Switch System Flaws: Difference between revisions
| Line 1,128: | Line 1,128: | ||
| June ~13, 2025 | | June ~13, 2025 | ||
| November 11, 2025 | | November 11, 2025 | ||
| [[User:Yellows8|yellows8]] | |||
|- | |||
| [[HID_services|hid:dbg]] AttachHdlsVirtualDevice unvalidated DeviceTypeInternal | |||
| hid:dbg AttachHdlsVirtualDevice eventually passes the input from HdlsDeviceInfo into a func without any validation. The DeviceTypeInternal field is used as the index for loading a ptr from a global array. The only validation occurs when the loaded ptr is NULL - this is just for initializing the ptr in the array when it's not already set. | |||
Since the highest DeviceTypeInternal is value 30, using >=31 will load an OOB ptr. This ptr is written to state, and also immediately passed to a called func. As long as ptr is valid it should be fine with this func. | |||
This functionality is also used eventually by ApplyHdlsNpadAssignmentState and ApplyHdlsStateList. | |||
It's unknown whether there's a way to exploit this. Also note that hid:dbg is not normally accessible to retail titles. | |||
[21.0.0+] Arrayindex=0 is now used when the input is invalid. | |||
| | |||
| [[21.0.0]] | |||
| [[21.0.0]] | |||
| June 3, 2024 (possibly eariler(?)) | |||
| November 14, 2025 | |||
| [[User:Yellows8|yellows8]] | | [[User:Yellows8|yellows8]] | ||
|} | |} | ||
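Review bot: In the description cell of the new hid:dbg row, "As long as ptr is valid it should be fine with this func" leaves open what the called func does with the out-of-bounds pointer when it is not valid, which is what decides whether this entry is only a crash or something more. Say whether the func reads or writes through the pointer, and which state field the pointer is stored in. The "[21.0.0+] Arrayindex=0 is now used when the input is invalid" line should state the bound being checked (the text above implies DeviceTypeInternal >= 31) rather than just "invalid". In the timeframe cell, "eariler" should be "earlier".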