Switch System Flaws: Difference between revisions

Line 1,037: Line 1,037:
|-
|-
| [[Migration_services|migration]] nn::migration::savedata::IServer cmd1 buffer overflow
| [[Migration_services|migration]] nn::migration::savedata::IServer cmd1 buffer overflow
| nn::migration::savedata::IServer cmd1 originally copied data from an array to the output ptr. As the output is an u64 field for the IPC cmd output, this is a field on stack. Hence, if more than 1 entry (8-bytes) are copied a stack buffer overflow will occur. Note that cmd3 loads the same data, except this has a proper output array.
| nn::migration::savedata::IServer cmd1 with [18.0.0-18.0.1] copies data from an array to the output ptr. As the output is an u64 field for the IPC cmd output, this is a field on stack. Hence, if more than 1 entry (8-bytes) are copied a stack buffer overflow will occur. Note that cmd3 loads the same data, except this has a proper output array.
It's unknown whether there's a way to actually control this data with a large enough enough size.
It's unknown whether there's a way to actually control this data with a large enough enough size.


See [[18.1.0]] for the diff/fix.
See [[18.1.0]] for the diff/fix.
| [[Migration_services|migration]] stack buffer overflow.
| [[Migration_services|migration]] stack buffer overflow, only on [18.0.0-18.0.1].
| [[18.1.0]]
| [[18.1.0]]
| [[18.1.0]]
| [[18.1.0]]