From 7a98bd8d7831fc6a17c0d8d75d3ff8b19a896b21 Mon Sep 17 00:00:00 2001
From: Gaurav Aggarwal <aggarg@amazon.com>
Date: Fri, 16 Sep 2022 15:17:39 +0530
Subject: [PATCH] Added checks for xIndex in ThreadLocalStorage APIs

It was possible for a third party that already independently gained the
ability to execute injected code to read from or write to arbitrary
addresses by passing a negative argument as the xIndex parameter to
pvTaskGetThreadLocalStoragePointer() or
vTaskSetThreadLocalStoragePointer respectively.

This commit adds checks to ensure that passing a negative argument as
the xIndex parameter does not cause arbitrary read or write.

We thank Certibit Consulting, LLC for reporting this issue.

Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
---
 tasks.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tasks.c b/tasks.c
index 8a7bf9875..2435d7051 100644
--- a/tasks.c
+++ b/tasks.c
@@ -3600,7 +3600,8 @@ static portTASK_FUNCTION( prvIdleTask, pvParameters )
     {
         TCB_t * pxTCB;
 
-        if( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS )
+        if( ( xIndex >= 0 ) &&
+            ( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS ) )
         {
             pxTCB = prvGetTCBFromHandle( xTaskToSet );
             configASSERT( pxTCB != NULL );
@@ -3619,7 +3620,8 @@ static portTASK_FUNCTION( prvIdleTask, pvParameters )
         void * pvReturn = NULL;
         TCB_t * pxTCB;
 
-        if( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS )
+        if( ( xIndex >= 0 ) &&
+            ( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS ) )
         {
             pxTCB = prvGetTCBFromHandle( xTaskToQuery );
             pvReturn = pxTCB->pvThreadLocalStoragePointers[ xIndex ];