
[Bug] Insufficient parameter validation in the syscall implementation in RT-Thread Smart #9877

@x-codingman

Description


RT-Thread Version

v5.1.0

Hardware Type/Architectures

None

Develop Toolchain

GCC

Describe the bug

Basic Information

I am reporting a potential vulnerability that has been identified in the latest version of RT-Thread (i.e., v5.1.0). I am opening this issue for your review, as I could not find a reporting email in the security policy of this repository. Kindly let me know if you intend to request a CVE ID upon confirmation of the vulnerability. I am more than happy to provide additional details or clarification if needed.

Summary

A critical information leak vulnerability (CWE-200) has been identified in the RT-Thread system call implementations. This vulnerability allows an attacker to read sensitive memory data through an unvalidated char pointer.

Details

Vulnerable Code Location

The vulnerability resides in the rt-thread/components/lwp/lwp_syscall.c file.

rt_thread_t sys_thread_create(void *arg[])
{
    void *user_stack = 0;
    struct rt_lwp *lwp = 0;
    rt_thread_t thread = RT_NULL;
    int tid = 0;

    lwp = rt_thread_self()->lwp;
    lwp_ref_inc(lwp);
#ifdef ARCH_MM_MMU
    /* arg[3]: requested user stack size, mapped into the caller's lwp */
    user_stack = lwp_map_user(lwp, 0, (size_t)arg[3], 0);
    if (!user_stack)
    {
        goto fail;
    }
    if ((tid = lwp_tid_get()) == 0)
    {
        goto fail;
    }
    /* rt_thread_create(name, entry, parameter, stack_size, priority, tick) */
    thread = rt_thread_create((const char *)arg[0], // VUL: arg[0] (i.e., char * name) is not validated.
            _crt_thread_entry,
            (void *)arg[2],                    /* parameter passed to the user entry */
            ALLOC_KERNEL_STACK_SIZE,
            (rt_uint8_t)(size_t)arg[4],        /* priority */
            (rt_uint32_t)(rt_size_t)arg[5]);   /* time slice (tick) */
    if (!thread)
    {
        goto fail;
    }

    //omitted code
}

Vulnerability Description

When RT-Thread Smart is enabled, user and kernel address spaces are isolated. However, arg[0], the char * name argument, is passed to rt_thread_create() without being checked against the user address range. A malicious user thread can therefore pass a pointer into kernel memory as the thread name; the kernel then reads from that address on the caller's behalf, potentially exposing sensitive data.

Impact

This vulnerability results in an information leak, which could allow unauthorized access to sensitive kernel data.

Other additional context

No response
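The pattern described in the issue, as an added example that is not RT-Thread code: a small simulated kernel in which a syscall copies a caller-supplied name into a thread object, first without checking the pointer (the shape of the reported bug) and then with a user-range check plus a copy into a kernel-owned buffer. The user/kernel split, the `user_accessible` helper, the `NAME_MAX` of 8 (mirroring the default `RT_NAME_MAX`) and the `kernel_secret` contents are all constructed for the example.

```c
/* Added example, not RT-Thread code. Models an unvalidated user pointer
 * being consumed by a kernel-side bounded string copy, and the fix. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 8                 /* assumption: mirrors default RT_NAME_MAX */

/* Simulated memory: "kernel" data the caller must never read, and a
 * "user" region the caller legitimately owns. Constructed for the demo. */
static char kernel_secret[32] = "SECRETKEY-0123456789abcdef";
static char user_region[64];

struct sim_thread { char name[NAME_MAX]; };

/* Hypothetical user-accessibility check (stands in for whatever range
 * check the real kernel applies): the whole [p, p+len) range must lie
 * inside the user region, so kernel addresses are rejected. */
static int user_accessible(const void *p, size_t len)
{
    uintptr_t lo = (uintptr_t)user_region;
    uintptr_t hi = lo + sizeof user_region;
    uintptr_t a  = (uintptr_t)p;
    return a >= lo && a < hi && len <= hi - a;
}

/* Vulnerable shape: the name pointer is dereferenced as given, so the
 * kernel reads NAME_MAX bytes from wherever the caller pointed it. */
static int sys_thread_create_unchecked(struct sim_thread *t, const char *name)
{
    strncpy(t->name, name, NAME_MAX);
    return 0;
}

/* Hardened shape: validate the range, copy into a kernel-owned buffer,
 * terminate it, and only then store it in the kernel object. */
static int sys_thread_create_checked(struct sim_thread *t, const char *uname)
{
    char kname[NAME_MAX];
    if (!user_accessible(uname, NAME_MAX))
        return -1;                        /* EFAULT-style rejection */
    memcpy(kname, uname, NAME_MAX);
    kname[NAME_MAX - 1] = '\0';
    memcpy(t->name, kname, NAME_MAX);
    return 0;
}

/* Attacker's view: pass a kernel address as arg[0]; the thread name,
 * which user code can read back through ordinary thread-info queries,
 * now holds the first NAME_MAX bytes of kernel memory. Returns 1 on leak. */
int leak_demo(void)
{
    struct sim_thread t = {{0}};
    sys_thread_create_unchecked(&t, kernel_secret);   /* crafted arg[0] */
    return memcmp(t.name, kernel_secret, NAME_MAX) == 0;
}

/* Same attack against the checked syscall must fail, while a legitimate
 * user-space name must still be accepted. Returns 1 when both hold. */
int hardened_demo(void)
{
    struct sim_thread t = {{0}};
    int rc_kernel = sys_thread_create_checked(&t, kernel_secret);
    strcpy(user_region, "worker");
    int rc_user = sys_thread_create_checked(&t, user_region);
    return rc_kernel == -1 && rc_user == 0 && strcmp(t.name, "worker") == 0;
}

int main(void)
{
    printf("unchecked syscall leaks kernel bytes: %s\n", leak_demo() ? "yes" : "no");
    printf("checked syscall blocks kernel pointer: %s\n", hardened_demo() ? "yes" : "no");
    return 0;
}
```

Note the order in the hardened version: the range check covers the full NAME_MAX bytes the copy will touch, not just the first byte, and the copy lands in a kernel buffer before anything else looks at it, so a concurrently running user thread cannot change the bytes between check and use.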
