Changes

Jump to navigation Jump to search

3DS System Flaws (edit)

Revision as of 22:24, 29 July 2014

424 bytes added ,  22:24, 29 July 2014
→‎ARM11 kernel
Line 68: Line 68:     
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.
 
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.
 +
| [[5.0.0-11]]
 +
|-
 +
| [[SVC|SVC stack allocation overflows]]
 +
| svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN only checked bit31 before multiplying by 4/16. If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack. It might allow for arbitrary kernel code execution.
 
| [[5.0.0-11]]
 
| [[5.0.0-11]]
 
|-
 
|-
Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/9473"

Navigation menu