18.0.0: Difference between revisions

Using updated master-key: master_key_11 (previously master_key_10). See [[NCA]] for the KeyGeneration listing.
==== Kernel ====
* Compiler/libc was upgraded, this results in various minor optimizations throughout the whole kernel.
** Many, many minor changes are almost certainly caused by this, e.g. KThread::SuspendRequest now calculates the requested value as (0x10 << suspend_type) instead of (1 << (suspend_type + 4)).
** The biggest one is that sp/lr are now much more commonly left unsaved until actually needed: if a function has a return path which makes no calls and so does not need lr/sp saved, that path no longer spills them.
* Initialize0 changes:
** The physical base address of the kernel is now passed by KernelLdr for use during KernelSlab virtual memory region setup.
*** This replaces the previous call to KInitialPageTable::GetPhysicalAddress.
* SVC-handler accesses to the thread local region's disable count now use userspace access instructions.
* SvcSetHeapSize now only sets the output address on success.
** This wasn't a vulnerability before, because prior to this the ABI meant userland would receive whatever was in the userland register at call time.
* CreateProcessParameter now zeroes many fields before performing initialization.
* New CreateProcessFlag 0x2000 is "EnableReservedRegionExtraSize", when set the reserved region size is increased by (AddressSpaceSize / 8).
** Currently, CreateProcess will return svc::ResultInvalidState() unless all the following conditions are met:
*** Address space type must be 39-bit
*** System resource size must be > 0
*** KTargetSystem::IsDebugMode() must be true.
** New InfoType (0x1C) "InfoType_ReservedRegionExtraSize" retrieves the extra size, which is a member of KPageTableBase.
** Loader does not currently support passing this flag in any capacity yet.
** nn::os::VammManager currently calculates the reserved region as [start, end - extra size], and will not map to the extra part of the region.
* Various KPageTable(Base/Impl) changes:
** InitializeForProcess now takes in the create process flags directly instead of parsing as a bunch of bools.
** InitializeForProcess now performs much more complicated initialization/randomization of the four aslr'd regions, dividing them up before/after the process code using largest-region first selection for randomization order.
** KPageTableImpl's traversal functions now take an additional output byte (which is also a new member at +0x11 in the traversal block and in KMemoryRange); this is always set to zero.
*** This byte is checked when traversing by ::Finalize and ::GetContiguousRangeWithMemoryState, but not by other page table functions.
*** This byte is also stored as a new member of the memory range struct returned by GetContiguousRangeWithMemoryState.
** AllocateAndMapPagesImpl now takes in the page properties by reference instead of by value.
** Read/WriteReadDebugIoMemory now use simpler logic for determining the current readable size.
* The KMemoryBlock helper "ConvertToKMemoryPermission" was changed to only copy the user-write bit to KernelWrite.
** This fixes a longstanding bug where the input was AND'd with KMemoryPermission_UserReadWrite, and the resulting bits were then shifted left by KernelShift and ORR'd into the final permission.
** The intent here was to copy the user read/write permissions into the kernel read/write permissions, but KMemoryPermission_UserReadWrite is not bitmask 0x3, it's bitmask 0x1B (it includes the KernelRead/Write bits).
** Thus, previously an input with the KernelRead bit set would spuriously set the NotMapped bit after the shift, and an input with the KernelWrite bit set would spuriously set the unused top bit.
** This was unexploitable, except maybe for causing a kernel-mode access exception.
* HandleException now handles EsrEc_DataAbortEl0 specially when determining the debug exception type.
** When ESR_EL1.IFSC is 0b100001 ("Alignment Fault"), ExceptionType_UnalignedData is selected instead of ExceptionType_DataAbort.
* KMemoryManager(Impl)/KPageHeap changes:
** KPageHeap's heap_virtual_address member was removed and is now a member of KMemoryManagerImpl (it is still unused in the non-debug kernel).
** KMemoryManager::AllocatePageGroup now takes a parameter for the required minimum alignment for the page group.
*** This is currently passed as 1 page (minimum alignment) at all callsites.
* SecureMonitor access was refactored: the actual SMC invocation is now in its own helper, separate from interrupt disable/enable (and helpers which invoke without disabling interrupts now exist).
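The ConvertToKMemoryPermission bug above is easiest to see with the bit arithmetic written out. The following is an added model of the old and new conversions, not the kernel's own code; the bit layout (user R/W/X in bits 0-2, KernelShift = 3, NotMapped in bit 6, bit 7 unused) is inferred from the page's statement that KMemoryPermission_UserReadWrite is 0x1B and includes the KernelRead/Write bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bit layout (model only, inferred from UserReadWrite == 0x1B). */
enum {
    PERM_USER_READ       = 0x01,
    PERM_USER_WRITE      = 0x02,
    PERM_KERNEL_SHIFT    = 3,
    PERM_KERNEL_READ     = PERM_USER_READ  << PERM_KERNEL_SHIFT, /* 0x08 */
    PERM_KERNEL_WRITE    = PERM_USER_WRITE << PERM_KERNEL_SHIFT, /* 0x10 */
    PERM_NOT_MAPPED      = 0x40,
    PERM_UNUSED_TOP      = 0x80,
    /* The composite user mask also carries the kernel bits: 0x09 | 0x12 == 0x1B. */
    PERM_USER_READ_WRITE = (PERM_USER_READ  | PERM_KERNEL_READ) |
                           (PERM_USER_WRITE | PERM_KERNEL_WRITE),
};

/* Pre-18.0.0 behaviour as described: mask with the composite 0x1B, then shift.
 * Input bits 3 and 4 (KernelRead/KernelWrite) land on bits 6 and 7. */
static uint8_t kernel_bits_old(uint8_t perm) {
    return (uint8_t)((perm & PERM_USER_READ_WRITE) << PERM_KERNEL_SHIFT);
}

/* 18.0.0 behaviour as described: only the user-write bit is promoted to KernelWrite. */
static uint8_t kernel_bits_new(uint8_t perm) {
    return (uint8_t)((perm & PERM_USER_WRITE) << PERM_KERNEL_SHIFT);
}

/* Nonzero if the old conversion produced a bit outside the kernel R/W pair. */
static int old_conversion_spurious(uint8_t perm) {
    return (kernel_bits_old(perm) & ~(PERM_KERNEL_READ | PERM_KERNEL_WRITE)) != 0;
}

int main(void) {
    /* Constructed inputs: plain user R, user RW, and inputs with kernel bits set. */
    const uint8_t inputs[] = { PERM_USER_READ, PERM_USER_READ | PERM_USER_WRITE,
                               PERM_KERNEL_READ, PERM_KERNEL_WRITE };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("in=0x%02x old=0x%02x new=0x%02x spurious=%d\n", inputs[i],
               kernel_bits_old(inputs[i]), kernel_bits_new(inputs[i]),
               old_conversion_spurious(inputs[i]));
    }
    return 0;
}
```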


=== [[Audio_services|audio]] ===