6,263
edits
Changes
Jump to navigation
Jump to search
Line 46:
Line 46: − + + + + + + +
→ARM11 kernel
|-
|-
| [[SVC|svcStartInterProcessDma]]
| [[SVC|svcStartInterProcessDma]]
| Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction.
| For svcStartInterProcessDma, the kernel code had the following flaws:
* Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction.
* Integer overflows for srcaddr+size and dstaddr+size are now checked(with [[6.0.0-11]]), which were not checked before.
* The kernel now also checks whether the srcaddr/dstaddr(+size) is within userland memory(0x20000000), the kernel now(with [[6.0.0-11]]) returns an error when the address is beyond userland memory. Using an address >=0x20000000 would only result in the kernel reading from the process L1 MMU table, beyond the memory allocated for that MMU table(for vaddr->physaddr conversion), therefore this issue likely(?) wasn't useful.
| [[6.0.0-11]]
| [[6.0.0-11]]
|-
|-