From fc253649315aed0be745970fb73a803c2d8ee85f Mon Sep 17 00:00:00 2001 From: Archit Gupta Date: Mon, 15 Jun 2026 17:34:12 +0000 Subject: [PATCH 1/4] Fix duplicate Doxygen \defgroup id for uxTaskBasePriorityGet (#1426) uxTaskBasePriorityGet reused the \defgroup id 'uxTaskPriorityGet' already defined by uxTaskPriorityGet, only with a different title. Doxygen reported: task.h: warning: group uxTaskPriorityGet: ignoring title "uxTaskBasePriorityGet" that does not match old title "uxTaskPriorityGet" Give uxTaskBasePriorityGet its own group id so both functions are documented correctly. --- include/task.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/task.h b/include/task.h index 2a19fa73f..2add58b94 100644 --- a/include/task.h +++ b/include/task.h @@ -1050,7 +1050,7 @@ UBaseType_t uxTaskPriorityGetFromISR( const TaskHandle_t xTask ) PRIVILEGED_FUNC * * @return The base priority of xTask. * - * \defgroup uxTaskPriorityGet uxTaskBasePriorityGet + * \defgroup uxTaskBasePriorityGet uxTaskBasePriorityGet * \ingroup TaskCtrl */ UBaseType_t uxTaskBasePriorityGet( const TaskHandle_t xTask ) PRIVILEGED_FUNCTION; From 83e56c38ee181357a3a95ece7b57c515fed70d2b Mon Sep 17 00:00:00 2001 From: Archit Gupta Date: Mon, 15 Jun 2026 22:30:25 +0000 Subject: [PATCH 2/4] Disallow unprivileged critical sections with MPU wrappers v2 (#1427) When using MPU wrappers version 2 (configUSE_MPU_WRAPPERS_V1 == 0), portRAISE_PRIVILEGE() is a no-op because the portSVC_RAISE_PRIVILEGE handler is compiled only for MPU wrappers version 1. As a result, an unprivileged task that calls taskENTER_CRITICAL() does not actually raise its privilege, so the subsequent BASEPRI write is ignored by the hardware and the critical section silently fails to mask interrupts. This produces latent, hard-to-debug faults. configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is therefore not supported with MPU wrappers version 2. In the ARMv7-M MPU ports: - When the option is left undefined under v2, default it to 0 instead of 1 so the dangerous default configuration is safe. - When the option is explicitly set to 1 under v2, raise a compile-time #error so the unsupported configuration is rejected loudly rather than failing silently at run time. Behaviour for MPU wrappers version 1 is unchanged. --- portable/GCC/ARM_CM3_MPU/port.c | 14 ++++++++++++-- portable/GCC/ARM_CM4_MPU/port.c | 14 ++++++++++++-- portable/IAR/ARM_CM4F_MPU/port.c | 14 ++++++++++++-- portable/RVDS/ARM_CM4_MPU/port.c | 14 ++++++++++++-- 4 files changed, 48 insertions(+), 8 deletions(-) diff --git a/portable/GCC/ARM_CM3_MPU/port.c b/portable/GCC/ARM_CM3_MPU/port.c index 8c4dd7800..c8d3439b6 100644 --- a/portable/GCC/ARM_CM3_MPU/port.c +++ b/portable/GCC/ARM_CM3_MPU/port.c @@ -55,9 +55,19 @@ #define portNVIC_SYSTICK_CLK ( 0 ) #endif +/* Unprivileged critical sections are not supported when using MPU wrappers + * version 2. Default the option to 0 and reject an explicit value of 1. */ #ifndef configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS - #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security." - #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 1 + #if ( configUSE_MPU_WRAPPERS_V1 == 0 ) + #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 0 + #else + #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security." + #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 1 + #endif +#else + #if ( ( configUSE_MPU_WRAPPERS_V1 == 0 ) && ( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 ) ) + #error configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not supported with MPU wrappers version 2 ( configUSE_MPU_WRAPPERS_V1 == 0 ). + #endif #endif /* Prototype of all Interrupt Service Routines (ISRs). */ diff --git a/portable/GCC/ARM_CM4_MPU/port.c b/portable/GCC/ARM_CM4_MPU/port.c index 79f5e76d5..5a3527157 100644 --- a/portable/GCC/ARM_CM4_MPU/port.c +++ b/portable/GCC/ARM_CM4_MPU/port.c @@ -59,9 +59,19 @@ #define portNVIC_SYSTICK_CLK ( 0 ) #endif +/* Unprivileged critical sections are not supported when using MPU wrappers + * version 2. Default the option to 0 and reject an explicit value of 1. */ #ifndef configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS - #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security." - #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 1 + #if ( configUSE_MPU_WRAPPERS_V1 == 0 ) + #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 0 + #else + #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security." + #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 1 + #endif +#else + #if ( ( configUSE_MPU_WRAPPERS_V1 == 0 ) && ( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 ) ) + #error configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not supported with MPU wrappers version 2 ( configUSE_MPU_WRAPPERS_V1 == 0 ). + #endif #endif /* Prototype of all Interrupt Service Routines (ISRs). */ diff --git a/portable/IAR/ARM_CM4F_MPU/port.c b/portable/IAR/ARM_CM4F_MPU/port.c index 720138f08..0441e0f0c 100644 --- a/portable/IAR/ARM_CM4F_MPU/port.c +++ b/portable/IAR/ARM_CM4F_MPU/port.c @@ -66,9 +66,19 @@ #define portNVIC_SYSTICK_CLK_BIT ( 0 ) #endif +/* Unprivileged critical sections are not supported when using MPU wrappers + * version 2. Default the option to 0 and reject an explicit value of 1. */ #ifndef configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS - #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security." - #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 1 + #if ( configUSE_MPU_WRAPPERS_V1 == 0 ) + #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 0 + #else + #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security." + #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 1 + #endif +#else + #if ( ( configUSE_MPU_WRAPPERS_V1 == 0 ) && ( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 ) ) + #error configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not supported with MPU wrappers version 2 ( configUSE_MPU_WRAPPERS_V1 == 0 ). + #endif #endif /* Prototype of all Interrupt Service Routines (ISRs). */ diff --git a/portable/RVDS/ARM_CM4_MPU/port.c b/portable/RVDS/ARM_CM4_MPU/port.c index 450b86211..8620325ca 100644 --- a/portable/RVDS/ARM_CM4_MPU/port.c +++ b/portable/RVDS/ARM_CM4_MPU/port.c @@ -48,9 +48,19 @@ #undef MPU_WRAPPERS_INCLUDED_FROM_API_FILE +/* Unprivileged critical sections are not supported when using MPU wrappers + * version 2. Default the option to 0 and reject an explicit value of 1. */ #ifndef configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS - #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security." - #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 1 + #if ( configUSE_MPU_WRAPPERS_V1 == 0 ) + #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 0 + #else + #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security." + #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 1 + #endif +#else + #if ( ( configUSE_MPU_WRAPPERS_V1 == 0 ) && ( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 ) ) + #error configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not supported with MPU wrappers version 2 ( configUSE_MPU_WRAPPERS_V1 == 0 ). + #endif #endif /* Prototype of all Interrupt Service Routines (ISRs). */ From e146d6444c3d80b60dc75735438dc6c21d533747 Mon Sep 17 00:00:00 2001 From: Srikanth Patchava Date: Mon, 15 Jun 2026 21:34:07 -0700 Subject: [PATCH 3/4] fix: TOCTOU race condition in vTaskListTasks() Read uxCurrentNumberOfTasks once into uxArraySize and use that local variable for both the size check and pvPortMalloc() call. The previous code read the volatile variable twice, allowing a task to be created between the reads, resulting in an undersized allocation that could cause a buffer overflow in uxTaskGetSystemState(). --- tasks.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks.c b/tasks.c index b0299d12b..461271fcf 100644 --- a/tasks.c +++ b/tasks.c @@ -7362,7 +7362,7 @@ STATIC void prvResetNextTaskUnblockTime( void ) /* MISRA Ref 11.5.1 [Malloc memory assignment] */ /* More details at: https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/main/MISRA.md#rule-115 */ /* coverity[misra_c_2012_rule_11_5_violation] */ - pxTaskStatusArray = pvPortMalloc( uxCurrentNumberOfTasks * sizeof( TaskStatus_t ) ); + pxTaskStatusArray = pvPortMalloc( uxArraySize * sizeof( TaskStatus_t ) ); if( pxTaskStatusArray != NULL ) { @@ -7531,7 +7531,7 @@ STATIC void prvResetNextTaskUnblockTime( void ) /* MISRA Ref 11.5.1 [Malloc memory assignment] */ /* More details at: https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/main/MISRA.md#rule-115 */ /* coverity[misra_c_2012_rule_11_5_violation] */ - pxTaskStatusArray = pvPortMalloc( uxCurrentNumberOfTasks * sizeof( TaskStatus_t ) ); + pxTaskStatusArray = pvPortMalloc( uxArraySize * sizeof( TaskStatus_t ) ); if( pxTaskStatusArray != NULL ) { From 49cec3e9b27e517ac5ea5db5482c59f937e6aea4 Mon Sep 17 00:00:00 2001 From: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon, 22 Jun 2026 14:52:21 -0700 Subject: [PATCH 4/4] docs: link FreeRTOS kernel threat model in SECURITY.md --- .github/SECURITY.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 1472c0c86..83ca1bbe8 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -1,3 +1,13 @@ +## Threat model + +Before reporting an issue, please review the FreeRTOS kernel threat model. It +describes the security assumptions the kernel makes, which threats are in scope, +and the protections the kernel does and does not provide. Understanding these +boundaries helps determine whether an observed behavior is a security +vulnerability or expected, documented behavior. + +- [FreeRTOS Kernel Threat Model](https://www.freertos.org/Security/02-Kernel-threat-model) + ## Reporting a Vulnerability If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security