len0rd/FreeRTOS-Kernel
1
0
Fork 0
mirror of https://github.com/FreeRTOS/FreeRTOS-Kernel.git synced 2025-09-01 11:53:53 -04:00
Code Issues Projects Releases Packages Wiki Activity

Remove local stack variable form MPU wrappers

Browse source 
It was possible for a third party that had already independently gained
the ability to execute injected code to achieve further privilege
escalation by branching directly inside a FreeRTOS MPU API wrapper
function with a manually crafted stack frame. This commit removes the
local stack variable `xRunningPrivileged` so that a manually crafted
stack frame cannot be used for privilege escalation by branching
directly inside a FreeRTOS MPU API wrapper.

We thank Certibit Consulting, LLC, Huazhong University of Science and
Technology and the SecLab team at Northeastern University for reporting
this issue.

Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
This commit is contained in:
Gaurav Aggarwal 2022-09-07 14:57:37 +05:30 committed by Gaurav-Aggarwal-AWS
parent c2d616eaee
commit 79704b8213
7 changed files with 1693 additions and 490 deletions
Download patch file Download diff file Expand all files Collapse all files

56
portable/GCC/ARM_CM4_MPU/port.c
View file

@ -549,15 +549,26 @@ void vPortEndScheduler( void )
void vPortEnterCritical( void )
{
#if( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 )
BaseType_t xRunningPrivileged;
xPortRaisePrivilege( xRunningPrivileged );
#endif
if( portIS_PRIVILEGED() == pdFALSE )
{
portRAISE_PRIVILEGE();
portMEMORY_BARRIER();
portDISABLE_INTERRUPTS();
uxCriticalNesting++;
portMEMORY_BARRIER();
portRESET_PRIVILEGE();
portMEMORY_BARRIER();
}
else
{
portDISABLE_INTERRUPTS();
uxCriticalNesting++;
}
#else
portDISABLE_INTERRUPTS();
uxCriticalNesting++;
#if( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 )
vPortResetPrivilege( xRunningPrivileged );
#endif
}
/*-----------------------------------------------------------*/
@ -565,10 +576,34 @@ void vPortEnterCritical( void )
void vPortExitCritical( void )
{
#if( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 )
BaseType_t xRunningPrivileged;
xPortRaisePrivilege( xRunningPrivileged );
#endif
if( portIS_PRIVILEGED() == pdFALSE )
{
portRAISE_PRIVILEGE();
portMEMORY_BARRIER();
configASSERT( uxCriticalNesting );
uxCriticalNesting--;
if( uxCriticalNesting == 0 )
{
portENABLE_INTERRUPTS();
}
portMEMORY_BARRIER();
portRESET_PRIVILEGE();
portMEMORY_BARRIER();
}
else
{
configASSERT( uxCriticalNesting );
uxCriticalNesting--;
if( uxCriticalNesting == 0 )
{
portENABLE_INTERRUPTS();
}
}
#else
configASSERT( uxCriticalNesting );
uxCriticalNesting--;
@ -576,9 +611,6 @@ void vPortExitCritical( void )
{
portENABLE_INTERRUPTS();
}
#if( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 )
vPortResetPrivilege( xRunningPrivileged );
#endif
}
/*-----------------------------------------------------------*/