Switch System Flaws: Difference between revisions
Older revision (edit summary): bootloader stage 1 flaw fixed in 3.0.0
Newer revision (edit summary): clarify
Line 38: | Line 38: | ||
|- | |- | ||
| Null-dereference in panic() | | Null-dereference in panic() | ||
| The Switch's stage 1 bootloader, on panic(), clears the stack and then attempts to clear the Security Engine. However, it does so by dereferencing a pointer to the SE in .bss (initially NULL), and this pointer doesn't get initialized until partway into the bootloader's main(). Thus, a panic() caused prior to SE initialization would result in the SE pointer still being NULL when dereferenced. This would cause a data abort, causing the bootloader to clear the stack and then try to clear the security engine...dereferencing NULL again, over and over in a loop. | | The Switch's stage 1 bootloader, on panic(), clears the stack and then attempts to clear the Security Engine. However, it does so by dereferencing a pointer to the SE in .bss (initially NULL), and this pointer doesn't get initialized until partway into the bootloader's main() after several functions that might panic() are called. Thus, a panic() caused prior to SE initialization would result in the SE pointer still being NULL when dereferenced. This would cause a data abort, causing the bootloader to clear the stack and then try to clear the security engine...dereferencing NULL again, over and over in a loop. | ||
In 3.0.0, this was fixed by moving the security engine initialization earlier in main(), before the first function that could potentially panic(). | In 3.0.0, this was fixed by moving the security engine initialization earlier in main(), before the first function that could potentially panic(). |
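Review bot: the added clause "after several functions that might panic() are called" makes the ordering explicit, but neither column names those functions, so a reader still cannot tell which early failures reach the NULL path; consider listing them or linking the section that describes the stage 1 main(). Two style points in the same cell: "Security Engine" and "security engine" are mixed within one row, and "security engine...dereferencing NULL again" reads better as "security engine, dereferencing NULL again". The fix row could also note that panic() still uses the .bss pointer unconditionally; a NULL check before the SE clear would make the handler safe regardless of where the initialization sits in main().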