rt-thread icon indicating copy to clipboard operation
rt-thread copied to clipboard
verified publisher icon RT-Thread

[Bug] Insufficient parameter validation vulnerability in the sys_recvfrom in Smart version of RT-Thread

Open x-codingman opened this issue 7 months ago • 0 comments

RT-Thread Version

v5.1.0

Hardware Type/Architectures

Not Apply

Develop Toolchain

Other

Describe the bug

Summary

I have identified a critical privilege escalation vulnerability in the sys_recvfrom system call in RT-Thread v5.1.0. This vulnerability stems from insufficient validation of the from parameter pointer in the sockaddr_tomusl function. An attacker can control this pointer to write to arbitrary kernel memory locations, potentially leading to privilege escalation and system compromise.

Vulnerable Code Location

The vulnerability is present in the rt-thread/components/lwp/lwp_syscall.c file. The issue arises from the lack of proper validation of the from parameter pointer before writing to it. The call graph of this vulnerability is as follows:

rt-thread/components/lwp/lwp_syscall.c: sys_recvfrom(int socket, void *mem, size_t len, int flags, struct musl_sockaddr *from, socklen_t *fromlen)

rt-thread/components/lwp/lwp_syscall.c: static void sockaddr_tomusl(const struct sockaddr *lwip, struct musl_sockaddr *std)

sysret_t sys_recvfrom(int socket, void *mem, size_t len, int flags,
      struct musl_sockaddr *from, socklen_t *fromlen)
{

   // Omitted code
    if (from)
    {
        struct sockaddr sa;

        ret = recvfrom(socket, kmem, len, flgs, &sa, fromlen);
        sockaddr_tomusl(&sa, from);
    }
    else
    {
        ret = recvfrom(socket, kmem, len, flgs, NULL, NULL);
    }
    // Omitted code
}

static void sockaddr_tomusl(const struct sockaddr *lwip, struct musl_sockaddr *std)
    {
        if (std && lwip)
        {
            std->sa_family = (uint16_t) lwip->sa_family;
            memcpy(std->sa_data, lwip->sa_data, sizeof(std->sa_data)); //Unauthorized memory write possible if std points to kernel memory or sensitive memory.
        }
    }

Vulnerability Description

The vulnerability exists in the sockaddr_tomusl function's handling of the std parameter. The code only performs a NULL check on the std pointer but fails to verify whether the pointer points to valid user-space memory. This oversight allows an attacker to write to arbitrary memory locations, including kernel memory. The issue is particularly critical because:

  1. The from parameter is passed directly from user space to kernel space

  2. The code only checks if the pointer is NULL (if (std && lwip))

  3. No validation is performed to ensure the pointer points to valid user-space memory

  4. The memcpy operation can write to any memory location specified by the attacker

  5. An attacker can control the from pointer to write to:

    • Kernel memory

    • Other processes' memory

    • System-critical memory regions

Impact

  1. This vulnerability has severe security implications:

    Kernel Memory Write: The most critical impact is the ability to write to kernel memory, which could lead to:

    • System crash

    • Data corruption

Other additional context

No response

x-codingman avatar May 20 '25 06:05 x-codingman