It was possible for an unprivileged task to invoke any function with
privilege by passing it as a parameter to MPU_xTaskCreate,
MPU_xTaskCreateStatic, MPU_xTimerCreate, MPU_xTimerCreateStatic, or
MPU_xTimerPendFunctionCall.
This commit ensures that MPU_xTaskCreate and MPU_xTaskCreateStatic can
only create unprivileged tasks. It also removes the following APIs:
1. MPU_xTimerCreate
2. MPU_xTimerCreateStatic
3. MPU_xTimerPendFunctionCall
We thank Huazhong University of Science and Technology for reporting
this issue.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
It was possible for a third party that had already independently gained
the ability to execute injected code to achieve further privilege
escalation by branching directly inside a FreeRTOS MPU API wrapper
function with a manually crafted stack frame. This commit removes the
local stack variable `xRunningPrivileged` so that a manually crafted
stack frame cannot be used for privilege escalation by branching
directly inside a FreeRTOS MPU API wrapper.
We thank Certibit Consulting, LLC, Huazhong University of Science and
Technology and the SecLab team at Northeastern University for reporting
this issue.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
ARMv7-M allows overlapping MPU regions. When 2 MPU regions overlap, the
MPU configuration of the higher numbered MPU region is applied. For
example, if a memory area is covered by 2 MPU regions 0 and 1, the
memory permissions for MPU region 1 are applied.
We use 5 MPU regions for kernel code and kernel data protections and
leave the remaining for the application writer. We were using lowest
numbered MPU regions (0-4) for kernel protections and leaving the
remaining for the application writer. The application writer could
configure those higher numbered MPU regions to override kernel
protections.
This commit changes the code to use highest numbered MPU regions for
kernel protections and leave the remaining for the application writer.
This ensures that the application writer cannot override kernel
protections.
We thank the SecLab team at Northeastern University for reporting this
issue.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
This allows the application write to set FREERTOS_CONFIG_FILE_DIRECTORY
to whichever directory the FreeRTOSConfig.h file exists in.
This was reported here - https://github.com/FreeRTOS/FreeRTOS-Kernel/issues/545
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
When the heap is exhausted (no free block), start and end markers are
the only blocks present in the free block list:
+---------------+ +-----------> NULL
| | |
| V |
+ ----- + + ----- +
| | | | | |
| | | | | |
+ ----- + + ----- +
xStart pxEnd
The code block which traverses the list of free blocks to calculate heap
stats used a do..while loop that moved past the end marker when the heap
had no free block resulting in a NULL pointer dereference. This commit
changes the do..while loop to while loop thereby ensuring that we never
move past the end marker.
This was reported here - https://github.com/FreeRTOS/FreeRTOS-Kernel/issues/534
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Add xPortRemoveInterruptHandler API
This API is added to the MicroBlazeV9 port. It enables the application
writer to remove an interrupt handler.
This was originally contributed in this PR - https://github.com/FreeRTOS/FreeRTOS-Kernel/pull/523
* Change API signature to return void
This makes the API similar to vPortDisableInterrupt.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gavin Lambert <uecasm@users.noreply.github.com>
* Clarify Cortex M7 r0p1 errata number in r0p1 specific port.
* Add ARM Cortex M7 r0p0 / r0p1 Errata 837070 workaround to CM4 MPU ports.
Optionally, enable the errata workaround by defining configTARGET_ARM_CM7_r0p0 or configTARGET_ARM_CM7_r0p1 in FreeRTOSConfig.h.
* Add r0p1 errata support to IAR port as well
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Change macro name to configENABLE_ERRATA_837070_WORKAROUND
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>
After the xEventGroupWaitBits in vProtLockInternalSpinUnlockWithWait there was an assertion about
pxYiledSpinLock being NULL, however when xEventGroupWaitBits returns, IRQs have been re-enabled
and so it is no longer safe to assert on the state which is protected by IRQs being disabled.
Co-authored-by: graham sanderson <graham.sanderson@raspeberryi.com>
* Let each stream/message can use its own sbSEND_COMPLETED
In FreeRTOS.h, set the default value of configUSE_SB_COMPLETED_CALLBACK
to zero, and add additional space for the function pointer when
the buffer created statically.
In stream_buffer.c, modify the macro of sbSEND_COMPLETED which let
the stream buffer to use its own implementation, and then add an
pointer to the stream buffer's structure, and modify the
implementation of the buffer creating and initializing
Co-authored-by: eddie9712 <qw1562435@gmail.com>
* Add supposrt for ARM CM55
* Fix file header
* Remove duplicate code
* Refactor portmacro.h
1. portmacro.h is re-factored into 2 parts - portmacrocommon.h which is
common to all ARMv8-M ports and portmacro.h which is different for
different compiler and architecture. This enables us to provide
Cortex-M55 ports without code duplication.
2. Update copy_files.py so that it copies Cortex-M55 ports correctly -
all files except portmacro.h are used from Cortex-M33 ports.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>
vApplicationMallocFailedHook was declared in each Heap file. which forces users to declare it and can cause problems if the prototype of the function changes.
Co-authored-by: Pierre-Noel Bouteville <pnb990@gmail.com>
This is needed to support the case when SysTick timer is not clocked
from the same source as CPU. This support already exists in other
Cortex-M ports.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Add a guard around mpu_wrappers.c
This avoid linker errors when this file is accidently compiled in
projects using non-MPU ports.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Fix formatting check
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Update the size calculations such that we only need to check for add
overflow only once. Also, change the way we detect add overflow so that
we do not need to cause an overflow to detect an overflow.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
We use the MSB of the size member of a BlockLink_t to track whether not
a block is allocated. Consequently, the size must not be so large that
the MSB is set. The check to see if the MSB in the size is set needs to
be done after the final size (metadata + alignment) is calculated.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Heap improvements
This commit makes the following improvements:
1. Add a check to heap_2 to track if a memory block is allocated to the
application or not. The MSB of the size field is used for this
purpose. The same check already exists in heap_4 and heap_5. This
check prevents against double free.
2. Add a new flag configHEAP_CLEAR_MEMORY_ON_FREE to heap_2, heap_4 and
heap_5. The application writer can set it to 1 in their
FreeRTOSConfig.h to ensure that a block of memory allocated using
pvPortMalloc is cleared (i.e. set to zero) when it is freed using
vPortFree. If left undefined, configHEAP_CLEAR_MEMORY_ON_FREE
defaults to 0 for backward compatibility. We recommend setting
configHEAP_CLEAR_MEMORY_ON_FREE to 1 for better security.
3. Add a new API pvPortCalloc to heap_2, heap_4 and heap_5. This API
has the following signature:
void * pvPortCalloc( size_t xNum, size_t xSize );
It allocates memory for an array of xNum objects each of which is of
xSize and initializes all bytes in the allocated storage to zero. If
allocation succeeds, it returns a pointer to the lowest byte in the
allocated memory block. On failure, it returns a null pointer.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Add support for 16 MPU regions to GCC Cortex-M33 TZ port
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Add support for 16 MPU regions to Cortex-M33 NTZ GCC port
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
The configuration was updated using
uncrustify -c .github/uncrustify.cfg -o .github/uncrustify.cfg --update-config-with-doc
to align with the actually used uncrustify version used, i.e., all
configuration is now explicitly set (and no longer implicit).
The files that are common to all ports ("portable/MemMang*" and
"portable/Common/mpu_wrappers.c" are now also autoformatted.
Co-authored-by: alfred gedeon <28123637+alfred2g@users.noreply.github.com>
* Add CMake build
Allows to build and link FreeRTOS using CMake build system.
From top-level project it looks like this:
set(FREERTOS_PORT_GCC_ARM_CM4F ON)
set(FREERTOS_CONFIG_FILE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR} CACHE STRING "")
add_subdirectory(third_party/FreeRTOS-Kernel)
Where FREERTOS_PORT_GCC_ARM_CM4F is FreeRTOS port name.
freertos is target name, which can be used in target_link_libraries()
* Add feature to set custom heap source file
Example how to set it from top-level project:
set(FREERTOS_HEAP ${CMAKE_CURRENT_LIST_DIR}/path_to/my_heap.c CACHE STRING "")
* Set cmake_minimum_required to 3.15
* Fail build when FREERTOS_CONFIG_FILE_DIRECTORY not set
* Rename library to freertos_kernel
* Rework FREERTOS_PORT option to act as combobox
* Use freertos_kernel_port cmake target
* Split port sources multiline
Co-authored-by: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com>
Co-authored-by: Paul Bartell <pbartell@amazon.com>
