[snip]
Usually 3dbrew writers don't provide actual unknown vulnerabilities, so I'm still wondering whether the following description is correct.
Yellows8 doesn't mention the possibility that s32_processorid is negative. It can result in kernel memory corruption, and eventually kernel code execution.
So, I wrote this simple PoC by modifying an example included in ctrulib.
[snip]
svcCreateThread actually returned 0 and the created thread didn't seem to work. So my experiment was probably successful.
Anyway, note the following things.
- It has so many limitations and is not so easy to exploit.
- It's just an ARM11 kernel vulnerability, not an ARM9 one.
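The post snips both the PoC and the kernel's own check, so the example below is an added illustration of the bug class being described, not the author's PoC and not the 3DS kernel's code. It shows a signed processor id validated only against an upper bound (which lets negative values through and turns the id into an out-of-bounds table index) beside a check that also rejects negative values, and a bounded lookup built on the fixed check. `NUM_CORES`, the `core_state` table and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Assumed core count and a constructed per-core table standing in for
 * whatever kernel state the processor id is used to index. */
#define NUM_CORES 4
static uint32_t core_state[NUM_CORES];

/* Weak check: only the upper bound is tested. A negative s32 id passes,
 * and using it as an index points before the start of the table. */
bool processorid_in_range_weak(int32_t id)
{
    return id < NUM_CORES;
}

/* Fixed check: reject negative ids explicitly. */
bool processorid_in_range_fixed(int32_t id)
{
    return id >= 0 && id < NUM_CORES;
}

/* Equivalent single-comparison idiom: casting a negative int32 to uint32
 * yields a large value, so one unsigned compare rejects negatives too. */
bool processorid_in_range_unsigned(int32_t id)
{
    return (uint32_t)id < (uint32_t)NUM_CORES;
}

/* Byte offset from the start of the table that an id would address.
 * Demonstrates why an unchecked negative id is a memory-safety problem:
 * the offset is negative, i.e. outside the object. */
ptrdiff_t table_offset_for(int32_t id)
{
    return (ptrdiff_t)id * (ptrdiff_t)sizeof(core_state[0]);
}

/* Bounded lookup using the fixed check. Returns NULL instead of ever
 * forming an out-of-bounds pointer. */
uint32_t *core_state_lookup(int32_t id)
{
    if (!processorid_in_range_fixed(id))
        return NULL;
    return &core_state[id];
}
```

The defensive point is the missing lower bound: a signed id compared only with `<` against the table size is accepted when negative, so any kernel interface that takes a signed selector should either test both bounds or compare as unsigned, and callers should treat a NULL from the bounded lookup as an invalid-argument error rather than a valid slot.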