| Kura | RT-Thread 5.1.0 Code Injection |
|---|
| Gaskiya | # Control Flow Hijacking Vulnerability in sys_device_open Syscall in RT-Thread
## Summary
I have identified a critical vulnerability in the `sys_device_open` system call in RT-Thread. This vulnerability stems from insufficient pointer validation and could allow an attacker to achieve arbitrary code execution through control flow hijacking. The issue is particularly severe as it could be exploited by a compromised user thread to gain elevated privileges.
## Vulnerable Code Location
The vulnerability is present in the following files:
1. `components/drivers/core/device.c`: Contains the vulnerable macro definition and implementation
2. `components/lwp/lwp_syscall.c`: Contains the system call implementation
## Vulnerability Description
The vulnerability exists in the `device_open` macro and its usage:
```c
#define device_open (dev->ops ? dev->ops->open : RT_NULL)
```
In `lwp_syscall.c`:
```c
sysret_t sys_device_open(rt_device_t dev, rt_uint16_t oflag)
{
return rt_device_open(dev, oflag);
}
```
In `rt_device_open`:
```c
//Omitted code
if (!(dev->open_flag & RT_DEVICE_OFLAG_OPEN) ||
((dev->open_flag & RT_DEVICE_OFLAG_MASK) != ((oflag & RT_DEVICE_OFLAG_MASK) | RT_DEVICE_OFLAG_OPEN)))
{
if (device_open != RT_NULL)
{
result = device_open(dev, oflag); // Vulnerability here
}
else
{
/* set open flag */
dev->open_flag = (oflag & RT_DEVICE_OFLAG_MASK);
}
}
//Omitted code
```
The code only performs a NULL check on the function pointer but fails to verify whether the pointer points to valid memory or a valid function. This oversight can lead to control flow hijacking when the function pointer is called.
## Impact
This vulnerability has severe security implications:
1. **Arbitrary Code Execution**: An attacker could potentially corrupt the `dev->ops->open` function pointer to point to arbitrary memory locations, leading to arbitrary code execution.
2. **Privilege Escalation**: Since this vulnerability exists in the kernel space, successful exploitation could lead to privilege escalation.
3. **System Compromise**: The ability to execute arbitrary code in kernel space could lead to complete system compromise.
## Mitigation
1. Implement proper validation of function pointers before calling them
2. Add additional checks to verify the integrity of the device structure
3. Consider implementing Control Flow Integrity (CFI) mechanisms
4. Add bounds checking for pointer dereferencing
## References
1. RT-Thread source code: `components/drivers/core/device.c`
2. RT-Thread source code: `components/lwp/lwp_syscall.c`
3. https://github.com/RT-Thread/rt-thread
|
|---|
| Màdùmga | Zephyr Saxon (UID 80853) |
|---|
| Furta | 06/12/2025 05:48 (8 Wurɗi 전) |
|---|
| Gargajiya | 06/26/2025 09:11 (14 days later) |
|---|
| Halitta | Shingilam |
|---|
| VulDB gite | 313959 [RT-Thread har 5.1.0 device.c Pufferüberlauf] |
|---|
| Nganji | 17 |
|---|