Changes

Jump to navigation Jump to search

3DS System Flaws (edit)

Revision as of 05:28, 23 January 2017

750 bytes added ,  05:28, 23 January 2017
→‎Standalone Sysmodules
Line 754: Line 754:  
!  Timeframe this was added to wiki
 
!  Timeframe this was added to wiki
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[MP:SendDataFrame]] missing input array index validation
 +
| [[MP:SendDataFrame]] doesn't validate the input index at cmdreq[1], unless the function for flag=non-zero is executed. This is used to calculate the following, without validating the index at all: someptr = stateptr + (index*0x924) + somestateoffset.
 +
 +
After validating some flags from someptr, when input_flag=0 the input buffer data is copied to someptr+someotheroffset+0x14 with the u16 size loaded from someptr+someotheroffset.
 +
 +
With a large input index someptr could be setup to be at a <target address>, for overwriting memory.
 +
 +
This is probably difficult to exploit.
 +
|
 +
| None
 +
| [[8.0.0-18]](MP-sysmodule v2048)
 +
| January 22, 2017
 +
| January 22, 2017
 +
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
 
| [[MP_Services|MP]] cmd1 out-of-bounds handle read
 
| [[MP_Services|MP]] cmd1 out-of-bounds handle read
Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/19392"

Navigation menu