3DS System Flaws: Difference between revisions
Line 620:
| [[10.0.0-27|10.0.0-X]]
| April 8, 2016 (Tested on the 10th)
| April 10, 2016
| [[User:Yellows8|Yellows8]]
|-
| [[DLP_Services|DLP]]: Out-of-bounds output data writing during spectator sysupdate titlelist [[Download_Play|data-frame]] handling
| The total_entries and out_entryindex fields of the titlelist DLP spectator data-frames are not validated. These frames are parsed during DLP network scanning, so a crafted frame makes the parser write the supplied titlelist data out of bounds, at an attacker-chosen out_entryindex and with an attacker-chosen length (total_entries). If total_entries is larger than 0x27A, reading the titlelist from the input data-frame runs into unmapped memory and crashes.
There is little non-zero data after the output buffer (which is located in sharedmem) to overwrite, and the pointers that are there also point into sharedmem. Overwriting certain of those pointers is only known to cause a crash when the DLP-client shutdown service-command is used afterwards.
There is no known way to exploit that crash, since the linked-list code involved only writes zeros (with a controlled start pointer).
| | |||
| None | |||
| [[10.0.0-27|10.0.0-X]] | |||
| April 8-9, 2016 | |||
| April 10, 2016 | | April 10, 2016 | ||
| [[User:Yellows8|Yellows8]] | | [[User:Yellows8|Yellows8]] |
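The following is an added illustration of the unvalidated-field bug described in the row above; it is not code from 3dbrew or from the DLP module itself. A flat byte array stands in for sharedmem: the output titlelist buffer at offset 0, followed by a planted value standing in for one of the pointers the description says sit after it. One handler copies entries with out_entryindex and total_entries unchecked, as the page describes, and a second handler beside it applies the range checks a fixed parser would need. The frame structure, the 16-byte entry size, the 64-entry buffer capacity, the planted pointer value and the use of 0x27A as the bound on the input read are assumptions made for the demonstration; only the field names and the 0x27A threshold come from the description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative layout only (assumed): the page documents the field names, the
 * 0x27A read-crash threshold and that the output buffer lives in sharedmem
 * followed mostly by zeros and a few pointers, nothing more. */
#define ENTRY_SIZE        16      /* assumed bytes per titlelist entry */
#define OUT_CAPACITY      64      /* assumed entries in the sharedmem output buffer */
#define OUT_BYTES         (OUT_CAPACITY * ENTRY_SIZE)
#define READ_MAX_ENTRIES  0x27A   /* page: larger counts read past the frame into unmapped memory */
#define SHM_SIZE          (OUT_BYTES + 4 + 4 * ENTRY_SIZE) /* buffer, stand-in pointer, slack */
#define PLANTED_PTR       0x08001000u  /* arbitrary value for the stand-in pointer */

/* Model of sharedmem as one flat object, so the deliberate overflow below stays
 * inside the process and its effect on the stand-in pointer can be observed. */
static uint8_t shm[SHM_SIZE];

struct titlelist_frame {
    uint32_t total_entries;   /* attacker-controlled: entries carried by this frame */
    uint32_t out_entryindex;  /* attacker-controlled: slot to start writing at */
    const uint8_t *entries;   /* total_entries * ENTRY_SIZE bytes of titlelist data */
};

static void shm_reset(void)
{
    uint32_t p = PLANTED_PTR;
    memset(shm, 0, sizeof shm);
    memcpy(shm + OUT_BYTES, &p, sizeof p);   /* plant the pointer right after the buffer */
}

static uint32_t shm_trailing_ptr(void)
{
    uint32_t p;
    memcpy(&p, shm + OUT_BYTES, sizeof p);
    return p;
}

/* Vulnerable handler, as the page describes it: neither field is validated, so
 * the copy lands wherever out_entryindex and total_entries point it. */
static void handle_frame_unchecked(const struct titlelist_frame *f)
{
    memcpy(shm + (size_t)f->out_entryindex * ENTRY_SIZE, f->entries,
           (size_t)f->total_entries * ENTRY_SIZE);
}

/* Hardened handler: bound the read from the input frame and the write into the
 * output buffer. The index test is arranged so index + count cannot wrap. */
static bool handle_frame_checked(const struct titlelist_frame *f)
{
    if (f->total_entries > READ_MAX_ENTRIES)                 return false; /* would read past the frame */
    if (f->total_entries > OUT_CAPACITY)                     return false; /* cannot fit even at index 0 */
    if (f->out_entryindex > OUT_CAPACITY - f->total_entries) return false; /* range leaves the buffer */
    memcpy(shm + (size_t)f->out_entryindex * ENTRY_SIZE, f->entries,
           (size_t)f->total_entries * ENTRY_SIZE);
    return true;
}

/* Constructed frame: two 'A'-filled entries aimed at the last slot, so the
 * second entry spills over the stand-in pointer. */
static struct titlelist_frame overflow_frame(void)
{
    static uint8_t payload[2 * ENTRY_SIZE];
    struct titlelist_frame f = { 2, OUT_CAPACITY - 1, payload };
    memset(payload, 'A', sizeof payload);
    return f;
}

/* Stand-in pointer after the unchecked handler ran: 0x41414141 once clobbered. */
uint32_t demo_unchecked(void)
{
    struct titlelist_frame f = overflow_frame();
    shm_reset();
    handle_frame_unchecked(&f);
    return shm_trailing_ptr();
}

/* Same frame through the hardened handler: rejected, pointer survives. */
bool demo_checked_rejects_overflow(void)
{
    struct titlelist_frame f = overflow_frame();
    shm_reset();
    return !handle_frame_checked(&f) && shm_trailing_ptr() == PLANTED_PTR;
}

/* A count above 0x27A is refused before any entry is read (entries is NULL here). */
bool demo_checked_rejects_oversized_read(void)
{
    struct titlelist_frame f = { READ_MAX_ENTRIES + 1, 0, NULL };
    shm_reset();
    return !handle_frame_checked(&f);
}

/* A well-formed frame that exactly fills the last two slots is still accepted. */
bool demo_checked_accepts_valid(void)
{
    static uint8_t payload[2 * ENTRY_SIZE];
    struct titlelist_frame f = { 2, OUT_CAPACITY - 2, payload };
    memset(payload, 'B', sizeof payload);
    shm_reset();
    return handle_frame_checked(&f) && shm[OUT_BYTES - 1] == 'B'
        && shm_trailing_ptr() == PLANTED_PTR;
}

int main(void)
{
    printf("unchecked: trailing ptr = 0x%08x\n", (unsigned)demo_unchecked());
    printf("checked: rejects overflow=%d oversized read=%d accepts valid=%d\n",
           demo_checked_rejects_overflow(), demo_checked_rejects_oversized_read(),
           demo_checked_accepts_valid());
    return 0;
}
```

The order of the checks in the hardened handler matters: total_entries is bounded first, so `OUT_CAPACITY - total_entries` cannot underflow and the index comparison is exact for every 32-bit value of out_entryindex, which a naive `index + count <= capacity` test would not be.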