4,562
edits
Changes
Jump to navigation
Jump to search
Line 547:
Line 547: + + + + + + + + + + + + +
→System Modules
! Public disclosure timeframe
! Public disclosure timeframe
! Discovered by
! Discovered by
|-
| [[SSL_services|ssl]] CVE-2021-43527
| CVE-2021-43527, see also [https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 here] and [https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html here].
Using BigSig where the server cert sig is RSA-PSS results in the remote server throwing {no shared cipher} error when Switch connects. If however one creates a rootCA using BigSig (RSA-PSS), which then signs a server cert where the server key is RSA (not PSS), the vuln can be triggered (if the rootCA is trusted, via using the import service-cmd). It's unknown whether there's other ways to trigger the vuln.
The crash occurs in VFY_Begin when using the previously overwritten data. A bitsize of <code>$((16384 + 32 + 64 + 64 + 64))</code> is only enough to overwrite cx->hashcx, to fully overwrite cx->hashobj an additional 0xC-bytes (additional 96 bits) is needed.
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a funcptr.
| 13.2.1
| 13.2.1
| Switch: December 1-2, 2021
| Switch: Janurary 19, 2022
|
|-
|-
| [[Bluetooth_Driver_services|bluetooth]] EventInfo infoleak
| [[Bluetooth_Driver_services|bluetooth]] EventInfo infoleak