Switch System Flaws: Difference between revisions
Line 547: | Line 547: | ||
! Public disclosure timeframe | ! Public disclosure timeframe | ||
! Discovered by | ! Discovered by | ||
|- | |||
| [[Bluetooth_Driver_services|bluetooth]] gatt_process_notification stack buffer overflow | |||
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack. | |||
These were fixed by adding a bounds check for the size, size==0 is also checked for now. | |||
| Bluetooth-sysmodule stack buffer overflow, with data received from a bluetooth message | |||
| [[13.2.1]] | |||
| [[13.2.1]] | |||
| November 2021 | |||
| January 19, 2022 | |||
| [[User:Yellows8|yellows8]] | |||
|- | |- | ||
| [[SSL_services|ssl]] CVE-2021-43527 | | [[SSL_services|ssl]] CVE-2021-43527 | ||
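Review bot: In the new bluetooth row's description, the closing sentence "size==0 is also checked for now" is ambiguous. It can read either as "size==0 is now also checked" or as a temporary check that may be removed later. Reword it to say which is meant. The same sentence opens with "These were fixed", so it would also help to name the two things it covers: the missing size validation before the memcpy to stack, and the len value that goes negative when fewer than 2 bytes follow op_code.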
Line 555: | Line 565: | ||
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow). | Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow). | ||
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr. | | Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr. | ||
| 13.2.1 | | [[13.2.1]] | ||
| 13.2.1 | | [[13.2.1]] | ||
| Switch: December 1-2, 2021 | | Switch: December 1-2, 2021 | ||
| Switch: | | Switch: January 19, 2022 | ||
| | | | ||
|- | |- |
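Review bot: The last cell of the CVE-2021-43527 row, the bare "|" after "Switch: January 19, 2022", is still empty in this revision. The final header shown above is "Discovered by", and the new bluetooth row fills that position with a user link, so this row now has its disclosure date but no attribution. If the empty cell is intentional because the finding is an upstream CVE, put a short value in it saying so rather than leaving it blank.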