RT-Thread Information Disclosure Vulnerability in System Call Parameter Handling
Vulnerability
An information disclosure vulnerability has been identified in RT-Thread versions through 5.1.0. The issue arises in the system call implementations within the file 'rt-thread/components/lwp/lwp_syscall.c'. Affected functions include 'sys_thread_create', 'sys_device_write', and several others related to synchronization, messaging, and timer management. The vulnerability stems from insufficient validation of pointer parameters, allowing a malicious user thread to manipulate arguments and access sensitive kernel memory, thereby leaking confidential information.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive kernel data, breaking user-kernel isolation and potentially allowing privilege escalation.
Reproduction
The vulnerability can be reproduced by crafting a user thread that passes unvalidated pointer arguments to the affected system calls. This can be done by manipulating the 'arg[0]' parameter in 'sys_thread_create' or similar parameters in other syscalls that handle kernel object and buffer pointers.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.