79704b8213
It was possible for a third party that had already independently gained the ability to execute injected code to achieve further privilege escalation by branching directly inside a FreeRTOS MPU API wrapper function with a manually crafted stack frame. This commit removes the local stack variable `xRunningPrivileged` so that a manually crafted stack frame cannot be used for privilege escalation by branching directly inside a FreeRTOS MPU API wrapper. We thank Certibit Consulting, LLC, Huazhong University of Science and Technology and the SecLab team at Northeastern University for reporting this issue. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> |
||
|---|---|---|
| .. | ||
| 78K0R | ||
| ARM_CA5_No_GIC | ||
| ARM_CA9 | ||
| ARM_CM0 | ||
| ARM_CM3 | ||
| ARM_CM4F | ||
| ARM_CM4F_MPU | ||
| ARM_CM7 | ||
| ARM_CM23 | ||
| ARM_CM23_NTZ/non_secure | ||
| ARM_CM33 | ||
| ARM_CM33_NTZ/non_secure | ||
| ARM_CM55 | ||
| ARM_CM55_NTZ/non_secure | ||
| ARM_CM85 | ||
| ARM_CM85_NTZ/non_secure | ||
| ARM_CRx_No_GIC | ||
| ATMega323 | ||
| AtmelSAM7S64 | ||
| AtmelSAM9XE | ||
| AVR32_UC3 | ||
| AVR_AVRDx | ||
| AVR_Mega0 | ||
| LPC2000 | ||
| MSP430 | ||
| MSP430X | ||
| RISC-V | ||
| RL78 | ||
| RX100 | ||
| RX600 | ||
| RX700v3_DPFPU | ||
| RXv2 | ||
| STR71x | ||
| STR75x | ||
| STR91x | ||
| V850ES | ||