RT-Thread Memory Corruption Vulnerability in Device Driver Functions
Vulnerability
A critical memory corruption vulnerability has been identified in RT-Thread versions prior to 5.1.0. The issue lies in the device driver core functions 'sys_device_open', 'sys_device_read', 'sys_device_control', 'sys_device_init', 'sys_device_close', and 'sys_device_write', all located in 'components/drivers/core/device.c'. The root cause is insufficient validation of the device object's function pointers before they are invoked, which allows control flow to be hijacked and arbitrary code to be executed. The vulnerability is exploitable locally and can lead to elevated privileges and complete system compromise.
Impact
Exploitation of this vulnerability allows for arbitrary code execution in kernel space, with severe consequences such as privilege escalation and complete system compromise.
Reproduction
The vulnerability can be reproduced by calling the 'sys_device_open', 'sys_device_read', 'sys_device_control', 'sys_device_init', 'sys_device_close', or 'sys_device_write' system call with a device whose function pointer is not properly validated. Because the pointer is not checked before use, a corrupted value is followed as-is, leading to control flow hijacking and arbitrary code execution.
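As an added illustration (not RT-Thread's code and not the 5.1.0 fix), the following C snippet shows the defensive pattern the advisory implies: a device dispatch routine that validates both the object tag and the handler address before transferring control, so a NULL or overwritten function pointer is rejected rather than followed. The structure layout, the allow-list and the sample handlers are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical device descriptor modelled on an RT-Thread-style driver object:
 * a type tag plus per-operation function pointers (names are assumptions). */
#define DEV_MAGIC 0x44455631u
typedef int (*dev_op_t)(void *dev, int arg);
struct device { uint32_t magic; dev_op_t open; dev_op_t close; };
enum dev_opcode { DEV_OP_OPEN, DEV_OP_CLOSE };
enum { DEV_EINVAL = -1, DEV_EPERM = -2 };

/* Handlers the kernel registered itself (constructed sample driver). */
static int sample_open(void *dev, int arg)  { (void)dev; return arg; }
static int sample_close(void *dev, int arg) { (void)dev; (void)arg; return 0; }
/* Stands in for an overwritten field: an address the kernel never registered. */
static int unregistered_handler(void *dev, int arg) { (void)dev; return -arg; }

/* Allow-list of trusted handler addresses; a production kernel would instead
 * require fn to lie within the kernel/driver text range. */
static const dev_op_t trusted_ops[] = { sample_open, sample_close };

static int op_is_trusted(dev_op_t fn)
{
    for (size_t i = 0; fn != NULL && i < sizeof trusted_ops / sizeof trusted_ops[0]; i++)
        if (trusted_ops[i] == fn) return 1;
    return 0;
}

/* Hardened dispatch: validate the object tag and the selected handler before
 * transferring control; fail closed instead of calling an unverified pointer. */
int sys_device_call(struct device *dev, enum dev_opcode op, int arg)
{
    dev_op_t fn;
    if (dev == NULL || dev->magic != DEV_MAGIC) return DEV_EINVAL;
    switch (op) {
    case DEV_OP_OPEN:  fn = dev->open;  break;
    case DEV_OP_CLOSE: fn = dev->close; break;
    default:           return DEV_EINVAL;
    }
    if (!op_is_trusted(fn)) return DEV_EPERM;
    return fn(dev, arg);
}

/* Builds a device with the given tag and open handler, then dispatches open. */
int try_open(uint32_t magic, dev_op_t open, int arg)
{
    struct device dev = { magic, open, sample_close };
    return sys_device_call(&dev, DEV_OP_OPEN, arg);
}
```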
