rt-thread icon indicating copy to clipboard operation
rt-thread copied to clipboard
verified publisher icon RT-Thread

[Bug] Insufficient parameter validation vulnerability in the sockaddr_tolwip in Smart version of RT-Thread

Open x-codingman opened this issue 7 months ago • 0 comments

RT-Thread Version

v5.1.0

Hardware Type/Architectures

Not apply

Develop Toolchain

Other

Describe the bug

Summary

I have identified a vulnerability in the sys_sendto system call in the Smart version of RT-Thread v5.1.0. This vulnerability stems from insufficient pointer validation in the sockaddr_tolwip function, which is called by sys_sendto. The code only checks if the pointer is NULL but fails to verify whether the pointer points to valid memory. If exploited by a compromised user thread, this issue could lead to severe security consequences, including kernel crashes and potential unauthorized memory access.

Vulnerable Code Location

The vulnerability is present in the rt-thread/components/lwp/lwp_syscall.c file. The issue arises from the lack of proper validation of the to parameter pointer. The call graph of this vulnerability is as follows:

  1. rt-thread/components/lwp/lwp_syscall.csys_sendto(int socket, const void *dataptr, size_t size, int flags, const struct musl_sockaddr *to, socklen_t tolen)
  2. rt-thread/components/lwp/lwp_syscall.c void sockaddr_tolwip(const struct musl_sockaddr *std, struct sockaddr *lwip)
sysret_t sys_sendto(int socket, const void *dataptr, size_t size, int flags,
    const struct musl_sockaddr *to, socklen_t tolen)
{
    int flgs = 0;
#ifdef ARCH_MM_MMU
    int ret = -1;
    void *kmem = RT_NULL;
#endif

    flgs = netflags_muslc_2_lwip(flags);
#ifdef ARCH_MM_MMU
    //Omitted code
    if (to)
    {
        struct sockaddr sa;
        sockaddr_tolwip(to, &sa); // Vulnerability function

        ret = sendto(socket, kmem, size, flgs, &sa, tolen);
    }
    else
    {
        ret = sendto(socket, kmem, size, flgs, NULL, tolen);
    }

    //Omitted code
    return (ret < 0 ? GET_ERRNO() : ret);
#endif
}

static void sockaddr_tolwip(const struct musl_sockaddr *std, struct sockaddr *lwip)
{
    if (std && lwip)
    {
        lwip->sa_len = sizeof(*lwip);
        lwip->sa_family = (sa_family_t) std->sa_family; // Vulnerability: Only checks if std is NULL, but doesn't verify if it points to valid memory
        memcpy(lwip->sa_data, std->sa_data, sizeof(lwip->sa_data));
    }
}

Vulnerability Description

The vulnerability exists in the sockaddr_tolwip function's handling of the std parameter. The code only performs a NULL check on the std pointer but fails to verify whether the pointer points to valid memory. This oversight can lead to a memory fault when dereferencing an invalid pointer. The issue is particularly critical because:

  1. The to parameter is passed directly from user space to kernel space
  2. The code only checks if the pointer is NULL (if (std && lwip))
  3. No validation is performed to ensure the pointer points to valid memory before dereferencing it
  4. When accessing std->sa_family and std->sa_data, a memory fault will occur if the pointer points to invalid memory
  5. The memcpy operation could potentially copy data from invalid memory locations

Impact

This vulnerability has severe security implications:

  1. Kernel Crash: The most immediate impact is a potential kernel crash due to invalid memory access, leading to a Denial of Service (DoS) condition.
  2. Privilege Escalation: In certain scenarios, this vulnerability could potentially be exploited to access kernel memory, leading to privilege escalation.

Other additional context

No response

x-codingman avatar May 20 '25 05:05 x-codingman