Changes

431 bytes added, 22:08, 27 December 2016
get_process_name (syscall 0x6) signed comparison fail
Line 133: Line 133:  
However, if a new thread is created as "detached" (detached state set to true), the top 0x24 bytes of the thread's stack are memset back to null.
 
However, if a new thread is created as "detached" (detached state set to true), the top 0x24 bytes of the thread's stack are memset back to null.
 
By creating several new detached threads and aligning their stacks carefully, it becomes possible to build a NOP sled again.
 
By creating several new detached threads and aligning their stacks carefully, it becomes possible to build a NOP sled again.
 +
 +
===get_process_name (syscall 0x6) signed comparison fail===
 +
'''Present in system versions''': 1.0.0-5.5.1
 +
 +
'''Publicly exploited''': No (but easy to exploit)
 +
 +
'''Discovered by''': plutoo, Mrrraou (independently, on October 31th 2016)
 +
 +
get_process_name (syscall 0x6) does a signed comparison for the pid parameter (r0) and does not check if the pid is negative, which allows an arbitrary 0x20 bytes kernel read to userland memory.
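Review bot: the new entry does not say which kernel structure the unchecked (negative) pid in r0 is used to index, so a reader cannot tell what memory the 0x20-byte read actually returns or how far below the process table it can reach; the "'''Present in system versions''': 1.0.0-5.5.1" line also implies the bug was closed in the following release, but neither the fix version nor the nature of the fix (for example, rejecting the call when the pid is negative, or treating it as unsigned before the bounds compare) is recorded. Suggest adding a "'''Fixed in''':" line next to the other bold headers and one sentence on where the pid is consumed. Minor: "October 31th 2016" should read "October 31st 2016", and "an arbitrary 0x20 bytes kernel read" reads better as "an arbitrary 0x20-byte kernel read".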