885
edits
Changes
Jump to navigation
Jump to search
Line 85:
Line 85: + Line 100:
Line 101: + + Line 233:
Line 236: + + + Line 241:
Line 247: + + + + + + Line 262:
Line 274: − + + + + + + + + + + − This is used to add/subtract x30 starting with bit40, during functions entry/exit.+ − blr instructions no longer exist: when funcptrs are called, new functions are now called instead which handles the call. The u32 at funcptr_addr-4 must match 0xe7ffdefe, otherwise it will branch to undefined instruction 0x0000dead. Otherwise, it will jump to the funcptr_addr.+ − Almost all functions now have the above u32 at -4, therefore funcptr calls now have to start at the actual funcptr start. However, this doesn't apply to calls done during functions' exit: these directly br to the funcptr_addr without extra validation.+ − The above applies to all NSOs in ExeFs.+
→creport-sysmodule
** Several callsites now verify that last_address != 0xFFFF...
** Several callsites now verify that last_address != 0xFFFF...
* KMemoryRegionAllocator now uses a slabheap of count 200 instead of 1000.
* KMemoryRegionAllocator now uses a slabheap of count 200 instead of 1000.
* KLinkedListNode now has slab size = #KThreads instead of #KThreads * 17.
* "Virtual" cores now supported, KThread now stores core ID/affinity for both virtual and physical.
* "Virtual" cores now supported, KThread now stores core ID/affinity for both virtual and physical.
* New SVC 0x37 "GetResourceLimitPeakValue"
* New SVC 0x37 "GetResourceLimitPeakValue"
* KConditionVariable now sets the cv_key u32 value in userspace to 1 when a condvar has waiters, and to 0 when it does not.
* KConditionVariable now sets the cv_key u32 value in userspace to 1 when a condvar has waiters, and to 0 when it does not.
** New nnSdk code relies on this behavior.
** New nnSdk code relies on this behavior.
* SetupStackForUserModeThreadStarter (KThreadContext::Initialize) now sets X18 to (<cryptographically random u64> | 1), this value is unique for each thread.
** This is used for Pointer Authentication changes in web browser.
* KCoreLocalRegion deleted, replaced with pointer-to-current-thread
* KCoreLocalRegion deleted, replaced with pointer-to-current-thread
** TPIDR_EL1 != X18 now, and TPIDR_EL1 now always points to the exception thread stack.
** TPIDR_EL1 != X18 now, and TPIDR_EL1 now always points to the exception thread stack.
The new Nintendo Switch Online menu (which can be launched via qlaunch) is handled by [[Internet_Browser#Whitelisted_Applets|LibraryAppletLoginShare]].
The new Nintendo Switch Online menu (which can be launched via qlaunch) is handled by [[Internet_Browser#Whitelisted_Applets|LibraryAppletLoginShare]].
=== [[HID_services|hid]]-sysmodule ===
Besides IPC changes, the ButtonConfig cmds updated the input s32 validation: when the input s32 is invalid (which now uses an unsigned compare), it now returns 0 or an error immediately, instead of Aborting.
=== [[LDN_services|ldn]]-sysmodule ===
=== [[LDN_services|ldn]]-sysmodule ===
See also [[#OSS]].
See also [[#OSS]].
=== [[PGL_services|pgl]]-sysmodule ===
* pgl now has a new ipc command, which just returns "ResultNotImplemented()"
* pgl now detects when SnapShotDumper crashes, and launches creport in that case.
* pgl now passes an additional argument to creport ("%d", formatted with the value of jit_debug!enable_jit_debug).
=== [[Creport|creport]]-sysmodule ===
=== [[Creport|creport]]-sysmodule ===
* creport now takes in an additional argument "jit_debug_enabled", when this is "1" the target process is not terminated on report completion.
* creport now has access to fsp-srv, this is used to retrieve debugging information that is now attached to error reports. The following functions are called (with output/info attached to erpts):
* creport now has access to fsp-srv, this is used to retrieve debugging information that is now attached to error reports. The following functions are called (with output/info attached to erpts):
** GetSdCardSpeedMode
** GetSdCardSpeedMode
=== [[Internet_Browser|Web-applets]] ===
=== [[Internet_Browser|Web-applets]] ===
These are now compiled with compiler CFI mitigations enabled. This does not apply to non-web-applets. This uses the crc32x instruction, and x18 as a previously-initialized constant.
These are now compiled with compiler Pointer Authentication / CFI mitigations enabled. This does not apply to non-web-applets.
Pointer Authentication uses the crc32x instruction, and x18 as a cryptographically-random u64 provided by the kernel. The only userland code using x18 is the mul instruction for this, nothing else (applies to all NSOs/NROs).
This is used to add/subtract x30 starting with bit40, during functions entry/exit. The code for entry/exit is identical, except that entry does add, and exit uses subtract:
* The low 40-bits of x30 are extracted, then multiplied with x18.
* <code>crc32x w17, wzr, x17</code> (which uses the above value)
* Then the previously mentioned add/subtraction operation is done, with the output from the above shifted to bit40.
The x18 is OR'd by kernel with 1, to make sure it is odd. This means that the multiply is a bijection; in other words, no entropy is lost when doing the multiply. If this had not been done, a random value that is divisible by a large power of two (the attacker can just keep spawning threads until gets such a one), would have weak cookies that allows the scheme to be trivially broken.
CFI is implemented as follows: blr instructions no longer exist. When funcptrs are called, new functions are now called instead which handles the call. The u32 at funcptr_addr-4 must match 0xe7ffdefe, otherwise it will branch to undefined instruction 0x0000dead. Otherwise, it will jump to the funcptr_addr.
Almost all functions now have the above u32 at -4, therefore funcptr calls now have to start at the actual funcptr start. However, this doesn't apply to calls done during functions' exit: these directly br to the funcptr_addr without extra validation. The br instructions in the .plt were also replaced with branches to the function described above.
The above applies to all NSOs in ExeFs, except for LibraryAppletOfflineWeb which doesn't have it enabled. The NROs in the BrowserDll SystemData have it enabled for "/nro/netfront/dll_1/", however "dll_0" doesn't have it enabled (which is used by LibraryAppletOfflineWeb).
This is referred to in the build-path strings as "NX-NXFP2-a64-cfi" (nnSdkEmpty), and "NX64-cfi" (OSS).
=== LibraryAppletPhotoViewer ===
=== LibraryAppletPhotoViewer ===