VYPR
Unrated severity · NVD Advisory · Published Nov 17, 2021 · Updated Aug 4, 2024

CVE-2021-43997

Description

FreeRTOS MPU ports allow privilege escalation via unprivileged code calling internal functions or crafting stack frames; fixed in V10.5.0 and LTS Patch 3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

FreeRTOS versions 10.2.0 through 10.4.5 for ARMv7-M and ARMv8-M MPU ports (with configENABLE_MPU set to 1) allow non-kernel code to call the internal function xPortRaisePrivilege to raise privilege [3]. Additionally, versions up to 10.4.6 do not prevent a third party that has already gained code execution from escalating further by branching directly inside an MPU API wrapper function with a manually crafted stack frame [1][2]. Other issues include passing negative xIndex to pvTaskGetThreadLocalStoragePointer or vTaskSetThreadLocalStoragePointer for arbitrary read/write, and unprivileged tasks invoking any function with privilege via MPU_xTaskCreate, MPU_xTimerCreate, etc. [1]. The attack surface covers ARMv7-M MPU ports and ARMv8-M ports with MPU enabled [1][3].

Exploitation

An attacker must first have the ability to execute arbitrary code in an unprivileged context, for example via another vulnerability. No additional authentication or user interaction is required beyond that initial code execution. The attacker can then either directly call xPortRaisePrivilege (on versions before 10.4.6) or craft a stack frame to branch into an MPU API wrapper, bypassing privilege checks [1][2]. In the case of the pvTaskGetThreadLocalStoragePointer / vTaskSetThreadLocalStoragePointer flaw, a negative xIndex argument causes out-of-bounds access [1]. For MPU_xTaskCreate etc., the attacker passes a privileged function pointer as a parameter [1].
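An added illustration (not FreeRTOS source and not taken from the advisory) of why a signed index such as xIndex needs a lower-bound test as well as an upper-bound one. `demo_tcb`, `base_t`, `NUM_TLS_SLOTS` and all helper functions are hypothetical stand-ins, and the layout assumes `uintptr_t` and `void *` have the same size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for this sketch; these are not FreeRTOS definitions. */
typedef long base_t;                 /* signed index type, as xIndex is signed */
#define NUM_TLS_SLOTS 4

struct demo_tcb {
    uintptr_t kernel_field;          /* control data stored ahead of the array */
    void *tls[NUM_TLS_SLOTS];        /* per-task storage pointers */
};

/* Weak check: only the upper bound is tested, so every negative index passes. */
static int index_ok_weak(base_t idx) { return idx < NUM_TLS_SLOTS; }

/* Hardened check: both bounds are tested before the index is used. */
static int index_ok_strict(base_t idx) { return idx >= 0 && idx < NUM_TLS_SLOTS; }

/* Byte offset inside demo_tcb that tls[idx] would address (nothing is dereferenced). */
static ptrdiff_t slot_offset(base_t idx)
{
    return (ptrdiff_t)offsetof(struct demo_tcb, tls) + (ptrdiff_t)idx * (ptrdiff_t)sizeof(void *);
}

/* Setter using the strict check: 0 on success, -1 when the index is rejected. */
static int tls_set(struct demo_tcb *tcb, base_t idx, void *value)
{
    if (tcb == NULL || !index_ok_strict(idx))
        return -1;
    tcb->tls[idx] = value;
    return 0;
}

/* Getter using the strict check: NULL when the index is rejected. */
static void *tls_get(const struct demo_tcb *tcb, base_t idx)
{
    if (tcb == NULL || !index_ok_strict(idx))
        return NULL;
    return tcb->tls[idx];
}

int main(void)
{
    struct demo_tcb tcb = { 0xA5A5u, { 0 } };
    int marker = 7;
    printf("weak accepts -1: %d, strict accepts -1: %d\n", index_ok_weak(-1), index_ok_strict(-1));
    printf("tls[-1] would address struct offset %td\n", slot_offset(-1));
    printf("set(-1) -> %d, set(2) -> %d\n", tls_set(&tcb, -1, &marker), tls_set(&tcb, 2, &marker));
    return (tcb.kernel_field == 0xA5A5u && tls_get(&tcb, 2) == &marker) ? 0 : 1;
}
```

When reviewing code of this shape, check every comparison on a signed, caller-supplied index for the `>= 0` half, or confirm the parameter is unsigned end to end.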

Impact

Successful exploitation allows privilege escalation from an unprivileged task to privileged mode on the MPU-protected system. This can lead to arbitrary read/write of kernel memory, execution of privileged functions, and full compromise of the operating system kernel [1][2][3]. The attacker may also achieve further code execution and data exfiltration.

Mitigation

Fixed in FreeRTOS V10.5.0 (released November 2021) and V10.4.3-LTS Patch 3 (released September 2022) [1][2]. Users should update to these or later versions. For versions 10.4.6 and later, the configuration configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS can be set to 0 to disable critical sections from unprivileged tasks, reducing risk [3]. No other workarounds are available; upgrading is recommended.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
