3dbrew

3DS System Flaws: Difference between revisions

← Older editNewer edit →
No edit summary
Line 71: Line 71:
|-
|-
| [[SVC|SVC stack allocation overflows]]
| [[SVC|SVC stack allocation overflows]]
| svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN only checked bit31 before multiplying by 4/16. If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack. It might allow for arbitrary kernel code execution.
|  
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun.
* The alignment (size+7)&~7 calucation before allocation was not checked for integer overflow.
 
This might allow for ARM11 kernel code-execution.
 
(Applies to svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN.)
| [[5.0.0-11]]
| [[5.0.0-11]]
|-
|-
Retrieved from "https://www.3dbrew.org/wiki/3DS_System_Flaws"