Line 118: |
Line 118: |
| | {{SortableMonth}} | | | {{SortableMonth}} |
| | Unknown | | | Unknown |
| + | |- |
| + | | Kernel |
| + | | /dev/sha does not correctly validate the destination vector {{Anchor|ios-shaaddr}} |
| + | | /dev/sha does not check the length of an output vector for ioctlv 0 (SHA_Init), allowing the IOS memory bounds check to be bypassed by setting the length to 0. SHA_Init will attempt to initialise a context into the destination address regardless, and in doing so sets a few values within to 0. By providing the thread context of the kernel idle thread as the destination vector, IOS's kernel will branch to memory address 0. |
| + | | Running IOS kernel-mode code in memory controllable via the PowerPC. |
| + | | Unfixed |
| + | | {{SortableMonth|May|2021}} |
| + | | {{User|TheLordScruffy}} |
| |- | | |- |
| | ES | | | ES |
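Review bot: The title cell and the description cell of the added Kernel row name the defect differently. The title says /dev/sha "does not correctly validate the destination vector", while the description says the missing check is on the length of the output vector for ioctlv 0 (SHA_Init). Suggest wording the title around the unchecked output-vector length. The description could also state outright that SHA_Init writes the context without verifying that the supplied length covers it, so the row records the root cause a fix would address. In the same cell, "sets a few values within to 0" leaves the link to "branch to memory address 0" implicit; one connecting clause would make the entry self-contained.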