Changes

1,075 bytes added, 02:46, 26 December 2020
Line 519: Line 519:  
!  Public disclosure timeframe
 
!  Public disclosure timeframe
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[Bluetooth_Driver_services|Bluetooth]] A-63146698
 +
| [https://android.googlesource.com/platform/system/bt/+/226ea26684d4cd609a5b456d3d2cc762453c2d75 A-63146698] / CVE-2017-0785. See also [https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf here].
 +
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR (note: not tested on hw).
 +
| [[5.0.0]]
 +
| [[11.0.0]]
 +
| Switch: December 2020
 +
| Switch: December 25, 2020
 +
| Switch: [[User:Yellows8|yellows8]]
 +
|-
 +
| [[Bluetooth_Driver_services|Bluetooth]] sdp_server.cc process_service_search() continuation request p_req validation
 +
| With [5.0.0+], the following was added to the if-block prior to loading cont_offset from p_req: <code>(p_req + sizeof(cont_offset) > p_req_end)</code> (which verifies that cont_offset is within message bounds).
 +
| Bluetooth-sysmodule out-of-bounds read from heap, probably not useful since the read value must match a state field, etc.
 +
| [[5.0.0]]
 +
| [[11.0.0]]
 +
| Switch: December 2020
 +
| Switch: December 25, 2020
 +
| Switch: [[User:Yellows8|yellows8]]
 
|-
 
|-
 
| [[HID_services#hid:sys|hid:sys]] ButtonConfig s32 array-index not validated
 
| [[HID_services#hid:sys|hid:sys]] ButtonConfig s32 array-index not validated
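Review bot: the second added row quotes the new check <code>(p_req + sizeof(cont_offset) > p_req_end)</code> without saying what happens when it is true; state explicitly that the continuation request is rejected when the condition holds, since as written a reader cannot tell whether it is the accept or the reject branch, and the parenthetical "verifies that cont_offset is within message bounds" is more precisely "verifies that the sizeof(cont_offset) bytes read from p_req lie within p_req_end". Two smaller points in the same hunk: the "[5.0.0+]" in that cell should be a wiki link like the "[[5.0.0]]" version cells beside it, and the first row's "Discovered by" column credits only the Switch finder although the entry itself links the upstream CVE-2017-0785 / Armis white paper, so the upstream credit should be noted there as well.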
