RT-Thread Array Index Vulnerability in Signal Management System Call
Vulnerability
A critical vulnerability exists in RT-Thread version 5.1.0 within the `sys_thread_sigprocmask` function of the file `lwp_syscall.c`. The issue arises from inadequate validation of the `how` parameter, which is used as an array index. This lack of proper bounds checking can lead to out-of-bounds array access, potentially causing kernel crashes and unauthorized memory access.
Impact
Exploitation of this vulnerability can result in a kernel crash, creating a denial-of-service condition. Additionally, it could allow a compromised user thread to access kernel memory, leading to privilege escalation.
Reproduction
The vulnerability can be reproduced by manipulating the `how` parameter in the `sys_thread_sigprocmask` system call. The parameter is passed from user space to kernel space without validation, so a value outside the valid range indexes past the end of the `mask_command_u2k` array. This can be done by crafting a user thread that calls `sys_thread_sigprocmask` with an invalid `how` value that exceeds the array bounds.
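The pattern described above, as an added illustration that is not RT-Thread's own code: a small user-to-kernel command table in the spirit of `mask_command_u2k`, the unchecked lookup beside a hardened one that rejects any `how` outside the table (negative values included) before touching kernel state. The enum names, table values and the `sigprocmask_entry` wrapper are constructed for this example and are not RT-Thread identifiers.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed for this example: user-space "how" values and the kernel-side
 * commands they map to. The real RT-Thread table and values differ. */
enum user_how { U_SIG_BLOCK = 0, U_SIG_UNBLOCK = 1, U_SIG_SETMASK = 2 };
enum kern_how { K_SIG_BLOCK = 0x10, K_SIG_UNBLOCK = 0x11, K_SIG_SETMASK = 0x12 };

static const int mask_command_u2k[] = {
    [U_SIG_BLOCK]   = K_SIG_BLOCK,
    [U_SIG_UNBLOCK] = K_SIG_UNBLOCK,
    [U_SIG_SETMASK] = K_SIG_SETMASK,
};
#define MASK_COMMAND_COUNT \
    (sizeof(mask_command_u2k) / sizeof(mask_command_u2k[0]))

/* Vulnerable pattern: the index comes straight from user space.
 * Any value outside 0..2 (including negative ones) reads past the table. */
int translate_how_unchecked(int how)
{
    return mask_command_u2k[how];
}

/* Hardened pattern: bounds-check before indexing. Casting the signed
 * argument to size_t folds negative values into the "too large" case,
 * so a single comparison covers both directions. */
int translate_how_checked(int how)
{
    if ((size_t)how >= MASK_COMMAND_COUNT)
        return -EINVAL;
    return mask_command_u2k[how];
}

/* Hypothetical syscall-shaped entry point: validate first, and only then
 * modify the (constructed) blocked-signal mask. On a bad `how` the mask
 * is left untouched and -EINVAL is returned to the caller. */
int sigprocmask_entry(int how, unsigned long set, unsigned long *blocked)
{
    int kcmd = translate_how_checked(how);
    if (kcmd < 0)
        return kcmd;

    switch (kcmd) {
    case K_SIG_BLOCK:   *blocked |= set;  break;
    case K_SIG_UNBLOCK: *blocked &= ~set; break;
    case K_SIG_SETMASK: *blocked = set;   break;
    }
    return 0;
}

int main(void)
{
    unsigned long blocked = 0;
    int probes[] = { U_SIG_BLOCK, U_SIG_SETMASK, 3, -1, INT_MAX };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("how=%d -> %d\n", probes[i], translate_how_checked(probes[i]));
    printf("entry(1000) -> %d, mask=%lu\n",
           sigprocmask_entry(1000, 0xff, &blocked), blocked);
    return 0;
}
```

The check is placed at the syscall boundary, where the value first arrives from user space; a table lookup deeper in the kernel cannot know whether its index was already validated, so the entry point is the right place to refuse out-of-range commands.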
