Posted to commits@nuttx.apache.org by GitBox <gi...@apache.org> on 2021/04/05 16:55:43 UTC
[GitHub] [incubator-nuttx] v01d opened a new issue #3359: SIGNAL ACTION VULNERABILITY
v01d opened a new issue #3359:
URL: https://github.com/apache/incubator-nuttx/issues/3359
```
Description: When a signal action is performed, the user stack is used.
Unlike Linux, applications do not have separate user and
supervisor stacks; everything is done on the user stack.
In the implementation of up_sigdeliver(), a copy of the
register contents that will be restored is present on the
stack and could be modified by the user application. Thus,
if the user mucks with the return stack, problems could
occur when the user task returns to supervisor mode from
the signal handler.
A recent commit (3 Feb 2019) does protect the status register
and return address so that a malicious task cannot change the
return address or switch to supervisor mode. Other registers
are still modifiable so there is other possible mayhem that
could be done.
A better solution, in lieu of a kernel stack, would be to
eliminate the stack-based register save area altogether and,
instead, save the registers in another, dedicated state save
area in the TCB. The only hesitation to this option is that
it would significantly increase the size of the TCB structure
and, hence, the per-thread memory overhead.
Status: Open
Priority: Medium-ish if you are attempting to make a secure environment that
may host malicious code. Very low for the typical FLAT build,
however.
```
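As an added illustration that is not part of the issue text or of NuttX itself: a hypothetical C model of the two designs the issue contrasts, a register save area placed on the user stack versus one held in the TCB. A handler that overwrites everything on its own frame corrupts the context that gets restored only in the stack-based case. All type names, field names and sizes here are invented for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model, not NuttX code: a trimmed register context. */
typedef struct { uint32_t gpr[8]; uint32_t sr; uint32_t pc; } regs_t;

/* Thread control block: the dedicated save area the issue proposes lives
 * here; the user stack is a small array the task can write freely. */
typedef struct {
    regs_t   xcp_saved;        /* kernel-owned register save area */
    uint32_t ustack[32];       /* user stack, fully writable by the task */
    size_t   sp;               /* index of the next free stack slot */
} tcb_t;

typedef void (*handler_t)(int signo, uint32_t *frame, size_t nwords);

/* Stack-based delivery, as the issue describes: the context to be restored
 * is copied onto the user stack and read back from there afterwards. */
regs_t deliver_on_stack(tcb_t *t, regs_t live, int signo, handler_t h) {
    size_t nwords = sizeof(regs_t) / sizeof(uint32_t);
    uint32_t *frame = &t->ustack[t->sp];
    memcpy(frame, &live, sizeof live);          /* save area on user stack */
    t->sp += nwords;
    h(signo, frame, nwords);                    /* handler can reach the copy */
    t->sp -= nwords;
    regs_t restored;
    memcpy(&restored, frame, sizeof restored);  /* trusts user-writable memory */
    return restored;
}

/* TCB-based delivery: the context goes into the kernel-owned TCB area; the
 * handler sees only its arguments, and restore never reads the user stack. */
regs_t deliver_from_tcb(tcb_t *t, regs_t live, int signo, handler_t h) {
    t->xcp_saved = live;                        /* dedicated save area */
    uint32_t *frame = &t->ustack[t->sp];
    frame[0] = (uint32_t)signo;                 /* only handler arguments */
    t->sp += 1;
    h(signo, frame, 1);
    t->sp -= 1;
    return t->xcp_saved;                        /* untouched by the task */
}

/* A handler that overwrites every word of the frame it is given, standing in
 * for a buggy or misbehaving task that "mucks with the return stack". */
void scribbling_handler(int signo, uint32_t *frame, size_t nwords) {
    for (size_t i = 0; i < nwords; i++) frame[i] = 0xDEADBEEFu ^ (uint32_t)signo;
}

bool context_intact(regs_t a, regs_t b) { return memcmp(&a, &b, sizeof a) == 0; }
```

The per-thread cost the issue hesitates over is `sizeof(regs_t)` bytes added to every TCB; on a real port that is the full exception context, not this trimmed struct.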