rt-thread icon indicating copy to clipboard operation
rt-thread copied to clipboard
verified publisher icon RT-Thread

[Bug] Control Flow Hijacking Issue in sys_device_init Operation in RT-Thread

Open x-codingman opened this issue 6 months ago • 0 comments

RT-Thread Version

5.1.0

Hardware Type/Architectures

N/A

Develop Toolchain

Other

Describe the bug

Summary

I have identified a critical vulnerability in the sys_device_init system call in RT-Thread. I am opening this issue for your review, as I could not find a reporting email in the security policy of this repository. This vulnerability stems from insufficient pointer validation and could allow an attacker to achieve arbitrary code execution through control flow hijacking. The issue is particularly severe as it could be exploited by a compromised user thread to gain elevated privileges.

Vulnerable Code Location

The vulnerability is present in the following files:

  1. components/drivers/core/device.c: Contains the vulnerable macro definition and implementation
  2. components/lwp/lwp_syscall.c: Contains the system call implementation

Vulnerability Description

The vulnerability exists in the device_init macro and its usage:

#define device_init     (dev->ops ? dev->ops->init : RT_NULL)

In lwp_syscall.c:

sysret_t sys_device_init(rt_device_t dev)
{
    return rt_device_init(dev);
}

In rt_device_init:

if (device_init != RT_NULL)
{
    if (!(dev->flag & RT_DEVICE_FLAG_ACTIVATED))
    {
        result = device_init(dev);  // Vulnerable call
        if (result != RT_EOK)
        {
            LOG_E("To initialize device:%.*s failed. The error code is %d",
                  RT_NAME_MAX, dev->parent.name, result);
        }
        else
        {
            dev->flag |= RT_DEVICE_FLAG_ACTIVATED;
        }
    }
}

The code only performs a NULL check on the function pointer but fails to verify whether the pointer points to valid memory or a valid function. This oversight can lead to control flow hijacking when the function pointer is called.

Impact

This vulnerability has severe security implications:

  1. Arbitrary Code Execution: An attacker could potentially corrupt the dev->ops->init function pointer to point to arbitrary memory locations, leading to arbitrary code execution.

  2. Privilege Escalation: Since this vulnerability exists in the kernel space, successful exploitation could lead to privilege escalation.

  3. System Compromise: The ability to execute arbitrary code in kernel space could lead to complete system compromise.

Mitigation

  1. Implement proper validation of function pointers before calling them
  2. Add additional checks to verify the integrity of the device structure
  3. Consider implementing Control Flow Integrity (CFI) mechanisms
  4. Add bounds checking for pointer dereferencing

References

  1. RT-Thread source code: components/drivers/core/device.c
  2. RT-Thread source code: components/lwp/lwp_syscall.c

Other additional context

No response

x-codingman avatar Jun 12 '25 04:06 x-codingman