Line 211:
Line 211:
|-
|-
| SDI
| SDI
β
| Register access IOCTLs use ints for register IDs
+
| Register access IOCTLs use ints for register IDs {{Anchor|ios-sdiregisterid}}
| IOCTLs 1 and 2 in [[:/dev/sdio]] devices are used to write or read register values. When passing 4 at offset 0xC in the in buffer, this manipulation appears to happen in some cached register set linked to the file descriptor. If an index outside this pool is passed, it becomes possible to access arbitrary memory that SDI can access.
| IOCTLs 1 and 2 in [[:/dev/sdio]] devices are used to write or read register values. When passing 4 at offset 0xC in the in buffer, this manipulation appears to happen in some cached register set linked to the file descriptor. If an index outside this pool is passed, it becomes possible to access arbitrary memory that SDI can access.
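Review bot: the new anchor name `ios-sdiregisterid` matches the `ios-` plus component plus short name pattern used elsewhere in the table (`ios-stmrelease`), so it is consistent, but the description it is attached to is still hedged ("appears to happen in some cached register set") with no source given. Either cite where the cached register set behaviour was observed (a reverse-engineering note or the installer version that relies on it) or mark the row as unverified, so readers can tell confirmed behaviour from speculation.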
Line 217:
Line 217:
| Leaking or rewriting memory as SDI. Possibly used by [[HackMii Installer]] 0.5 and 0.6.
| Leaking or rewriting memory as SDI. Possibly used by [[HackMii Installer]] 0.5 and 0.6.
| [[4.2rev04]]
| [[4.2rev04]]
β
| Unknown (documented in May 2022)
+
| {{SortableMonth}} (documented in May 2022)
| Unknown
| Unknown
|-
|-
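Review bot: `{{SortableMonth}}` is invoked here with no parameter even though the text that follows gives a concrete date ("documented in May 2022"); check whether the template expects the month as an argument for the sort key, since a bare call will sort this row the same as the other undated rows and the parenthetical date will be invisible to sorting. The same bare invocation is used on the STM release bug row, so whichever form is correct should be applied to both. The "Possibly used by [[HackMii Installer]] 0.5 and 0.6" claim in this row also has no reference.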
Line 228:
Line 228:
| {{User|Fullmetal5}}
| {{User|Fullmetal5}}
|-
|-
β
| STM
+
| STM
β
| STM release bug {{Anchor|ios-stmrelease}}
+
| STM release bug {{Anchor|ios-stmrelease}}
β
| The state transition manager checks if a handle is invalid before releasing it, but forgets to actually refuse to release it if it is invalid. More information can be seen at [[STM Release Exploit]]
+
| The state transition manager checks if a handle is invalid before releasing it, but forgets to actually refuse to release it if it is invalid. More information can be seen at [[STM Release Exploit]]
| Control over IOS can be gained.
| Control over IOS can be gained.
| [[4.0]]
| [[4.0]]
| {{SortableMonth}}
| {{SortableMonth}}
| [[fail0verflow]], Anonymous person (from reverse engineering [[Homebrew Channel]] installer)
| [[fail0verflow]], Anonymous person (from reverse engineering [[Homebrew Channel]] installer)
+
|-
+
| STM
+
| [[:/dev/stm/eventhook|STM_EventHook]] output size is not checked {{Anchor|ios-stmeventout}}
+
| When releasing an event hook through [[:/dev/stm/immediate]], STM writes a 0 word to the output buffer for the STM_EventHook request that was waiting. This code does not check whether the output buffer has the right amount of space, meaning if the size is set to 0, the kernel will not verify any addresses when passing an output address, and an arbitrary pointer accessible by STM can be zeroed by releasing the hook.
+
| Zeroing any memory as STM. Possibly used in the pre-0.5 versions of the [[HackMii Installer]].
+
| [[4.2]]
+
| {{SortableMonth}} (documented in May 2022)
+
| Unknown
|}
|}
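Review bot: the four STM release bug lines (component, title, description, and the removed/added pairs above them) are shown as removed and re-added with identical visible content, so this part of the change is whitespace-only and could be reverted to keep the diff limited to the new row; if the intent was to touch them, the description still ends without a period after "[[STM Release Exploit]]". For the new `STM_EventHook` row, the fix column cites [[4.2]] while the SDI row above cites [[4.2rev04]]; confirm whether this bug was fixed in 4.2 proper or also in a revision, and add a reference for "Possibly used in the pre-0.5 versions of the [[HackMii Installer]]" or drop the speculation, since the discoverer column is already "Unknown".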