516
edits
Changes
Jump to navigation
Jump to search
Line 125:
Line 125: − + + + + + + + + Line 258:
Line 265: + + + + + + + + + Line 790:
Line 806: + + + + + + + + + +
→FIRM Sysmodules
| None
| None
| New3DS
| New3DS
| November 2015
| July 2015
| [[User:Derrek|derrek]]
| [[User:Derrek|derrek]]
|-
| Boot9 FIRM loading doesn't blacklist memory-mapped I/O
| [[Bootloader|Boot9]]'s FIRM loading blacklists Boot9 data regions, but forgets to do other important regions, including Memory-mapped I/O. Combined with sighax, by loading a malicious FIRM section to MMIO, one can get Boot9/Boot11 code execution.
| None
| New3DS
| 2015(?)
| [[User:Derrek|derrek]] (2015?), [[User:Normmatt|Normmatt]] and [[User:SciresM|SciresM]] independently (January 2017).
|}
|}
| January 20, 2016
| January 20, 2016
| [[User:Jakcron|jakcron]]
| [[User:Jakcron|jakcron]]
|-
| Factory firmware is vulnerable to sighax
| During the 3DS's development, presumably boot9 was written (including the sighax) vulnerability. This vulnerability is also present in factory firmware (and earlier, including 0.11). This was fixed in version 1.0.0-0.
| Deducing the mechanics of the sighax vulnerability in boot9 without having boot9 prot. Arm9 code execution on factory/earlier firmware.
| [[1.0.0-0|1.0.0-X]]
| [[1.0.0-0|1.0.0-X]]
| May 9, 2017
| May 19, 2017
| [[User:SciresM|SciresM]], [[User:Myria|Myria]]
|-
|-
| safefirmhax
| safefirmhax
| May 19(?)-20, 2015
| May 19(?)-20, 2015
| [[User:Yellows8|Yellows8]]
| [[User:Yellows8|Yellows8]]
|-
| [[SM]] out-of-bounds BSS write (table 1 entry too small)
| After accepting a new session, [[SM]] writes a (handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS) pair in a global array. However that array is only 64-entry-big instead of 65 (as it ought to be), and no bound check is done in that regard.
Unfortunately, as of [[11.4.0-37]], the overwritten fields are totally unused after their initialization by <code>__libc_init_array</code>.
| Not currently exploitable
| None
| [[11.4.0-37]]
|
|
|}
|}