Switch System Flaws: Difference between revisions
| January 13, 2023
| October 20, 2023
| [[User:Yellows8|yellows8]]
|-
| [[NV_services|nv]] NVGPU_GPU_IOCTL_GET_CHARACTERISTICS Ioctl3 infoleak
| The handler code for NVGPU_GPU_IOCTL_GET_CHARACTERISTICS is essentially the same for Ioctl and Ioctl3, except for the value used for the max-size clamp: Ioctl uses the constant 0xA0, while Ioctl3 uses outbuf1_size. So if one uses this with Ioctl3 and a large outbuf1, the handler will memcpy data out of bounds from the source buffer, hence the infoleak.
With [17.0.0+], the second block of csel code, which previously used the clamped size from above, was replaced with code that properly clamps to the max-size constant.
| nvservices-sysmodule infoleak, which allows defeating ASLR.
| [[17.0.0]]
| [[17.0.0]]
| February 25, 2022
| October 24, 2023
| [[User:Yellows8|yellows8]]
|}
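A simplified C model of the clamp difference described in the row above, added here as an illustration and not taken from nvservices: the buffer names, the handler signatures and the 0x40 bytes of "adjacent memory" are assumptions, and only the 0xA0 constant and the outbuf1_size clamp come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical model of the handlers described above; names, layout and
 * sizes other than the 0xA0 clamp are assumptions, not nvservices code. */
#define CHARACTERISTICS_SIZE 0xA0u  /* max-size constant used by the Ioctl path */
#define ADJACENT_SIZE        0x40u  /* constructed stand-in for data after the struct */
#define OUTBUF_SIZE          0x100u /* caller-supplied output buffer larger than 0xA0 */

/* Constructed sysmodule memory: the characteristics struct, then adjacent bytes. */
static uint8_t g_module_mem[CHARACTERISTICS_SIZE + ADJACENT_SIZE];
static void init_module_mem(void) {
    memset(g_module_mem, 0x11, CHARACTERISTICS_SIZE);                 /* struct contents */
    memset(g_module_mem + CHARACTERISTICS_SIZE, 0xEE, ADJACENT_SIZE); /* must never be copied */
}

/* Ioctl path: the copy size is clamped to the constant, so the memcpy can
 * never read past the struct. Returns the number of bytes copied. */
size_t get_characteristics_ioctl(uint8_t *out, size_t outbuf_size) {
    size_t n = outbuf_size < CHARACTERISTICS_SIZE ? outbuf_size : CHARACTERISTICS_SIZE;
    memcpy(out, g_module_mem, n);
    return n;
}

/* Pre-17.0.0 Ioctl3 path as described: the clamp uses outbuf1_size, so a
 * large output buffer makes the memcpy read source bytes past the struct. */
size_t get_characteristics_ioctl3_vulnerable(uint8_t *out, size_t outbuf1_size) {
    size_t n = outbuf1_size;                                  /* clamped to the caller's size only */
    if (n > sizeof g_module_mem) n = sizeof g_module_mem;     /* model bound, avoids real UB here */
    memcpy(out, g_module_mem, n);
    return n;
}

/* 17.0.0+ Ioctl3 path: clamps to the max-size constant, like Ioctl. */
size_t get_characteristics_ioctl3_fixed(uint8_t *out, size_t outbuf1_size) {
    return get_characteristics_ioctl(out, outbuf1_size);
}

/* Counts copied bytes that came from outside the struct (0 means no leak). */
static size_t count_leaked(const uint8_t *out, size_t n) {
    size_t leaked = 0;
    for (size_t i = CHARACTERISTICS_SIZE; i < n; i++)
        leaked += (out[i] == 0xEE);
    return leaked;
}

/* Drives one handler with an OUTBUF_SIZE buffer and returns its leaked byte count. */
size_t leaked_bytes(size_t (*handler)(uint8_t *, size_t)) {
    uint8_t out[OUTBUF_SIZE];
    init_module_mem();
    return count_leaked(out, handler(out, OUTBUF_SIZE));
}
```

The vulnerable variant copies 0x40 bytes of adjacent memory into the caller's buffer, while both clamped variants stop at 0xA0.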