Line 265 (unchanged context in both revisions):
| February 2014
| [[User:Yellows8|Yellows8]]
|-

Row added in the new revision:
| Multiple [[KLinkedListNode|KLinkedListNode]] SlabHeap use after free bugs
| The ARM11 kernel accessed the 'key' field of [[KLinkedListNode|KLinkedListNode]] objects, which live on the SlabHeap, after freeing them. Triggering an allocation of a new [[KLinkedListNode|KLinkedListNode]] object at the right time could therefore result in a type confusion. Pseudo-code:
 SlabHeap_free(KLinkedListNode);
 KObject *obj = KLinkedListNode->key; // the object there might have changed!
This bug appeared all over the place.
| ARM11-kernelmode code exec maybe
| [[8.0.0-18|8.0.0-18]]
|
| April 2015
| [[User:Derrek|derrek]]
|-

Unchanged context following the added row:
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
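The use-after-free described in the added row, worked through on a toy slab allocator. This is an added example, not code from 3dbrew or from the 3DS kernel: the `KObject`, `KLinkedListNode` and `SlabHeap` layouts, the LIFO free list, and the function names are assumptions chosen only to make the slot reuse visible. `release_node_vulnerable` mirrors the page's pseudo-code (free first, then read `key`); `release_node_fixed` shows the ordering that avoids the stale read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins (assumptions, not the real 3DS kernel structures). */
typedef struct KObject {
    uint32_t type_id;
    const char *name;
} KObject;

typedef struct KLinkedListNode {
    struct KLinkedListNode *next;   /* reused as the free-list link while the node is free */
    struct KLinkedListNode *prev;
    KObject *key;                   /* the object this node refers to */
} KLinkedListNode;

#define SLAB_NODES 4
typedef struct {
    KLinkedListNode nodes[SLAB_NODES];
    KLinkedListNode *free_head;
} SlabHeap;

static void slab_init(SlabHeap *s) {
    memset(s, 0, sizeof *s);
    for (int i = 0; i < SLAB_NODES; i++)
        s->nodes[i].next = (i + 1 < SLAB_NODES) ? &s->nodes[i + 1] : NULL;
    s->free_head = &s->nodes[0];
}

/* LIFO free list: the most recently freed slot is handed out first. */
static KLinkedListNode *slab_alloc(SlabHeap *s, KObject *key) {
    KLinkedListNode *n = s->free_head;
    if (!n) return NULL;
    s->free_head = n->next;
    n->next = n->prev = NULL;
    n->key = key;
    return n;
}

static void slab_free(SlabHeap *s, KLinkedListNode *n) {
    n->key = NULL;          /* cleared here so that reuse is unmistakable in the demo */
    n->next = s->free_head;
    s->free_head = n;
}

/* Page's ordering: free, then dereference the stale node. An allocation that lands in the
   freed slot (simulated by `other_obj`) changes what `key` points to before it is read. */
KObject *release_node_vulnerable(SlabHeap *s, KLinkedListNode *n, KObject *other_obj) {
    slab_free(s, n);
    (void)slab_alloc(s, other_obj);   /* concurrent allocation reuses n's slot */
    KObject *obj = n->key;            /* use after free: now the new owner's key */
    return obj;
}

/* Safe ordering: copy `key` out before the node goes back to the slab. */
KObject *release_node_fixed(SlabHeap *s, KLinkedListNode *n, KObject *other_obj) {
    KObject *obj = n->key;
    slab_free(s, n);
    (void)slab_alloc(s, other_obj);   /* same reuse, but the result is already captured */
    return obj;
}

/* Self-contained scenario: returns the type_id of the object the release path ended up using.
   type_id 1 is the node's real object, type_id 2 is the object that reused the slot. */
uint32_t scenario(int fixed) {
    SlabHeap s;
    slab_init(&s);
    KObject proc = {1, "process"};    /* constructed sample objects */
    KObject other = {2, "other"};
    KLinkedListNode *n = slab_alloc(&s, &proc);
    KObject *seen = fixed ? release_node_fixed(&s, n, &other)
                          : release_node_vulnerable(&s, n, &other);
    return seen->type_id;
}

int main(void) {
    printf("vulnerable order sees type_id %u (expected 1, got the slot's new owner)\n",
           (unsigned)scenario(0));
    printf("fixed order sees type_id %u\n", (unsigned)scenario(1));
    return 0;
}
```

The defect is purely one of ordering: nothing is corrupted by the free itself, so the bug only shows when another allocation races into the slot, which is why it could hide "all over the place" and why an audit for it should look for any read through a node pointer after the node's free call rather than for a particular crash.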