Hello, 2 days ago, @TuxSH revealed (on 3dbrew) a bug he found in the ARM11 kernel.
Summary: svcGetThreadList (svc 0x66) process reference leak
Description given: When given a valid process handle (including 0xFFFF8001), svcGetThreadList forgets to decrement the reference count of the underlying KProcess instance after having finished using it.
What could happen if we exploit this bug: Before 11.2: reference count overflow and therefore use-after-free, but this UAF was most likely not exploitable.
Note (by me, lol):
- 0xFFFF8001 = Current KProcess Handle
- Kernel objects are C++ classes with virtual methods, so they have a vtable (so, if you find a UAF bug in KObject management, it is "probably" exploitable)
From what I understood, if that UAF were exploitable, it would lead to K11 code execution, because it means a vtable call (from a forged vtable).
And psst... a kernel exploit doesn't always mean code execution.
Last edited by NexoCube,
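The reference-leak pattern described in the post, modelled as an added example that is not code from the 3DS kernel or from TuxSH: a simplified kernel object with an intrusive refcount, a handle lookup that hands out a reference, the leaky svc shape beside the fixed one, and a lookup that refuses to wrap the counter. All type and function names (`kobject_t`, `handle_to_object`, `kobject_release`, the two `svc_get_thread_list_*` variants) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of a kernel object with an intrusive reference count.
 * Not the real ARM11 KProcess layout; names are assumptions. */
typedef struct {
    uint32_t refcount;   /* live references; object is freed when it hits 0 */
    bool freed;          /* models the object having been returned to the heap */
} kobject_t;

#define HANDLE_CURRENT_PROCESS 0xFFFF8001u   /* value quoted in the post */

/* Resolving a handle hands the caller a reference (refcount++).
 * Refuses to hand out a reference rather than let the counter wrap,
 * which is the overflow-to-UAF path the post mentions. */
static kobject_t *handle_to_object(kobject_t *cur_proc, uint32_t handle) {
    if (handle != HANDLE_CURRENT_PROCESS || cur_proc->freed) return NULL;
    if (cur_proc->refcount == UINT32_MAX) return NULL;   /* saturate, never wrap */
    cur_proc->refcount++;
    return cur_proc;
}

/* Dropping a reference; the last one frees the object. */
static void kobject_release(kobject_t *obj) {
    if (--obj->refcount == 0) obj->freed = true;
}

/* Buggy shape: uses the process but never releases the reference it took. */
int svc_get_thread_list_leaky(kobject_t *cur_proc, uint32_t handle) {
    kobject_t *p = handle_to_object(cur_proc, handle);
    if (p == NULL) return -1;
    /* ... enumerate threads of p here ... */
    return 0;   /* missing kobject_release(p): one reference leaks per call */
}

/* Fixed shape: every successful lookup is paired with a release. */
int svc_get_thread_list_fixed(kobject_t *cur_proc, uint32_t handle) {
    kobject_t *p = handle_to_object(cur_proc, handle);
    if (p == NULL) return -1;
    /* ... enumerate threads of p here ... */
    kobject_release(p);
    return 0;
}

/* Drives an svc n times against a fresh process object and reports the
 * resulting refcount, so the leak is visible as a count that grows per call. */
uint32_t refcount_after(int (*svc)(kobject_t *, uint32_t), unsigned n) {
    kobject_t proc = { .refcount = 1, .freed = false };   /* constructed sample */
    for (unsigned i = 0; i < n; i++) svc(&proc, HANDLE_CURRENT_PROCESS);
    return proc.refcount;
}
```

The leaky variant grows the count by one per call while the fixed variant leaves it at its initial value; the saturating check in the lookup is the kind of guard that turns a leak into a denial of service instead of a wrap to zero.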