rt-thread icon indicating copy to clipboard operation
rt-thread copied to clipboard
verified publisher icon RT-Thread

[Bug] Control Flow Hijacking Issue in sys_device_control Operation in RT-Thread

Open x-codingman opened this issue 6 months ago • 0 comments

RT-Thread Version

5.1.0

Hardware Type/Architectures

N/A

Develop Toolchain

Other

Describe the bug

Control Flow Hijacking Vulnerability in sys_device_control Operation in RT-Thread

Summary

I have identified a critical vulnerability in the sys_device_control system call in RT-Thread. I am opening this issue for your review, as I could not find a reporting email in the security policy of this repository. This vulnerability stems from insufficient pointer validation and could allow an attacker to achieve arbitrary code execution through control flow hijacking. The issue is particularly severe as it could be exploited by a compromised user thread to gain elevated privileges.

Vulnerable Code Location

The vulnerability is present in the following files:

  1. components/drivers/core/device.c: Contains the vulnerable macro definition and implementation
  2. components/lwp/lwp_syscall.c: Contains the system call implementation

Vulnerability Description

The vulnerability exists in the device_control macro and its usage:

#define device_control  (dev->ops ? dev->ops->control : RT_NULL)

In lwp_syscall.c:

sysret_t sys_device_control(rt_device_t dev, int cmd, void *arg)
{
    return rt_device_control(dev, cmd, arg);
}

In rt_device_control:

rt_err_t rt_device_control(rt_device_t dev, int cmd, void *arg)
{
    /* parameter check */
    RT_ASSERT(dev != RT_NULL);
    RT_ASSERT(rt_object_get_type(&dev->parent) == RT_Object_Class_Device);

    /* call device_write interface */
    if (device_control != RT_NULL)
    {
        return device_control(dev, cmd, arg); //Vulnerability here
    }

    return -RT_ENOSYS;
}

The code only performs a NULL check on the function pointer but fails to verify whether the pointer points to valid memory or a valid function. This oversight can lead to control flow hijacking when the function pointer is called.

Impact

This vulnerability has severe security implications:

  1. Arbitrary Code Execution: An attacker could potentially corrupt the dev->ops->control function pointer to point to arbitrary memory locations, leading to arbitrary code execution.

  2. Privilege Escalation: Since this vulnerability exists in the kernel space, successful exploitation could lead to privilege escalation.

  3. System Compromise: The ability to execute arbitrary code in kernel space could lead to complete system compromise, including:

    • Bypassing security mechanisms
    • Accessing sensitive data
    • Installing persistent malware
    • Disabling security features

Mitigation

  1. Implement proper validation of function pointers before calling them
  2. Add additional checks to verify the integrity of the device structure
  3. Consider implementing Control Flow Integrity (CFI) mechanisms
  4. Add bounds checking for pointer dereferencing

References

  1. RT-Thread source code: components/drivers/core/device.c
  2. RT-Thread source code: components/lwp/lwp_syscall.c

Other additional context

No response

x-codingman avatar Jun 12 '25 04:06 x-codingman