21.0.0: Difference between revisions

(3 intermediate revisions by the same user not shown)

Line 2:

Security flaws fixed: yes.

As of December 18, 2025 (UTC), this sysupdate (or later?) is now required by [[Network|dauth]].

==Change-log==

Line 64:

Line 66:

** "/lyt/Browse/TapHighlight.arc" added

** "/message/": Various data updated.

** "/nro/netfront/core_0/default/" ~~removed~~

** "/nro/netfront/core_0/default/cfi_disabled" moved to "/nro/netfront/core_0/Default/cfi_nocfi".

** "/nro/netfront/core_0/Default/" ~~added~~

** "/nro/netfront/core_3/default/cfi_enabled" moved to "/nro/netfront/core_3/Default/cfi_nncfi".

** "/nro/netfront/core_3/default/" ~~removed~~

** "/nro/netfront/core_3/Default/" ~~added~~

* Help: "/legallines.htdocs/index.html" updated

* NgWord: "/0.txt" updated, "/version.dat" updated

Line 387:

** The kernel-use of KDynamicSlabHeapPageAllocator::Initialize in resource manager init now panics on failure

** There are more cases, too many to fully enumerate with high confidence.

=== [[Bluetooth_Driver_services|bluetooth]] ===

The below changes for gatt_process_prep_write_rsp and gatt_process_notification were also backported to [[19.0.2]].

* Updated L_c6720, prev ver @ L_c0cc0. This is gatt_process_prep_write_rsp.

** The input size is now [[Switch_System_Flaws|validated]]. The validation is implemented as: <code>if (0xFDA6 >= (u16)(size-0x25D)) <fail></code>

* Updated L_c6930, prev ver @ L_c0eb0. This is gatt_process_notification.

** The input size bounds check was moved before writing any data to stack, and the bounds check was updated (same as gatt_process_prep_write_rsp above).

** These changes shouldn't matter? The stack data is only used when the bounds check passes, and the previous check also would catch wrap-around.

* ...

=== [[HID_services|hid]] ===

A vuln with hid:dbg was [[Switch_System_Flaws|fixed]].

=== [[LDN_services|ldn]] ===

@@ Line 2: / Line 2: @@
 Security flaws fixed: yes.
+As of December 18, 2025 (UTC), this sysupdate (or later?) is now required by [[Network|dauth]].
 ==Change-log==
@@ Line 64: / Line 66: @@
 ** "/lyt/Browse/TapHighlight.arc" added
 ** "/message/": Various data updated.
-** "/nro/netfront/core_0/default/" removed
+** "/nro/netfront/core_0/default/cfi_disabled" moved to "/nro/netfront/core_0/Default/cfi_nocfi".
-** "/nro/netfront/core_0/Default/" added
+** "/nro/netfront/core_3/default/cfi_enabled" moved to "/nro/netfront/core_3/Default/cfi_nncfi".
-** "/nro/netfront/core_3/default/" removed
-** "/nro/netfront/core_3/Default/" added
 * Help: "/legallines.htdocs/index.html" updated
 * NgWord: "/0.txt" updated, "/version.dat" updated
@@ Line 387: / Line 387: @@
 ** The kernel-use of KDynamicSlabHeapPageAllocator::Initialize in resource manager init now panics on failure
 ** There are more cases, too many to fully enumerate with high confidence.
+=== [[Bluetooth_Driver_services|bluetooth]] ===
+The below changes for gatt_process_prep_write_rsp and gatt_process_notification were also backported to [[19.0.2]].
+* Updated L_c6720, prev ver @ L_c0cc0. This is gatt_process_prep_write_rsp.
+** The input size is now [[Switch_System_Flaws|validated]]. The validation is implemented as: <code>if (0xFDA6 >= (u16)(size-0x25D)) <fail></code>
+* Updated L_c6930, prev ver @ L_c0eb0. This is gatt_process_notification.
+** The input size bounds check was moved before writing any data to stack, and the bounds check was updated (same as gatt_process_prep_write_rsp above).
+** These changes shouldn't matter? The stack data is only used when the bounds check passes, and the previous check also would catch wrap-around.
+* ...
+=== [[HID_services|hid]] ===
+A vuln with hid:dbg was [[Switch_System_Flaws|fixed]].
 === [[LDN_services|ldn]] ===