-
Notifications
You must be signed in to change notification settings - Fork 6.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pend() assertion can allow user threads to crash the kernel #22999
Comments
@nordic-krch according to |
This assertion, if built in, allows users threads to crash the kernel in a critical section by passing a negative timeout value, creating a DoS attack vector. Remove this assertion, immediately below it there's a check which just resets it to 0 anyway. Fixes: zephyrproject-rtos#22999 Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
@andrewboie it's been discussed #19591 when conversion functions changed signing and was giving different results than before for negative numbers. Because of that behavior changed when negative number was provided. Assert was added to detect cases when negative number is used and fix them. We can remove assert but then we will not detect misuse and api states:
|
The override of an invalid timeout to a timeout with defined behavior is there specifically to avoid unspecified behavior (probably a sleep for a very long time) when assertions are disabled, and was added because doing runtime validation of the parameter was rejected during review as being too expensive. I'm ok with any of the proposed solutions. The one with least impact on existing behavior and code is deleting the assertion. I suspect the functional safety approved solution would be to validate the inputs at the system calls. |
This assertion, if built in, allows users threads to crash the kernel in a critical section by passing a negative timeout value, creating a DoS attack vector. Remove this assertion, immediately below it there's a check which just resets it to 0 anyway. Fixes: #22999 Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Describe the bug
There's an assertion deep in the kernel scheduling code which, when a thread is being pended on a wait queue, to raise an assertion of the timeout is negative and not equal to 0. For some reason, this is immediately followed by a runtime check to just set timeout to 0 if assertions aren't built in.
Unfortunately, this assertion is problematic, as any system call with a timeout parameter can cause the kernel to fail this assertion. A user thread can make a call like
k_sem_take(&sem, -2)
and cause a crash in kernel mode. This is particularly bad because callers ofpend()
are either holding some kind of spinlock or have locked interrupts; a kernel crash in a critical section is an unrecoverable condition.User threads making system calls are not allowed to ever cause the kernel to fail an assertion or otherwise trigger a kernel panic due to the risk of kernel corruption beyond the scope of the calling thread. Fatal errors in system calls are only permitted in a controlled fashion using Z_OOPS() in syscall verification functions.
I can conceive of three ways of addressing this:
To Reproduce
The text was updated successfully, but these errors were encountered: