john

So finding that untethered iBoot-1145.3(.3) 0day is just not my fate And all the people who could help me with that are so fucking tired of my annoyance that no longer even talk to me

Anyway, I think I'm done with all this nonsense, completely this time. I struggle with F20.0 and people with F20.0 are usually dumber than healthy people - I feel that every day I live this frigging life

On the other hand, someone told me I’m on “the right path”, when I told them about this discovery, so maybe it’s not that useless in the end?

Unfortunately, certificate data isn’t modified in any way while validation, so that bug doesn’t seem to be very useful. Maybe there’s a point to look inside of PKI code?

For example, you can make CERT’s buffer length value a very big number, overlaping the Image3, load area, SRAM itself… By constructing malformed certificate I managed to trigger ARM prefetch abort exception (it tried to read somewhere far behind the SRAM bounds)

So by setting shsh_tag->itBufferLength to a high enough value, but not that high to overflow sizeNoPack bounds, you can corrupt CERT tag header and data!

On A6 it leads to a panic! But don’t worry, it’s just an assertion in malloc() (“malloc() must allocate at least one byte” or something like this) triggered when it cannot allocate anything

The caller then passes it to image3InstantiateFromBuffer() with copyBuffer arg set to true. That arg makes it allocate a new buffer on the heap for the image and copy it to there

But unfortunately checks around it are too good (are they actually?)

Although the expression is arithmetically same, there’s no summing anymore, only subtraction. Underflowing the right part of the expression would have been very convenient, as it will allow arbitrary number of bytes to be memsetted

This line validates buffer length of SHSH tag. But if we set shsh_tag->itBufferLength to a high enough value (near 0xFFFFFFFF), the sum will overflow and become a small number, so the check will be passed