Added checks for xIndex in ThreadLocalStorage APIs

It was possible for a third party that already independently gained the
ability to execute injected code to read from or write to arbitrary
addresses by passing a negative argument as the xIndex parameter to
pvTaskGetThreadLocalStoragePointer() or
vTaskSetThreadLocalStoragePointer(), respectively.

This commit adds checks to ensure that passing a negative argument as
the xIndex parameter does not cause arbitrary read or write.

We thank Certibit Consulting, LLC for reporting this issue.

Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Gaurav Aggarwal 2022-09-16 15:17:39 +05:30 committed by Gaurav-Aggarwal-AWS
parent da73aa6329
commit 7a98bd8d78


@ -3600,7 +3600,8 @@ static portTASK_FUNCTION( prvIdleTask, pvParameters )
{ {
TCB_t * pxTCB; TCB_t * pxTCB;
if( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS ) if( ( xIndex >= 0 ) &&
( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS ) )
{ {
pxTCB = prvGetTCBFromHandle( xTaskToSet ); pxTCB = prvGetTCBFromHandle( xTaskToSet );
configASSERT( pxTCB != NULL ); configASSERT( pxTCB != NULL );
@ -3619,7 +3620,8 @@ static portTASK_FUNCTION( prvIdleTask, pvParameters )
void * pvReturn = NULL; void * pvReturn = NULL;
TCB_t * pxTCB; TCB_t * pxTCB;
if( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS ) if( ( xIndex >= 0 ) &&
( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS ) )
{ {
pxTCB = prvGetTCBFromHandle( xTaskToQuery ); pxTCB = prvGetTCBFromHandle( xTaskToQuery );
pvReturn = pxTCB->pvThreadLocalStoragePointers[ xIndex ]; pvReturn = pxTCB->pvThreadLocalStoragePointers[ xIndex ];
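Review bot: In the query path, `pxTCB` is dereferenced straight after `prvGetTCBFromHandle( xTaskToQuery )` without the `configASSERT( pxTCB != NULL );` that the set path has after its own lookup, so the two APIs validate the handle differently. Adding `configASSERT( pxTCB != NULL );` before `pvReturn = pxTCB->pvThreadLocalStoragePointers[ xIndex ];` would make them consistent. Separately, an out-of-range `xIndex` now appears to be rejected silently: the getter returns the initial `NULL`, which a caller cannot tell apart from an unset slot, and the setter appears to drop the write. Both function bodies start and end outside the hunks, so this is inferred; if no else branch exists, a short comment at each check such as `/* Out-of-range xIndex (including negative values) is ignored. */` would document the contract.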