Switch System Flaws: Difference between revisions

Line 225:

This was fixed in [[4.0.0]] by adding a semaphore to these critical single-session services, so that even if one gets access to them an error code will be returned when attempting to use any of their commands.

| With some way to access these services and kill their session holders: dumping sysmodule code, arbitrary service access, elevated filesystem permissions, etc.

| With some way to access these services and kill their session holders (like expLDR): dumping sysmodule code, arbitrary service access, elevated filesystem permissions, etc.

| [[4.0.0]]

Line 275:

|-

| expLDR (sysmodule handle table exhaustion)

| ~~Due~~ to ~~limited~~ handle ~~table space, it's possible to cause most sysmodules to abort by sending a number of~~ DuplicateSession ~~control commands~~ (type 5 command 2) to a ~~given service~~. ~~Once it runs~~ out of ~~handles~~, ~~it kills~~ the service ~~and releases~~ all handles cleanly.

| Most sysmodules share common template code to handle IPC control messages. The command DuplicateSession (type 5 command 2)'s template code will abort() if it fails to duplicate a session's handle for the requester. Because many sysmodules have limited handle table size (smaller than the browser/other entrypoints), repeatedly requesting to duplicate one's session will cause the sysmodule to run out of handle table space and abort, causing the service to release all its handles cleanly.

| Sysmodule crashes. Most usefully, crashing ldr allows access to fsp-ldr and crashing pm allows access to fsp-pr.

| Sysmodule crashes. Most usefully, crashing ldr allows access to fsp-ldr and crashing pm allows access to fsp-pr. Useless after [[4.0.0]], which mitigated a number of single-session service access issues.

| Unfixed

| 4.1.0

@@ Line 225: / Line 225: @@
 This was fixed in [[4.0.0]] by adding a semaphore to these critical single-session services, so that even if one gets access to them an error code will be returned when attempting to use any of their commands.
-| With some way to access these services and kill their session holders: dumping sysmodule code, arbitrary service access, elevated filesystem permissions, etc.
+| With some way to access these services and kill their session holders (like expLDR): dumping sysmodule code, arbitrary service access, elevated filesystem permissions, etc.
 | [[4.0.0]]
 | [[4.0.0]]
@@ Line 275: / Line 275: @@
 |-
 | expLDR (sysmodule handle table exhaustion)
-| Due to limited handle table space, it's possible to cause most sysmodules to abort by sending a number of DuplicateSession control commands (type 5 command 2) to a given service.  Once it runs out of handles, it kills the service and releases all handles cleanly.
+| Most sysmodules share common template code to handle IPC control messages. The command DuplicateSession (type 5 command 2)'s template code will abort() if it fails to duplicate a session's handle for the requester. Because many sysmodules have limited handle table size (smaller than the browser/other entrypoints), repeatedly requesting to duplicate one's session will cause the sysmodule to run out of handle table space and abort, causing the service to release all its handles cleanly.
-| Sysmodule crashes.  Most usefully, crashing ldr allows access to fsp-ldr and crashing pm allows access to fsp-pr.
+| Sysmodule crashes.  Most usefully, crashing ldr allows access to fsp-ldr and crashing pm allows access to fsp-pr. Useless after [[4.0.0]], which mitigated a number of single-session service access issues.
 | Unfixed
 | 4.1.0