Switch System Flaws: Difference between revisions
Line 1,037: | Line 1,037: | ||
|- | |- | ||
| [[Migration_services|migration]] nn::migration::savedata::IServer cmd1 buffer overflow | | [[Migration_services|migration]] nn::migration::savedata::IServer cmd1 buffer overflow | ||
| nn::migration::savedata::IServer cmd1 | | nn::migration::savedata::IServer cmd1 with [18.0.0-18.0.1] copies data from an array to the output ptr. As the output is an u64 field for the IPC cmd output, this is a field on stack. Hence, if more than 1 entry (8-bytes) are copied a stack buffer overflow will occur. Note that cmd3 loads the same data, except this has a proper output array. | ||
It's unknown whether there's a way to actually control this data with a large enough enough size. | It's unknown whether there's a way to actually control this data with a large enough enough size. | ||
See [[18.1.0]] for the diff/fix. | See [[18.1.0]] for the diff/fix. | ||
| [[Migration_services|migration]] stack buffer overflow. | | [[Migration_services|migration]] stack buffer overflow, only on [18.0.0-18.0.1]. | ||
| [[18.1.0]] | | [[18.1.0]] | ||
| [[18.1.0]] | | [[18.1.0]] |
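Review bot: The new description cell says the overflow happens "if more than 1 entry (8-bytes) are copied" but never says what determines the number of entries cmd1 copies, and the following line leaves open whether that size is controllable. A short clause naming where the count comes from, or stating that it is not yet known, would make the row self-contained. While the cell is being edited, "large enough enough size" still repeats "enough" in both revisions, "an u64" should be "a u64", and "with [18.0.0-18.0.1]" would read better as "on [18.0.0-18.0.1]" to match the wording added to the impact cell ("only on [18.0.0-18.0.1]").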