3DS System Flaws: Difference between revisions
→Hardware: fixed sighax date |
SM unexploitable OOB write |
Line 806: | Line 806: | ||
| May 19(?)-20, 2015 | | May 19(?)-20, 2015 | ||
| [[User:Yellows8|Yellows8]] | | [[User:Yellows8|Yellows8]] | ||
|- | |||
| [[SM]] out-of-bounds BSS write (table 1 entry too small) | |||
| After accepting a new session, [[SM]] writes a (handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS) pair in a global array. However that array is only 64-entry-big instead of 65 (as it ought to be), and no bound check is done in that regard. | |||
Unfortunately, as of [[11.4.0-37]], the overwritten fields are totally unused after their initialization by <code>__libc_init_array</code>. | |||
| Not currently exploitable | |||
| None | |||
| [[11.4.0-37]] | |||
| June 29, 2017 | |||
| [[User:TuxSH|TuxSH]] | |||
|} | |} | ||
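Review bot: the description cell of the added row refers to "the overwritten fields" without saying which BSS variables sit directly after the 64-entry array, so a reader cannot check the "Not currently exploitable" verdict or re-evaluate it on a firmware later than 11.4.0-37. Name the fields, or at least their role, that the 65th (handler ID, session context pointer) pair lands on, and note that the verdict depends on them staying unused after <code>__libc_init_array</code>. The row title "table 1 entry too small" can also be read as referring to a "table 1"; "table one entry too small" or "off-by-one" would be unambiguous. The nested parentheses in the first sentence are hard to parse and would read better with the two handler ID values given in a separate sentence.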