21.0.0: Difference between revisions

Add 20 -> 21 kernel diff
 
(4 intermediate revisions by 2 users not shown)
Line 2: Line 2:


Security flaws fixed: yes.
Security flaws fixed: yes.
As of December 18, 2025 (UTC), this sysupdate (or later?) is now required by [[Network|dauth]].


==Change-log==
==Change-log==
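Review bot: the added dauth line leaves the actual requirement ambiguous with "(or later?)"; state whether dauth was observed to reject only versions below 21.0.0 (so any later sysupdate also satisfies it) or whether it was only tested against 21.0.0 itself, and drop the question mark once that is settled. It would also help to record how the requirement was observed (a dauth error response or a changed client behaviour) so the December 18, 2025 date can be rechecked later.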
Line 64: Line 66:
** "/lyt/Browse/TapHighlight.arc" added
** "/lyt/Browse/TapHighlight.arc" added
** "/message/": Various data updated.
** "/message/": Various data updated.
** "/nro/netfront/core_0/default/" removed
** "/nro/netfront/core_0/default/cfi_disabled" moved to "/nro/netfront/core_0/Default/cfi_nocfi".
** "/nro/netfront/core_0/Default/" added
** "/nro/netfront/core_3/default/cfi_enabled" moved to "/nro/netfront/core_3/Default/cfi_nncfi".
** "/nro/netfront/core_3/default/" removed
** "/nro/netfront/core_3/Default/" added
* Help: "/legallines.htdocs/index.html" updated
* Help: "/legallines.htdocs/index.html" updated
* NgWord: "/0.txt" updated, "/version.dat" updated
* NgWord: "/0.txt" updated, "/version.dat" updated
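Review bot: the two new netfront entries name the destination files inconsistently: core_0's "cfi_disabled" becomes "cfi_nocfi" while core_3's "cfi_enabled" becomes "cfi_nncfi". Since the source names differ only in disabled/enabled, confirm that "cfi_nncfi" is the exact filename in the archive and not a typo for a similarly formed name. The relationship between these per-file "moved" entries and the surrounding "default/ removed" / "Default/ added" directory entries is also not stated; make clear that the directory itself changed case (default -> Default) with the file renamed inside it, so the case change is not lost if the directory lines are later folded into the "moved" wording.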
Line 365: Line 365:
* HandleFloatingPointException now sets a previously unused StackParameters flag (+0x2F) to 1.
* HandleFloatingPointException now sets a previously unused StackParameters flag (+0x2F) to 1.
** This flag doesn't seem to be referenced/used anywhere else in the kernel?
** This flag doesn't seem to be referenced/used anywhere else in the kernel?
* KInterruptManager/Controller was changed:
** KInterruptController::LocalState now stores the private spendsgir, which is also now saved/restored by KInterruptController::SaveLocalState/RestoreLocalState
** KSleepManager now spins for 100 microseconds before calling KInterruptManager::Save, after synchronizing all cores.
* cpu::DoCoreInterruptBarrier now uses a global KLightLock; this prevents more than one thread from performing an interrupt barrier at the same time.
* KThread StackParameter exception_flags bitflags are now volatile and mostly atomic; many bits now use atomic read-modify-write loops to set and clear bits.
* KThread StackParameter exception_flags bitflags are now volatile and mostly atomic; many bits now use atomic read-modify-write loops to set and clear bits.
** This is not done for bit 0 ("is in svc"), accesses specifically for bit 0 continue to use non-atomic reads/writes.
** This is not done for bit 0 ("is in svc"), accesses specifically for bit 0 continue to use non-atomic reads/writes.
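Review bot: the exception_flags sub-bullet records that bit 0 ("is in svc") stays non-atomic but not why; if the reason is that bit 0 is only ever written by the owning thread on SVC entry and exit (so there is no concurrent writer to race with), say so, otherwise it reads as an oversight in the same change that made the other bits atomic. Two smaller points in the same hunk: "private spendsgir" should spell out which interrupt-controller register state is meant, using its proper register name, since it is the new item being saved/restored; and the KSleepManager line should put the ordering first ("after synchronizing all cores, spins for 100 microseconds, then calls KInterruptManager::Save") and note what the spin is waiting for, if that is known.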
Line 391: Line 387:
** The kernel-use of KDynamicSlabHeapPageAllocator::Initialize in resource manager init now panics on failure
** The kernel-use of KDynamicSlabHeapPageAllocator::Initialize in resource manager init now panics on failure
** There are more cases, too many to fully enumerate with high confidence.
** There are more cases, too many to fully enumerate with high confidence.
=== [[Bluetooth_Driver_services|bluetooth]] ===
The below changes for gatt_process_prep_write_rsp and gatt_process_notification were also backported to [[19.0.2]].
* Updated L_c6720, prev ver @ L_c0cc0. This is gatt_process_prep_write_rsp.
** The input size is now [[Switch_System_Flaws|validated]]. The validation is implemented as: <code>if (0xFDA6 >= (u16)(size-0x25D)) <fail></code>
* Updated L_c6930, prev ver @ L_c0eb0. This is gatt_process_notification.
** The input size bounds check was moved before writing any data to stack, and the bounds check was updated (same as gatt_process_prep_write_rsp above).
** These changes shouldn't matter? The stack data is only used when the bounds check passes, and the previous check also would catch wrap-around.
* ...
=== [[HID_services|hid]] ===
A vuln with hid:dbg was [[Switch_System_Flaws|fixed]].


=== [[LDN_services|ldn]] ===
=== [[LDN_services|ldn]] ===
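Review bot: the gatt_process_prep_write_rsp bounds check is given only as raw disassembly arithmetic; add its meaning so readers can evaluate it. The condition <code>(u16)(size-0x25D) > 0xFDA6</code> (the pass case) holds exactly when 4 <= size <= 0x25C, so the function now accepts sizes from 4 to 0x25C bytes and rejects everything else (size 3 maps to 0xFDA6 and fails, size 4 to 0xFDA7 and passes, size 0x25D maps to 0 and fails). That equivalence only holds if size is itself 16 bits wide; if it is wider, the cast truncates and a value such as 0x10004 also passes, which matters given the remark that the previous check "would catch wrap-around". State the width of size in both entries. The hid entry says only that a hid:dbg vulnerability was fixed; a one-line description of the bug class, or at least the affected command, would make the Switch_System_Flaws link useful from here.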