Switch System Flaws: Difference between revisions

 
(One intermediate revision by the same user not shown)
Line 1,107: Line 1,107:
| May 3, 2025
| May 3, 2025
| [[User:Yellows8|yellows8]] (maybe others?)
| [[User:Yellows8|yellows8]] (maybe others?)
|-
| [[HID_services|hidbus]] EnableJoyPollingReceiveMode infoleak
| The tmem initialized by hidbus EnableJoyPollingReceiveMode contains a vtable ptr (tmem+0x10), hence infoleak. With [20.0.0+] the vtable ptr write was removed, and tmem is now memset starting at tmem+0x10 instead of +0x20.
| hid-sysmodule infoleak, which allows defeating ASLR.
| [[20.0.0]]
| [[20.0.0]]
| March 2020
| May 4, 2025
| [[User:Yellows8|yellows8]]
|}
|}
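Review bot: the new hidbus row states that the tmem "contains a vtable ptr (tmem+0x10), hence infoleak" but does not say why that pointer is readable by the caller; since transfer memory is backed by the requesting process's own memory, a sentence noting that the stale vtable pointer remains visible in the client's mapping after the sysmodule writes it would make the leak path explicit. It would also help to state that the leaked pointer is a hid-sysmodule code/data address (the "Successful exploitation result" column only says "defeating ASLR"), and, given the pre-20.0.0 memset started at tmem+0x20, whether anything else between +0x10 and +0x20 besides the vtable pointer was left uninitialized.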


Line 1,260: Line 1,269:
| nn::pia::session::RelayRouteManageJob::UpdateConnectionReport() checks that the input size is at least {value}, but there's no max size check. This is used to memcpy from the input to elsewhere - hence buf-overflow if size is too large. The dst buffer is allocated on the pead heap - this buffer is probably small.
| nn::pia::session::RelayRouteManageJob::UpdateConnectionReport() checks that the input size is at least {value}, but there's no max size check. This is used to memcpy from the input to elsewhere - hence buf-overflow if size is too large. The dst buffer is allocated on the pead heap - this buffer is probably small.
Note that there's various requirements before it would actually reach the memcpy, such as <code><nn::pia::session::Mesh::IsHost() const></code> must return true.
Note that there's various requirements before it would actually reach the memcpy, such as <code><nn::pia::session::Mesh::IsHost() const></code> must return true.
This is called from nn::pia::session::MeshProtocol::ParseConnectionReport().
ParseConnectionReport uses a state ptr for object nn::pia::session::RelayRouteManageJob, it will return if not set. nn::pia::session::Mesh::Initialize handles setup for this, depending on an input field from nn::pia::session::Mesh::Setting. These settings originate from <code><nn::pia::session::Session::CreateInstance(nn::pia::session::Session::Setting const&)></code>, which is called by user-code with the needed settings.
ParseConnectionReport is therefore only usable if the game explicitly enables the Relay functionality.


In fixed versions immediately after the StationIndex validation it now does: <code>if(statefield+0x10<input_size) return;</code>
In fixed versions immediately after the StationIndex validation it now does: <code>if(statefield+0x10<input_size) return;</code>
This is called from nn::pia::session::MeshProtocol::ParseConnectionReport().
| Heap buffer overflow triggered by a Pia MeshProtocol message sent to a host device.
| Heap buffer overflow triggered by a Pia MeshProtocol message sent to a host device.
| v5.9.3, see above.
| v5.9.3, see above.
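Review bot: the fix description "<code>if(statefield+0x10<input_size) return;</code>" never says what <code>statefield</code> holds, so a reader cannot tell whether the new bound corresponds to the size of the destination buffer allocated on the pead heap or to some other expected payload length; naming the field (or its role) would let the entry's claim that the overflow is closed be checked against the allocation. The minimum-size check is still written as "at least {value}", which reads as an unfilled placeholder and should either carry the actual constant or be marked as unknown. Finally, the new paragraph establishes that the path is reachable only when the game enables Relay functionality and <code>Mesh::IsHost()</code> is true; it would be worth stating that in the summary column too, since it materially narrows which titles are affected.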