Changes

Jump to navigation Jump to search

Switch System Flaws (view source)

Revision as of 01:19, 17 December 2018

720 bytes added ,  01:19, 17 December 2018
→‎Hardware: Hekate implemented this in https://github.com/CTCaer/hekate/commit/8b8f3c564c686db6e4ed7210114547c70d8a2fde
Line 62: Line 62:  
| April 9, 2018
 
| April 9, 2018
 
| [[User:SciresM|SciresM]], almost surely others (independently).
 
| [[User:SciresM|SciresM]], almost surely others (independently).
 +
|-
 +
| Poor validation of bootrom SDRAM configuration parameters leads to arbitrary writes in bootrom
 +
|
 +
The Tegra X1 bootrom supports saving SDRAM parameters to scratch registers, and using the saved configuration to enable DRAM during warmboot.
 +
 +
The code that parses these parameters does if (params->EmcBctSpareN) *params->EmcBctSpareN = params->EmcBctSpareNPlusOne for most N, without validating either the address or value written to it.
 +
There are other arbitrary writes in this code, as well.
 +
 +
This allows a user with access to the PMC registers (via pre-sleep bpmp execution, or otherwise) to gain arbitrary bootrom code execution.
 +
| None
 +
| HAC-001 (Tegra210)
 +
| 2017
 +
| December 16, 2018
 +
| Everyone (independently).
 
|}
 
|}
  
Retrieved from "https://switchbrew.org/wiki/Special:MobileDiff/5821"

Navigation menu