Switch System Flaws: Difference between revisions
! Public disclosure timeframe
! Discovered by
|-
| [[Bluetooth_Driver_services|Bluetooth]] A-63146698
| [https://android.googlesource.com/platform/system/bt/+/226ea26684d4cd609a5b456d3d2cc762453c2d75 A-63146698] / CVE-2017-0785 (BlueBorne). See also the Armis BlueBorne technical white paper [https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf here].
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR (note: not tested on hardware).
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|Bluetooth]] sdp_server.cc process_service_search() continuation request p_req validation
| With [5.0.0+], the following condition was added to the if-block that runs before cont_offset is loaded from p_req: <code>(p_req + sizeof(cont_offset) > p_req_end)</code>. This verifies that the whole cont_offset field lies within the request bounds before it is read; previously a request that ended right after the continuation-length byte caused the read to run past the end of the message.
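The following is an added illustration of that check, written for this page; it is not the Bluetooth sysmodule's or AOSP's own source. It models only the continuation-state parse at the tail of a service-search request: <code>parse_continuation</code>, <code>conn_cb_t</code>, <code>be_u8</code>/<code>be_u16</code> and the sample bytes are assumptions made for the example, while <code>cont_offset</code>, <code>p_req</code>, <code>p_req_end</code> and <code>SDP_CONTINUATION_LEN</code> follow the names used in sdp_server.cc. The truncated request places the length byte as the last byte of the PDU, so the pre-5.0.0 path reads two bytes past p_req_end; the 5.0.0+ path rejects it.

```c
// Added example: model of the SDP continuation-state parse, pre-5.0.0 (no
// bounds check) versus 5.0.0+ (bounds check). Not the sysmodule's own code.
#include <stdint.h>
#include <stdio.h>

#define SDP_CONTINUATION_LEN 2   // length byte SDP expects for a continuation

// Assumed stand-in for the per-connection control block's stored state.
typedef struct {
    uint16_t cont_offset;        // continuation offset issued in the last response
} conn_cb_t;

typedef enum {
    CONT_OK = 0,                 // no continuation, or the offset matched
    CONT_BAD_LEN,                // bad length byte, or field runs past p_req_end
    CONT_BAD_INDEX               // offset read did not match the stored state
} cont_result_t;

// Big-endian reads, in the spirit of the stack's BE_STREAM_TO_UINT* macros.
static uint8_t be_u8(const uint8_t **pp) { uint8_t v = **pp; (*pp)++; return v; }
static uint16_t be_u16(const uint8_t **pp) {
    uint16_t v = (uint16_t)(((*pp)[0] << 8) | (*pp)[1]);
    *pp += 2;
    return v;
}

// p_req points at the continuation-length byte, p_req_end one past the PDU.
// bounds_check == 0 models pre-5.0.0: a length byte of SDP_CONTINUATION_LEN
// followed by nothing reads sizeof(cont_offset) bytes past p_req_end.
// bounds_check != 0 applies the 5.0.0+ condition and rejects such a request.
static cont_result_t parse_continuation(const conn_cb_t *p_ccb,
                                        const uint8_t *p_req,
                                        const uint8_t *p_req_end,
                                        int bounds_check,
                                        uint16_t *out_offset)
{
    uint16_t cont_offset;

    *out_offset = 0;
    if (p_req >= p_req_end)      // the length byte itself must be present
        return CONT_BAD_LEN;

    cont_offset = be_u8(&p_req); // continuation-state length byte
    if (cont_offset == 0)
        return CONT_OK;          // fresh request, no continuation state

    if (cont_offset != SDP_CONTINUATION_LEN ||
        (bounds_check && (p_req + sizeof(cont_offset) > p_req_end)))
        return CONT_BAD_LEN;

    cont_offset = be_u16(&p_req); // unchecked before 5.0.0: may read past p_req_end
    *out_offset = cont_offset;
    return (cont_offset == p_ccb->cont_offset) ? CONT_OK : CONT_BAD_INDEX;
}

// Constructed input: a well-formed continuation tail (02 00 10).
static cont_result_t demo_wellformed(int bounds_check) {
    static const uint8_t pdu[] = { 0x02, 0x00, 0x10 };
    conn_cb_t ccb = { .cont_offset = 0x0010 };
    uint16_t off;
    return parse_continuation(&ccb, pdu, pdu + sizeof pdu, bounds_check, &off);
}

// Constructed input: the PDU ends right after the length byte. The two bytes
// after it stand in for whatever follows the message in memory; they are kept
// inside this array so the model itself never reads out of bounds.
static cont_result_t demo_truncated(int bounds_check, uint16_t *out_off) {
    static const uint8_t mem[] = { 0x02,         // last byte of the PDU
                                   0x00, 0x10 }; // adjacent bytes, not part of the PDU
    conn_cb_t ccb = { .cont_offset = 0x0010 };
    return parse_continuation(&ccb, mem, mem + 1, bounds_check, out_off);
}

int main(void) {
    uint16_t off;
    printf("well-formed, pre-5.0.0: %d\n", demo_wellformed(0));
    printf("well-formed, 5.0.0+   : %d\n", demo_wellformed(1));
    printf("truncated,  pre-5.0.0: %d (offset read past end: 0x%04x)\n",
           demo_truncated(0, &off), off);
    printf("truncated,  5.0.0+   : %d (offset 0x%04x)\n",
           demo_truncated(1, &off), off);
    return 0;
}
```

In the unchecked model the out-of-bounds value is only compared against the stored offset: it is accepted solely because the adjacent bytes happen to equal 0x0010, and any other value yields an error, which is why the flaw is hard to turn into a useful primitive.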
| Out-of-bounds heap read in the Bluetooth sysmodule. Probably not useful, since the out-of-bounds value is only compared against a stored state field (the request is rejected unless it matches).
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[HID_services#hid:sys|hid:sys]] ButtonConfig s32 array-index not validated