3DS System Flaws: Difference between revisions
| Line 46: | Line 46: | ||
|- | |- | ||
| [[SVC|svcStartInterProcessDma]] | | [[SVC|svcStartInterProcessDma]] | ||
| Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction. | | For svcStartInterProcessDma, the kernel code had the following flaws: | ||
* Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction. | |||
* Integer overflows for srcaddr+size and dstaddr+size are now checked(with [[6.0.0-11]]), which were not checked before. | |||
* The kernel now also checks whether the srcaddr/dstaddr(+size) is within userland memory(0x20000000), the kernel now(with [[6.0.0-11]]) returns an error when the address is beyond userland memory. Using an address >=0x20000000 would only result in the kernel reading from the process L1 MMU table, beyond the memory allocated for that MMU table(for vaddr->physaddr conversion), therefore this issue likely(?) wasn't useful. | |||
| [[6.0.0-11]] | | [[6.0.0-11]] | ||
|- | |- | ||