RT-Thread
[Bug] Insufficient parameter validation vulnerability in the sys_thread_sigprocmask system call in Smart version of RT-Thread
RT-Thread Version
v5.1.0
Hardware Type/Architectures
Not apply
Develop Toolchain
Other
Describe the bug
Summary
I have identified a vulnerability in the sys_thread_sigprocmask system call in RT-Thread v5.1.0. I am opening this issue for your review, as I could not find a reporting email in the security policy of this repository. This vulnerability stems from insufficient validation of the how parameter, which is used as an array index without proper bounds checking. If exploited by a compromised user thread, this issue could lead to severe security consequences, including kernel crashes and potential unauthorized memory access.
Vulnerable Code Location
The vulnerability is present in the rt-thread/components/lwp/lwp_syscall.c file. The issue arises from the lack of proper validation of the how parameter before using it as an array index. The location of this vulnerability is as follows:
rt-thread/components/lwp/lwp_syscall.c: sys_thread_sigprocmask(int how, const lwp_sigset_t *sigset, lwp_sigset_t *oset, size_t size)
sysret_t sys_thread_sigprocmask(int how, const lwp_sigset_t *sigset, lwp_sigset_t *oset, size_t size)
{
int ret = -1;
lwp_sigset_t *pnewset = RT_NULL, *poldset = RT_NULL;
#ifdef ARCH_MM_MMU
lwp_sigset_t newset, oldset;
#endif /* ARCH_MM_MMU */
if (!size)
{
return -EINVAL;
}
if (!oset && !sigset)
{
return -EINVAL;
}
if (size != sizeof(lwp_sigset_t))
{
return -EINVAL;
}
if (oset)
{
#ifdef ARCH_MM_MMU
if (!lwp_user_accessable((void *)oset, size))
{
return -EFAULT;
}
poldset = &oldset;
#else
if (!lwp_user_accessable((void *)oset, size))
{
return -EFAULT;
}
poldset = oset;
#endif
}
if (sigset)
{
#ifdef ARCH_MM_MMU
if (!lwp_user_accessable((void *)sigset, size))
{
return -EFAULT;
}
lwp_get_from_user(&newset, (void *)sigset, sizeof(lwp_sigset_t));
pnewset = &newset;
#else
if (!lwp_user_accessable((void *)sigset, size))
{
return -EFAULT;
}
pnewset = (lwp_sigset_t *)sigset;
#endif
}
ret = lwp_thread_signal_mask(rt_thread_self(), mask_command_u2k[how], pnewset, poldset); //Vulnerability: how parameter is not validated before being used as an array index.
if (ret < 0)
{
return ret;
}
#ifdef ARCH_MM_MMU
if (oset)
{
lwp_put_to_user(oset, poldset, sizeof(lwp_sigset_t));
}
#endif
return (ret < 0 ? -EFAULT: ret);
}
Vulnerability Description
The vulnerability exists in the sys_thread_sigprocmask function's handling of the how parameter. The code uses how as an index into the mask_command_u2k array without validating its bounds. This oversight can lead to an out-of-bounds array access. The issue is particularly critical because:
-
The how parameter is passed directly from user space to kernel space
-
No validation is performed to ensure how is within the valid range of mask_command_u2k array
-
The value is used directly as an array index: mask_command_u2k[how]
-
This could lead to accessing memory outside the array bounds
-
The function performs proper validation for other parameters (size, pointers) but fails to validate the how parameter
Impact
This vulnerability has severe security implications:
-
Kernel Crash: The most immediate impact is a potential kernel crash due to out-of-bounds memory access, leading to a Denial of Service (DoS) condition.
-
Privilege Escalation: In certain scenarios, this vulnerability could potentially be exploited to access kernel memory, leading to privilege escalation.
Other additional context
No response
