Editing Vulnerabilities
Latest revision vs. your text, from line 1,293 (the sys_thr_get_ucontext section below exists only in your text):

==== Patched ====
'''Yes''' somewhere between 6.00 and 6.20 FW
----
=== FW <= 4.07 - sys_thr_get_ucontext Information Leak (kASLR defeat) ===
==== Analysis ====
[https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md#vector-sys_thr_get_ucontext Specter's Writeup]
==== Bug Description ====
System call 634, sys_thr_get_ucontext(), returns information about a given thread. The vulnerability is that some regions of the buffer copied out to user space are never initialized, so the function leaks kernel memory at those offsets. This vector was patched in 4.50: the buffer is now zeroed with bzero() before it is used.
==== Exploit Implementation ====
[https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit PS4 4.05 WebKit + Kernel Exploit]
==== Patched ====
'''Yes''' in 4.50 FW
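The uninitialized-copyout pattern described above, and the bzero() fix, as an added illustration that is not the PS4 or FreeBSD kernel's own code: the struct layout, the field values and the "kernel stack slot" are hypothetical stand-ins.

```c
/* Added illustration of the uninitialized-copyout pattern behind the
 * sys_thr_get_ucontext() leak. The struct, values and "kernel stack slot"
 * are hypothetical stand-ins, not the PS4/FreeBSD kernel's own code. */
#include <stdint.h>
#include <string.h>

/* Hypothetical context record: the handler only ever fills pc and sp;
 * the reserved tail is copied out as-is. */
struct fake_ucontext {
    uint64_t pc;
    uint64_t sp;
    uint8_t  reserved[48];   /* never written by the handler */
};

/* Stand-in for the kernel stack slot the record lives in. In a real
 * kernel this holds whatever an earlier syscall left behind. */
static struct fake_ucontext kstack_slot;

static void dirty_kernel_stack(void) {
    /* Constructed marker standing in for stale kernel data. */
    memset(&kstack_slot, 0x41, sizeof kstack_slot);
}

/* Pre-4.50 pattern as the page describes it: fill the known fields,
 * then copy the whole record out without ever clearing the rest. */
static void get_ucontext_leaky(struct fake_ucontext *out) {
    kstack_slot.pc = 0x1000;
    kstack_slot.sp = 0x2000;
    memcpy(out, &kstack_slot, sizeof kstack_slot);   /* stands in for copyout() */
}

/* Patched pattern: zero the whole record before any field is set. */
static void get_ucontext_fixed(struct fake_ucontext *out) {
    memset(&kstack_slot, 0, sizeof kstack_slot);     /* the bzero() the fix added */
    kstack_slot.pc = 0x1000;
    kstack_slot.sp = 0x2000;
    memcpy(out, &kstack_slot, sizeof kstack_slot);
}

/* Number of reserved bytes that reached user space non-zero, i.e. bytes
 * of stale kernel memory the caller should never have seen. */
size_t leaked_bytes(int patched) {
    struct fake_ucontext out;
    size_t n = 0;
    dirty_kernel_stack();
    if (patched) get_ucontext_fixed(&out); else get_ucontext_leaky(&out);
    for (size_t i = 0; i < sizeof out.reserved; i++) n += out.reserved[i] != 0;
    return n;
}
```

With the leaky variant every one of the 48 reserved bytes carries stale data; with the zeroing added first, none do.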
----