6,263
edits
Changes
Jump to navigation
Jump to search
Line 141:
Line 141: − + Line 191:
Line 191: − + − The extdata SaveData.dat file-reading code allocates a fixed-size heap buffer for the expected SaveData.dat filesize, then reads the filedata into this buffer using the actual FS filesize. Before v5.0 the filesize used here wasn't validated, hence if the filesize is larger than alloc_size a buffer overflow would occur. ''After'' doing the file-read it does validate that the actual_readsize matches the alloc_size, but at this point the buffer overflow has already occurred.+ − It's unknown whether v5.0 had similar changes for other extdata file-loading code.+ + +
→System applets
|-
|-
| [[Home Menu]] sdiconhax
| [[Home Menu]] sdiconhax
| This is basically the same as nandiconhax, the vulnerable SD/NAND functions are ''identical'' minus the file-buffer offsets. Exploitation is different due to different heap-buffer location though. Unlike nandiconhax, the icon buffer for SD is located in linearmem. This is used by [[menuhax]].
| This is basically the same as nandiconhax, the vulnerable SD/NAND functions are ''identical'' minus the file-buffer offsets. Exploitation is different due to different heap-buffer location though. Unlike nandiconhax, the icon buffer for SD is located in linearmem(with recent Home Menu versions at least). This is used by [[menuhax]].
| None
| None
| [[11.0.0-33|11.0.0-X]]
| [[11.0.0-33|11.0.0-X]]
|-
|-
| [[Home Menu]] extdata SaveData.dat loading buffer overflow
| [[Home Menu]] extdata SaveData.dat loading buffer overflow
| ''This was not tested on hardware.''
| The extdata SaveData.dat file-reading code allocates a fixed-size heap buffer for the expected SaveData.dat filesize, then reads the filedata into this buffer using the actual FS filesize. Before v5.0 the filesize used here wasn't validated, hence if the filesize is larger than alloc_size a buffer overflow would occur. ''After'' doing the file-read it does validate that the actual_readsize matches the alloc_size, but at this point the buffer overflow has already occurred.
It's unknown whether v5.0 had similar changes for other extdata file-loading code.
This can be triggered by installing a <v4.0 Home Menu version, with Home Menu extdata from >=v4.0 still on SD. When this is done with v2.0 Home Menu, a kernelpanic occurs when processing an AM command(it appears a buffer ptr which is then passed to a command was overwritten with 0x0 - of course other SaveData.dat filesizes may result in different behaviour).
With v2.0 the SaveData.dat buffer is located in the regular heap.
| [[5.0.0-11|5.0.0-X]]
| [[5.0.0-11|5.0.0-X]]
|
|