Line 125: |
Line 125: |
| | None | | | None |
| | New3DS | | | New3DS |
− | | November 2015 | + | | July 2015 |
| | [[User:Derrek|derrek]] | | | [[User:Derrek|derrek]] |
| + | |- |
| + | | Boot9 FIRM loading doesn't blacklist memory-mapped I/O |
| + | | [[Bootloader|Boot9]]'s FIRM loading blacklists Boot9 data regions, but forgets to do other important regions, including Memory-mapped I/O. Combined with sighax, by loading a malicious FIRM section to MMIO, one can get Boot9/Boot11 code execution. |
| + | | None |
| + | | New3DS |
| + | | 2015(?) |
| + | | [[User:Derrek|derrek]] (2015?), [[User:Normmatt|Normmatt]] and [[User:SciresM|SciresM]] independently (January 2017). |
| |} | | |} |
| | | |
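Review bot: the description of the new row (the line beginning "[[Bootloader|Boot9]]'s FIRM loading blacklists Boot9 data regions") claims Boot9/Boot11 code execution from loading a FIRM section into MMIO without saying which MMIO region is targeted or what hardware side effect turns a memory-mapped I/O write into code execution; add at least a one-clause explanation, or a link to the relevant register page, so the entry can be checked. The same hunk also changes the previous entry's discovery date from "November 2015" to "July 2015" with no source given, and the new row states the "2015(?)" uncertainty twice, once in the timeframe column and again as "(2015?)" in the discovered-by column; keep it in the timeframe cell only, write the discoverer cell as "[[User:Derrek|derrek]], [[User:Normmatt|Normmatt]] and [[User:SciresM|SciresM]] independently (January 2017)", and cite the July date change.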
Line 258: |
Line 265: |
| | January 20, 2016 | | | January 20, 2016 |
| | [[User:Jakcron|jakcron]] | | | [[User:Jakcron|jakcron]] |
| + | |- |
| + | | Factory firmware is vulnerable to sighax |
| + | | During the 3DS's development, presumably boot9 was written (including the sighax) vulnerability. This vulnerability is also present in factory firmware (and earlier, including 0.11). This was fixed in version 1.0.0-0. |
| + | | Deducing the mechanics of the sighax vulnerability in boot9 without having boot9 prot. Arm9 code execution on factory/earlier firmware. |
| + | | [[1.0.0-0|1.0.0-X]] |
| + | | [[1.0.0-0|1.0.0-X]] |
| + | | May 9, 2017 |
| + | | May 19, 2017 |
| + | | [[User:SciresM|SciresM]], [[User:Myria|Myria]] |
| |- | | |- |
| | safefirmhax | | | safefirmhax |
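Review bot: the "Fixed in" and "Last system version this flaw was checked for" cells of the new row both read [[1.0.0-0|1.0.0-X]] while the description says the flaw "was fixed in version 1.0.0-0"; if 1.0.0-0 is the fix, the last version the flaw was verified on should be the last vulnerable one (factory firmware / 0.11 per the description), or the row should say why both cells point at 1.0.0-X. The description also has a misplaced parenthesis, "presumably boot9 was written (including the sighax) vulnerability", which should read "boot9 was written with the sighax vulnerability already present", and the "presumably ... during the 3DS's development" speculation about when boot9 was written is not something the entry supports; state only what was verified: the flaw is present in factory firmware and earlier (including 0.11) and fixed in 1.0.0-0.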
Line 790: |
Line 806: |
| | May 19(?)-20, 2015 | | | May 19(?)-20, 2015 |
| | [[User:Yellows8|Yellows8]] | | | [[User:Yellows8|Yellows8]] |
| + | |- |
| + | | [[SM]] out-of-bounds BSS write (table 1 entry too small) |
| + | | After accepting a new session, [[SM]] writes a (handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS) pair in a global array. However that array is only 64-entry-big instead of 65 (as it ought to be), and no bound check is done in that regard. |
| + | |
| + | Unfortunately, as of [[11.4.0-37]], the overwritten fields are totally unused after their initialization by <code>__libc_init_array</code>. |
| + | | Not currently exploitable |
| + | | None |
| + | | [[11.4.0-37]] |
| + | | |
| + | | |
| |} | | |} |
| | | |
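Review bot: the new row leaves both timeframe cells and the "Discovered by" cell empty (the two "| + | |" lines just before the table close); every other entry in this table carries a date and a discoverer, so fill them in or write "Unknown" rather than leaving them blank. In the description, the nested parentheses "(handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS)" go three levels deep; spell it out as two sentences: the array holds (handler ID, context pointer) pairs, the handler ID is 0 for the up to 64 srv: sessions and 1 for the single srv:pm session, so 65 entries are needed but only 64 are allocated and no bound check is done. The "Not currently exploitable" verdict rests on what sits after the array in BSS, and the text only says the clobbered fields are unused after <code>__libc_init_array</code>; naming those fields would let a reader re-check the verdict on a later firmware, since a BSS layout change on a version past [[11.4.0-37]] could change the outcome.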