Line 515: |
| | | |
| Using updated master-key: master_key_11 (previously master_key_10). See [[NCA]] for the KeyGeneration listing. | | Using updated master-key: master_key_11 (previously master_key_10). See [[NCA]] for the KeyGeneration listing. |
| + | |
| + | ==== Kernel ==== |
| + | * Compiler/libc was upgraded, this results in various minor optimizations throughout the whole kernel. |
| + | ** Many, many minor changes that this is almost certainly the cause for, e.g. KThread::SuspendRequest now calculates requested value as (0x10 << suspend_type) instead of (1 << (suspend_type + 4)). |
| + | ** Biggest one is that sp/lr are now much more commonly not saved to stack until actually needed, if a function has a return path which does not make calls/does not need lr/sp saved. |
| + | * Initialize0 changes: |
| + | ** The physical base address of the kernel is now passed by KernelLdr for use during KernelSlab virtual memory region setup. |
| + | *** This replaces the previous call to KInitialPageTable::GetPhysicalAddress. |
| + | * SVC-handler accesses to the thread local region's disable count now use userspace access instructions. |
| + | * SvcSetHeapSize now only sets the output address on success. |
| + | ** This wasn't a vulnerability before, because prior to this the ABI meant userland would receive whatever was in the userland register at call time. |
| + | * CreateProcessParameter now zeroes many fields before performing initialization. |
| + | * New CreateProcessFlag 0x2000 is "EnableReservedRegionExtraSize", when set the reserved region size is increased by (AddressSpaceSize / 8). |
| + | ** Currently, CreateProcess will return svc::ResultInvalidState() unless all the following conditions are met: |
| + | *** Address space type must be 39-bit |
| + | *** System resource size must be > 0 |
| + | *** KTargetSystem::IsDebugMode() must be true. |
| + | ** New InfoType (0x1C) "InfoType_ReservedRegionExtraSize" retrieves the extra size, which is a member of KPageTableBase. |
| + | ** Loader does not currently support passing this flag in any capacity yet. |
| + | ** nn::os::VammManager currently calculates the reserved region as [start, end - extra size], and will not map to the extra part of the region. |
| + | * Various KPageTable(Base/Impl) changes: |
| + | ** InitializeForProcess now takes in the create process flags directly instead of parsing as a bunch of bools. |
| + | ** InitializeForProcess now performs much more complicated initialization/randomization of the four aslr'd regions, dividing them up before/after the process code using largest-region first selection for randomization order. |
| + | ** KPageTableImpl's traversal functions now take an additional output byte (which is also a new member at +0x11 in the traversal block and in KMemoryRange), this is always set to zero. |
| + | *** This byte is checked when traversing by ::Finalize and ::GetContiguousRangeWithMemoryState, but not other page table functions. |
| + | *** This byte is also stored as a new member of the memory range struct returned by GetContiguousRangeWithMemoryState |
| + | ** AllocateAndMapPagesImpl now takes in the page properties by reference instead of by value. |
| + | ** Read/WriteReadDebugIoMemory now use simpler logic for determining the current readable size. |
| + | * The KMemoryBlock helper "ConvertToKMemoryPermission" was changed to only copy the user-write bit to KernelWrite. |
| + | ** This fixes a longstanding bug where the input was AND'd with KMemoryPermission_UserReadWrite, and these bits were then ORR'd into the final permission <<='d with KernelShift. |
| + | ** The intent here was to copy the user read/write permissions into the kernel read/write permissions, but KMemoryPermission_UserReadWrite is not bitmask 0x3, it's bitmask 0x1B (including the KernelRead/Write bits). |
| + | ** Thus, previously this would allow an input with KernelRead bit to spuriously set the NotMapped bit, and an input with KernelWrite bit to spuriously set the unused top bit. |
| + | ** This was unexploitable, except maybe for causing a kernel-mode access exception. |
| + | * HandleException now handles EsrEc_DataAbortEl0 specially when determining the debug exception type. |
| + | ** When ESR_EL1.IFSC is 0b100001 ("Alignment Fault"), ExceptionType_UnalignedData is selected instead of ExceptionType_DataAbort. |
| + | * KMemoryManager(Impl)/KPageHeap changes: |
| + | ** KPageHeap's heap_virtual_address member is now removed and is a part of KMemoryManagerImpl now (this is still unused in non-debug kernel). |
| + | ** KMemoryManager::AllocatePageGroup now takes a parameter for the required minimum alignment for the page group. |
| + | *** This is currently passed as 1 page (minimum alignment) at all callsites. |
| + | * SecureMonitor access was refactored, actual smc invocation is now in its own helper separate from interrupt disable/enable (and helpers which invoke without interrupt disable now exist). |
| | | |
| === [[Audio_services|audio]] === | | === [[Audio_services|audio]] === |
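Review bot: the entry "New CreateProcessFlag 0x2000 is 'EnableReservedRegionExtraSize'" is ambiguous about when the svc::ResultInvalidState() check applies; as written, "Currently, CreateProcess will return svc::ResultInvalidState() unless all the following conditions are met" reads as if every CreateProcess call now requires a 39-bit address space, a non-zero system resource size and debug mode, whereas the context suggests the check is only performed when the 0x2000 flag is set, so the sentence should say "when this flag is set" explicitly. The ConvertToKMemoryPermission entry has a related documentation gap: the spurious NotMapped and top-bit settings it describes can only occur when the helper's input already carries the KernelRead or KernelWrite bit (bits 3 and 4, which the 0x1B mask lets through before the KernelShift), so the entry should state which callers pass a full KMemoryPermission rather than a userland permission value, since the "unexploitable" judgement rests on that. Minor: "This byte is also stored as a new member of the memory range struct returned by GetContiguousRangeWithMemoryState" is missing its terminating period.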