Nintendo Switch Brew

Changes

Switch System Flaws (view source)

Revision as of 17:58, 21 November 2022

1,377 bytes added ,  17:58, 21 November 2022
→‎Pia
Line 1,061: Line 1,061:  
Hence, stack buffer overflow. Note that there's similar loop code in nearby funcs, which do validate the count properly.
 
Hence, stack buffer overflow. Note that there's similar loop code in nearby funcs, which do validate the count properly.
   −
In fixed versions the arraycount field is now validated. However it seems at some point this fix was reverted, in v5.11.3 (exact starting version unknown) the check isn't present, while in v5.18.98 it is present (exact starting version unknown).
+
In fixed versions the arraycount field is now validated.
 
| Stack buffer overflow triggered by a Pia SessionProtocol message.
 
| Stack buffer overflow triggered by a Pia SessionProtocol message.
 
| v5.9.3, see above.
 
| v5.9.3, see above.
Line 1,080: Line 1,080:  
| November 19, 2022
 
| November 19, 2022
 
|  
 
|  
 +
|-
 +
| nn::pia::session::JoinMeshJob::SetStationDataList OOB read/write/vfunc-call
 +
| <code>nn::pia::session::JoinMeshJob::SetStationDataList</code>is called by <code>nn::pia::session::MeshProtocol::ParseJoinResponse(nn::pia::transport::ReceivedMessageAccessor const&)></code> with the ReceivedMessageAccessor buffer.
 +
SetStationDataList will update state and immediately return if the join was denied. It will also validate the num_mesh_stations field against state.
 +
 +
The input buffer size is ignored.
 +
 +
The num_fragments field must be value 1 or <=3 otherwise it will return, there's two seperate code blocks handling these.
 +
 +
Other than the checks at the start, there's no validation for the index fields. So large enough values could result in OOB-reads.
 +
 +
When handling multiple fragments, it will loop through the stationinfo list. There is no validation for the u8 count field or the baseindex field. It calls a vfunc from obj baseptr+index*{entrysize} with data from the buffer, where index starts with the above baseindex field. Afterwards, an u8 is copied into an u32 array (with certain versions an u16 is deserialized into an u16 array).
 +
 +
With fixed versions (v5.18.98, exact version unknown) various validation was added. Additional/updated validation was added in a later version (v5.31.0, exact version unknown).
 +
| OOB read/write / vfunc call where the object is selected by an OOB index, triggered by a Pia MeshProtocol message.
 +
| v5.18.98 and v5.31.0 (exact versions unknown).
 +
| v5.31.0
 +
| November 18, 2022
 +
| November 21, 2022
 +
| [[User:Yellows8|yellows8]]
 
|}
 
|}
  
Retrieved from "https://switchbrew.org/wiki/Special:MobileDiff/12049"