Remove local stack variable form MPU wrappers

It was possible for a third party that had already independently gained the ability to execute injected code to achieve further privilege escalation by branching directly inside a FreeRTOS MPU API wrapper function with a manually crafted stack frame. This commit removes the local stack variable `xRunningPrivileged` so that a manually crafted stack frame cannot be used for privilege escalation by branching directly inside a FreeRTOS MPU API wrapper. We thank Certibit Consulting, LLC, Huazhong University of Science and Technology and the SecLab team at Northeastern University for reporting this issue. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
2025-08-19 17:48:33 -04:00 · 2022-09-07 14:57:37 +05:30 · 2022-09-07 14:57:37 +05:30 · 79704b8213
commit 79704b8213
parent c2d616eaee
7 changed files with 1693 additions and 490 deletions
--- a/include/mpu_wrappers.h
+++ b/include/mpu_wrappers.h
@ -173,36 +173,6 @@
        #define PRIVILEGED_DATA         __attribute__( ( section( "privileged_data" ) ) )
        #define FREERTOS_SYSTEM_CALL    __attribute__( ( section( "freertos_system_calls" ) ) )

-/**
- * @brief Calls the port specific code to raise the privilege.
- *
- * Sets xRunningPrivileged to pdFALSE if privilege was raised, else sets
- * it to pdTRUE.
- */
-        #define xPortRaisePrivilege( xRunningPrivileged )                  \
-    {                                                                      \
-        /* Check whether the processor is already privileged. */           \
-        ( xRunningPrivileged ) = portIS_PRIVILEGED();                      \
-                                                                           \
-        /* If the processor is not already privileged, raise privilege. */ \
-        if( ( xRunningPrivileged ) == pdFALSE )                            \
-        {                                                                  \
-            portRAISE_PRIVILEGE();                                         \
-        }                                                                  \
-    }
-
-/**
- * @brief If xRunningPrivileged is not pdTRUE, calls the port specific
- * code to reset the privilege, otherwise does nothing.
- */
-        #define vPortResetPrivilege( xRunningPrivileged ) \
-    {                                                     \
-        if( ( xRunningPrivileged ) == pdFALSE )           \
-        {                                                 \
-            portRESET_PRIVILEGE();                        \
-        }                                                 \
-    }
-
    #endif /* MPU_WRAPPERS_INCLUDED_FROM_API_FILE */

 #else /* portUSING_MPU_WRAPPERS */