Changes

Switch System Flaws (view source)

Revision as of 02:46, 26 December 2020

1,075 bytes added , 02:46, 26 December 2020

→‎System Modules

Line 519: Line 519:

! Public disclosure timeframe

! Discovered by

+

|-

+

| [[Bluetooth_Driver_services|Bluetooth]] A-63146698

+

| [https://android.googlesource.com/platform/system/bt/+/226ea26684d4cd609a5b456d3d2cc762453c2d75 A-63146698] / CVE-2017-0785. See also [https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf here].

+

| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR (note: not tested on hw).

+

| [[5.0.0]]

+

| [[11.0.0]]

+

| Switch: December 2020

+

| Switch: December 25, 2020

+

| Switch: [[User:Yellows8|yellows8]]

+

|-

+

| [[Bluetooth_Driver_services|Bluetooth]] sdp_server.cc process_service_search() continuation request p_req validation

+

| With [5.0.0+], the following was added to the if-block prior to loading cont_offset from p_req: <code>(p_req + sizeof(cont_offset) > p_req_end)</code> (which verifies that cont_offset is within message bounds).

+

| Bluetooth-sysmodule out-of-bounds read from heap, probably not useful since the read value must match a state field, etc.

+

| [[5.0.0]]

+

| [[11.0.0]]

+

| Switch: December 2020

+

| Switch: December 25, 2020

+

| Switch: [[User:Yellows8|yellows8]]

|-

| [[HID_services#hid:sys|hid:sys]] ButtonConfig s32 array-index not validated

Yellows8

Bureaucrats, Administrators

4,620

edits