Changes

1,305 bytes added, 07:03, 30 July 2017
bootloader stage 1 flaw fixed in 3.0.0
Line 23: Line 23:     
== System software ==
 
== System software ==
=== Kernel ===
+
 
 +
 
 +
=== Stage 1 Bootloader ===
 +
{| class="wikitable" border="1"
 +
|-
 +
!  Summary
 +
!  Description
 +
!  Successful exploitation result
 +
!  Fixed in system version
 +
!  Last system version this flaw was checked for
 +
!  Timeframe this was discovered
 +
!  Public disclosure timeframe
 +
!  Discovered by
 +
|-
 +
|  Null-dereference in panic()
 +
|  The Switch's stage 1 bootloader, on panic(), clears the stack and then attempts to clear the Security Engine. However, it does so by dereferencing a pointer to the SE in .bss (initially NULL), and this pointer doesn't get initialized until partway into the bootloader's main(). Thus, a panic() caused prior to SE initialization would result in the SE pointer still being NULL when dereferenced. This would cause a data abort, causing the bootloader to clear the stack and then try to clear the security engine...dereferencing NULL again, over and over in a loop.
 +
 
 +
In 3.0.0, this was fixed by moving the security engine initialization earlier in main(), before the first function that could potentially panic().
 +
|  Infinite clear-the-stack-then-data-abort loop very early in boot, before SBK/other keyslots are cleared. Probably useless for anything more interesting.
 +
|  [[3.0.0]]
 +
|  [[3.0.0]]
 +
|  Early July, 2017
 +
|  July 30, 2017
 +
|  Everyone who diff'd 2.3.0 and 3.0.0 Package1
 +
|-
 +
|}
 +
 
 +
 
 +
=== TrustZone ===
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
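Review bot: the "Successful exploitation result" cell understates the security-relevant consequence described in the "Description" cell: the fault occurs inside the very routine that is supposed to clear the Security Engine, so the stack-clear/data-abort loop runs with the SBK and the other keyslots still loaded, which is what "before SBK/other keyslots are cleared" means; saying so explicitly, and noting that the 3.0.0 fix only moves SE initialization earlier in main() rather than hardening panic() itself, would make the table self-explanatory. Separately, this hunk removes the "=== Kernel ===" heading while the kernel table body stays where it was until it is re-titled further down, so the edit summary "bootloader stage 1 flaw fixed in 3.0.0" does not mention that the change also swaps the Kernel and TrustZone sections.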
Line 35: Line 63:  
!  Discovered by
 
!  Discovered by
 
|-
 
|-
|  No public Kernel exploits  
+
|  No public ARM TrustZone exploits  
 
|
 
|
 
|
 
|
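Review bot: the renamed placeholder row "No public ARM TrustZone exploits" keeps the trailing double space after "exploits" that the old "No public Kernel exploits" line also carried; trimming it avoids a whitespace-only diff the next time this row is touched. The empty cells that follow match the other placeholder row, so nothing else changes here.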
Line 46: Line 74:  
|}
 
|}
   −
=== TrustZone ===
+
=== Kernel ===
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
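Review bot: after this heading change the section order is Stage 1 Bootloader, TrustZone, Kernel, and as far as these lines show the reorder is the whole purpose of the swap; a short sentence under "== System software ==" stating the ordering convention (sections listed by boot stage, earliest first) would tell future editors where later additions belong and would explain why an edit summarised as a bootloader note also moved two headings.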
Line 58: Line 86:  
!  Discovered by
 
!  Discovered by
 
|-
 
|-
|  No public ARM TrustZone exploits  
+
|  No public Kernel exploits  
 
|
 
|
 
|
 
|
Line 68: Line 96:  
|-
 
|-
 
|}
 
|}
 +
    
=== System Modules ===
 
=== System Modules ===