Switch System Flaws: Difference between revisions
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
This page is a list of publicly known Switch flaws. | |||
= Hardware = | = Hardware = | ||
| Line 464: | Line 464: | ||
|} | |} | ||
== | == BootImagePackage System Modules == | ||
Flaws in this category pertain to any of the [[Package2#Section_1|built-in system modules]]. | Flaws in this category pertain to any of the [[Package2#Section_1|built-in system modules]]. | ||
| Line 994: | Line 994: | ||
| January 13, 2023 | | January 13, 2023 | ||
| October 20, 2023 | | October 20, 2023 | ||
| [[User:Yellows8|yellows8]] | |||
|- | |||
| [[NV_services|nv]] NVGPU_GPU_IOCTL_GET_CHARACTERISTICS Ioctl3 infoleak | |||
| The handler code for NVGPU_GPU_IOCTL_GET_CHARACTERISTICS for Ioctl/Ioctl3 are essentially the same, except for the value used for the max-size clamp: Ioctl uses constant 0xA0, while Ioctl3 uses the outbuf1_size. So if one uses this with Ioctl3 and a large outbuf1, this will memcpy data OOB from the source buffer, hence infoleak. | |||
With [17.0.0+] the second block of csel code which previouly essentially used the clamped size from above, was replaced with code which properly clamps to the max-size constant. | |||
| nvservices-sysmodule infoleak, which allows defeating ASLR. | |||
| [[17.0.0]] | |||
| [[17.0.0]] | |||
| February 25, 2022 | |||
| October 24, 2023 | |||
| [[User:Yellows8|yellows8]] | |||
|- | |||
| [[Audio_services|audctl]] GetTargetDeviceInfo infoleak | |||
| audctl GetTargetDeviceInfo calls an impl func with a ptr to a stackbuf, then if successful memcpys the 0x100-bytes from that buffer to output. This stackbuf is not memset. This func (after doing various state checks) copies a string to output, other than always writing a NUL-terminator there's no clearing of the buffer. | |||
This will leak audio-sysmodule stack into the output buffer as long as the state/input checks pass (for the remainder of the buffer following the string NUL-terminator). | |||
With [18.0.0+] data is written directly to the outbuf instead of the stack tmpbuf. | |||
| audio-sysmodule infoleak, which allows defeating ASLR. | |||
| [[18.0.0]] | |||
| [[18.0.0]] | |||
| December 24, 2022 | |||
| March 26, 2024 | |||
| [[User:Yellows8|yellows8]] | |||
|- | |||
| [[Audio_services|audctl]] GetSystemInformationForDebug infoleak / buffer overflow | |||
| audctl GetSystemInformationForDebug calls a func with a 0x1000-byte stack tmpbuf, then afterwards that buffer is memcpy'd into the cmd outbuf. This called func doesn't clear the buffer. This func eventually uses [[BTM_services|btm]] cmd75 with outarray={global ptr} and count=10. Then if the outcount is s32 >=1, it loops through the output using the outcount, without validating it besides the <1 check. Data from that outarray is copied into the array in the func output buffer (tmpbuf above). | |||
With btm comprimised, one could return a large output count and trigger a stack buffer overflow with data following that global array, however exploiting this would be difficult since that data would be uncontrolled (can't directly control it from this cmd at least). | |||
A stack infoleak can be obtained with this as well (assuming the above output array isn't full). | |||
Even though the name has "ForDebug", there's no checks which would trigger an error / return early (this also always returns 0). | |||
[18.0.0+] now clears the output buffer, and also now prints strings into the buffer instead of writing binary data (overflow no longer possible). | |||
| audio-sysmodule infoleak, which allows defeating ASLR. Also audio-sysmodule memory corruption, likely not useful unless there's a way to control the data. | |||
| [[18.0.0]] | |||
| [[18.0.0]] | |||
| December 7, 2022 | |||
| March 27, 2024 | |||
| [[User:Yellows8|yellows8]] | | [[User:Yellows8|yellows8]] | ||
|} | |} | ||