Switch System Flaws: Difference between revisions
! Public disclosure timeframe
! Discovered by
|-
| [[Bluetooth_Driver_services|bluetooth]] WriteHidData/WriteHidData2/SetHidReport unchecked memcpy size
| WriteHidData/SetHidReport copy the input struct to the stack and then pass it to the funcptr/vfunc call; WriteHidData2 passes the input buffer address directly to the funcptr/vfunc call. The called function eventually copies the input data into its stack struct using the caller-specified size, without validating that size against the capacity of the struct.
Exploiting this requires access to the btdrv service; only hid and btm have access to it.
This was fixed in [[12.1.0]]: WriteHidData/SetHidReport now do a fixed-size copy into another temporary struct and afterwards clamp its size field to a maximum of 0x2BB, and this temporary struct is what gets passed to the vfunc. The vfuncs called by WriteHidData/WriteHidData2/SetHidReport were also updated to clamp the size to the required maximum value.
| Stack buffer overflow
| [[12.1.0]]
| [[12.1.0]]
| July 16, 2020
| July 6, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets
| [[12.0.0]]
| [[12.0.0]]
| July 17, 2020
| April 7, 2021
| [[User:Yellows8|yellows8]]
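The unchecked-size copy behind the WriteHidData/WriteHidData2/SetHidReport row above, and the 12.1.0 clamp, as an added C model. This is not code from the btdrv sysmodule or from this wiki: the struct layout and field names, the IPC input format (u16 size followed by payload) and the guard bytes standing in for whatever follows the struct on the vfunc's stack are assumptions; only the 0x2BB maximum and the copy-then-clamp ordering come from the description. The overflow is written as a memcpy into the enclosing frame object so the model stays defined C, whereas the real bug writes past the stack struct into the rest of the frame.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Maximum HID data size: the value 12.1.0 clamps the size field to. */
#define HID_DATA_MAX 0x2BB

/* Assumed layout of the struct handed to the btdrv vfunc: a caller-controlled
 * size followed by the report payload. Field names are hypothetical. */
struct hid_report {
    uint16_t size;
    uint8_t  data[HID_DATA_MAX];
};

/* Constructed model of the vfunc's stack frame: the stack struct, then bytes
 * standing in for what follows it on the real stack (saved registers, return
 * address). If guard[] changes, the copy wrote past the struct. */
#define GUARD_LEN  64
#define GUARD_FILL 0xA5
struct vfunc_frame {
    struct hid_report stack_struct;
    uint8_t guard[GUARD_LEN];
};

static void frame_init(struct vfunc_frame *f) {
    memset(f, 0, sizeof *f);
    memset(f->guard, GUARD_FILL, GUARD_LEN);
}

bool guard_intact(const struct vfunc_frame *f) {
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (f->guard[i] != GUARD_FILL) return false;
    return true;
}

/* Byte address of stack_struct.data inside the frame object. */
static uint8_t *frame_data_ptr(struct vfunc_frame *f) {
    return (uint8_t *)f + offsetof(struct vfunc_frame, stack_struct)
                        + offsetof(struct hid_report, data);
}

/* Pre-12.1.0 vfunc: copies 'size' bytes into its stack struct, trusting 'size'. */
static void vfunc_copy_unchecked(struct vfunc_frame *f, const uint8_t *src, uint16_t size) {
    f->stack_struct.size = size;
    memcpy(frame_data_ptr(f), src, size);   /* BUG: size > HID_DATA_MAX runs past data[] */
}

/* 12.1.0 clamp applied to the size field before it is used for any copy. */
uint16_t hid_clamp_size(uint16_t size) {
    return size > HID_DATA_MAX ? HID_DATA_MAX : size;
}

/* 12.1.0 vfunc: same copy, but the size is clamped to the required maximum. */
static void vfunc_copy_clamped(struct vfunc_frame *f, const uint8_t *src, uint16_t size) {
    size = hid_clamp_size(size);
    f->stack_struct.size = size;
    memcpy(frame_data_ptr(f), src, size);
}

/* Assumed IPC input format: u16 size, then the payload bytes. */
static uint16_t read_size(const uint8_t *ipc_in) {
    uint16_t s;
    memcpy(&s, ipc_in, sizeof s);
    return s;
}

/* Pre-12.1.0 WriteHidData2 path: the client buffer goes straight to the vfunc.
 * Returns true if the guard survived (it will not for an oversized size). */
bool write_hid_data_vuln(struct vfunc_frame *f, const uint8_t *ipc_in) {
    frame_init(f);
    vfunc_copy_unchecked(f, ipc_in + sizeof(uint16_t), read_size(ipc_in));
    return guard_intact(f);
}

/* 12.1.0 WriteHidData/SetHidReport path: fixed-size copy into a temporary
 * struct, clamp its size field, then call the (also clamping) vfunc with it. */
bool write_hid_data_fixed(struct vfunc_frame *f, const uint8_t *ipc_in, size_t ipc_len) {
    struct hid_report tmp;
    memset(&tmp, 0, sizeof tmp);
    size_t n = ipc_len < sizeof tmp ? ipc_len : sizeof tmp;  /* never more than the struct */
    memcpy(&tmp, ipc_in, n);
    tmp.size = hid_clamp_size(tmp.size);
    frame_init(f);
    vfunc_copy_clamped(f, tmp.data, tmp.size);
    return guard_intact(f);
}

/* Constructed malicious input: size claims HID_DATA_MAX plus OVERFLOW_BYTES,
 * and the payload really is that long. Returns the number of bytes written. */
#define OVERFLOW_BYTES 32
#define EVIL_LEN (sizeof(uint16_t) + HID_DATA_MAX + OVERFLOW_BYTES)
size_t build_evil_input(uint8_t *out) {
    uint16_t size = HID_DATA_MAX + OVERFLOW_BYTES;
    memcpy(out, &size, sizeof size);
    memset(out + sizeof size, 0x41, HID_DATA_MAX + OVERFLOW_BYTES);
    return EVIL_LEN;
}
```

With the constructed input, the pre-12.1.0 path overwrites the first bytes of guard[] (the real target would be whatever the compiler placed after the stack struct), while the 12.1.0 path copies at most 0x2BB bytes and leaves the guard untouched; the fixed-size copy into the temporary struct also prevents the first copy from reading past the expected input size.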