Switch System Flaws: Difference between revisions
Line 449: | Line 449: | ||
! Public disclosure timeframe | ! Public disclosure timeframe | ||
! Discovered by | ! Discovered by | ||
|- | |||
| [[Applet_Manager_services#IStorage|AM IStorage]] infoleak | |||
| Originally the buffer allocated by [[Applet_Manager_services#CreateStorage|CreateStorage]] using the specified input size was not cleared. With [8.0.0+] this was fixed by adding a memset() for the buffer after successful allocation. | |||
Hence, IStorage->IStorageAccessor->Read will return uninitialized memory when the Write cmd was not previously used with the specified region. | |||
| Infoleak from the main [[Applet_Manager_services#IStorage|AM]] heap, allowing defeating ASLR by reading addresses from previously allocated objects. | |||
| [[8.0.0]] | |||
| [[8.1.0]] | |||
| December 2018 | |||
| August 9, 2019 | |||
| [[User:Yellows8|yellows8]] | |||
|- | |- | ||
| Out-of-bounds array read for [[BCAT_Content_Container]] secret-data index | | Out-of-bounds array read for [[BCAT_Content_Container]] secret-data index |
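Review bot: In the description cell of the new AM IStorage row, the sentence beginning "Hence, IStorage->IStorageAccessor->Read will return uninitialized memory" comes after the sentence about the [8.0.0+] memset() fix, so it reads as if the uninitialized read follows from the fix rather than from the buffer not being cleared. Suggest moving the "Hence, ..." sentence directly after "was not cleared" and putting the "With [8.0.0+] this was fixed by adding a memset()" sentence last, so the cell states the flaw first and the fix second. In the next cell, "allowing defeating ASLR" would read better as "which allows defeating ASLR".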