Switch System Flaws: Difference between revisions
Edit summaries: "Bad copy paste. This was found earlier." / "RIP part 2"
| November 24, 2018
| [[User:hexkyz|hexkyz]]
|-
| Infoleak in nvservices system module
| The [[NV_services|nvservices]] ioctl [[NV_services#NVMAP_IOC_ALLOC|NVMAP_IOC_ALLOC]] takes an optional argument "addr" which allows the calling process to pass a pointer to user-allocated memory for backing an nvmap object. If "addr" is left as 0, nvservices instead uses the transfer memory region (donated by the user during initialization) when allocating memory for the nvmap object.
By design, freeing the nvmap object by calling the ioctl [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] returns, in its "refcount" argument, the user address previously supplied if the reference count reaches 0.
However, prior to [[6.2.0]], the case where the transfer memory region is used to allocate the nvmap object was not taken into account, so [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] leaked back an address from within the transfer memory region mapped in nvservices' memory space.
In [[6.2.0]], [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] no longer returns the address when the transfer memory region is used instead of user-supplied memory.
| Combined with other vulnerabilities: defeating ASLR in the nvservices sysmodule.
| [[6.2.0]]
| [[6.2.0]]
| April 2017
| November 24, 2018
| Everyone
|-
|}
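A constructed C model, added here and not code from the wiki or from nvservices, of the two ioctl behaviours described in that row: the pre-6.2.0 free echoes the backing address even when it lies inside the transfer memory region, while the 6.2.0 free returns it only for client-supplied memory. The struct layout, function names and the still-referenced branch are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an nvmap object (names are assumptions): backing address,
 * whether the client supplied "addr", and the reference count. */
typedef struct { uintptr_t backing; bool user_backed; int refcount; } nvmap_obj;

/* Stands in for the transfer memory region donated at init (constructed). */
static uint8_t transfer_region[4096];

/* Model of NVMAP_IOC_ALLOC: addr == 0 selects the transfer memory region. */
nvmap_obj *model_alloc(uintptr_t addr)
{
    nvmap_obj *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->user_backed = (addr != 0);
    o->backing = addr ? addr : (uintptr_t)transfer_region;
    o->refcount = 1;
    return o;
}

/* Model of NVMAP_IOC_FREE; *refcount_out is the ioctl's "refcount" output.
 * fixed == false models pre-6.2.0, fixed == true models 6.2.0. */
void model_free(nvmap_obj *o, bool fixed, uintptr_t *refcount_out)
{
    if (--o->refcount > 0) { *refcount_out = 0; return; }   /* assumption: still referenced */
    if (!fixed || o->user_backed)
        *refcount_out = o->backing;   /* pre-6.2.0 path discloses a service-side address */
    else
        *refcount_out = 0;            /* 6.2.0: transfer-backed objects return nothing */
    free(o);
}

/* Allocate with the given "addr", free at once, return what FREE wrote out. */
uintptr_t echoed_address(uintptr_t addr, bool fixed)
{
    uintptr_t out = 0;
    nvmap_obj *o = model_alloc(addr);
    if (o) model_free(o, fixed, &out);
    return out;
}

int main(void)
{
    printf("transfer-backed free, pre-6.2.0: %#lx\n", (unsigned long)echoed_address(0, false));
    printf("transfer-backed free, 6.2.0:     %#lx\n", (unsigned long)echoed_address(0, true));
    return 0;
}
```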