Remove local stack variable form MPU wrappers

It was possible for a third party that had already independently gained the ability to execute injected code to achieve further privilege escalation by branching directly inside a FreeRTOS MPU API wrapper function with a manually crafted stack frame. This commit removes the local stack variable `xRunningPrivileged` so that a manually crafted stack frame cannot be used for privilege escalation by branching directly inside a FreeRTOS MPU API wrapper. We thank Certibit Consulting, LLC, Huazhong University of Science and Technology and the SecLab team at Northeastern University for reporting this issue. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Erlkoenig90 · Sep 16, 2022 · 79704b8 · 79704b8
1 parent c2d616e
commit 79704b8
Show file tree

Hide file tree

Showing 7 changed files with 1,693 additions and 490 deletions.
diff --git a/.github/lexicon.txt b/.github/lexicon.txt
@@ -2547,7 +2547,6 @@ vportgetheapstats
 vportinitialiseblocks
 vportisrstartfirststask
 vportraisebasepri
-vportresetprivilege
 vportsetmpuregistersetone
 vportsetuptimerinterrupt
 vportstartfirststask
@@ -2872,7 +2871,6 @@ xperiod
 xportgetcoreid
 xportgetfreeheapsize
 xportinstallinterrupthandler
-xportraiseprivilege
 xportregistercinterrupthandler
 xportregisterdump
 xportstartfirsttask

diff --git a/include/mpu_wrappers.h b/include/mpu_wrappers.h
@@ -173,36 +173,6 @@
         #define PRIVILEGED_DATA         __attribute__( ( section( "privileged_data" ) ) )
         #define FREERTOS_SYSTEM_CALL    __attribute__( ( section( "freertos_system_calls" ) ) )
 
-/**
- * @brief Calls the port specific code to raise the privilege.
- *
- * Sets xRunningPrivileged to pdFALSE if privilege was raised, else sets
- * it to pdTRUE.
- */
-        #define xPortRaisePrivilege( xRunningPrivileged )                  \
-    {                                                                      \
-        /* Check whether the processor is already privileged. */           \
-        ( xRunningPrivileged ) = portIS_PRIVILEGED();                      \
-                                                                           \
-        /* If the processor is not already privileged, raise privilege. */ \
-        if( ( xRunningPrivileged ) == pdFALSE )                            \
-        {                                                                  \
-            portRAISE_PRIVILEGE();                                         \
-        }                                                                  \
-    }
-
-/**
- * @brief If xRunningPrivileged is not pdTRUE, calls the port specific
- * code to reset the privilege, otherwise does nothing.
- */
-        #define vPortResetPrivilege( xRunningPrivileged ) \
-    {                                                     \
-        if( ( xRunningPrivileged ) == pdFALSE )           \
-        {                                                 \
-            portRESET_PRIVILEGE();                        \
-        }                                                 \
-    }
-
     #endif /* MPU_WRAPPERS_INCLUDED_FROM_API_FILE */
 
 #else /* portUSING_MPU_WRAPPERS */