rt-thread icon indicating copy to clipboard operation
rt-thread copied to clipboard
verified publisher icon RT-Thread

[Bug] Control Flow Hijacking Issue in sys_device_write Operation in RT-Thread

Open x-codingman opened this issue 6 months ago • 0 comments

RT-Thread Version

5.1.0

Hardware Type/Architectures

N/A

Develop Toolchain

Other

Describe the bug

Summary

I have identified a critical vulnerability in the sys_device_write system call in RT-Thread. I am opening this issue for your review, as I could not find a reporting email in the security policy of this repository. This vulnerability stems from insufficient pointer validation and could allow an attacker to achieve arbitrary code execution through control flow hijacking. The issue is particularly severe as it could be exploited by a compromised user thread to gain elevated privileges.

Vulnerable Code Location

The vulnerability is present in the following files:

  1. components/drivers/core/device.c: Contains the vulnerable macro definition and implementation
  2. components/lwp/lwp_syscall.c: Contains the system call implementation

Vulnerability Description

The vulnerability exists in the device_write macro and its usage:

#define device_write    (dev->ops ? dev->ops->write : RT_NULL)

In lwp_syscall.c:

rt_ssize_t sys_device_write(rt_device_t dev, rt_off_t pos, const void *buffer, rt_size_t size)
{
    return rt_device_write(dev, pos, buffer, size);
}

In rt_device_write:

rt_ssize_t rt_device_write(rt_device_t dev,
                          rt_off_t    pos,
                          const void *buffer,
                          rt_size_t   size)
{
    /* parameter check */
    RT_ASSERT(dev != RT_NULL);
    RT_ASSERT(rt_object_get_type(&dev->parent) == RT_Object_Class_Device);

    if (dev->ref_count == 0)
    {
        rt_set_errno(-RT_ERROR);
        return 0;
    }

    /* call device_write interface */
    if (device_write != RT_NULL)
    {
        return device_write(dev, pos, buffer, size); //Vulnerability here
    }

    /* set error code */
    rt_set_errno(-RT_ENOSYS);

    return 0;
}

The code only performs a NULL check on the function pointer but fails to verify whether the pointer points to valid memory or a valid function. This oversight can lead to control flow hijacking when the function pointer is called.

Impact

This vulnerability has severe security implications:

  1. Arbitrary Code Execution: An attacker could potentially corrupt the dev->ops->write function pointer to point to arbitrary memory locations, leading to arbitrary code execution.

  2. Privilege Escalation: Since this vulnerability exists in the kernel space, successful exploitation could lead to privilege escalation.

  3. System Compromise: The ability to execute arbitrary code in kernel space could lead to complete system compromise, including:

    • Bypassing security mechanisms
    • Accessing sensitive data
    • Installing persistent malware
    • Disabling security features

Mitigation

  1. Implement proper validation of function pointers before calling them
  2. Add additional checks to verify the integrity of the device structure
  3. Consider implementing Control Flow Integrity (CFI) mechanisms
  4. Add bounds checking for pointer dereferencing

References

  1. RT-Thread source code: components/drivers/core/device.c
  2. RT-Thread source code: components/lwp/lwp_syscall.c

Other additional context

No response

x-codingman avatar Jun 12 '25 04:06 x-codingman