Dear MacTavish, I'm redirecting your question to the nuttx dev mailing list; the mailing list you used is for PMC purposes:
Dear NuttX Maintainers,

I hope you're doing well. I'm reaching out to gather your perspective on a hypothetical scenario concerning pointer-validation in NuttX's protect mode.

*Scenario Description (hypothetical):*

In protect mode, NuttX is designed to separate user-space and kernel-space. Suppose certain system calls did not perform full validation of user-space pointers or parameters. In that case, a crafted user-space application might supply an out-of-bounds address, potentially causing the kernel to access or modify unintended kernel-space memory regions.

For example:

1. NuttX is built with CONFIG_MM_KERNEL_HEAP and CONFIG_ARCH_PROTECTED enabled.
2. A user-space process invokes a system call, say foo(fd, user_buffer, length), where user_buffer lies just beyond the legitimate user-space region.
3. The kernel dereferences this pointer without rejecting it, thereby touching protected kernel data.

*Questions:* Do you consider this hypothetical lack of pointer-validation in protected mode to represent a meaningful security concern?

Thank you for any insights you can share. I appreciate your time and all your efforts in maintaining and improving NuttX.

Best regards,

MacTavish

On Thu, Jun 12, 2025 at 10:42 AM Soap MacTavish <m4ctav...@gmail.com> wrote:

> Dear NuttX Maintainers,
>
> I hope you're doing well. I'm reaching out to gather your perspective on a
> hypothetical scenario concerning pointer-validation in NuttX's protect mode.
>
> *Scenario Description (hypothetical):*
> In protect mode, NuttX is designed to separate user-space and
> kernel-space. Suppose certain system calls did not perform full validation
> of user-space pointers or parameters. In that case, a crafted user-space
> application might supply an out-of-bounds address, potentially causing the
> kernel to access or modify unintended kernel-space memory regions.
>
> For example:
>
> 1. NuttX is built with CONFIG_MM_KERNEL_HEAP and CONFIG_ARCH_PROTECTED
>    enabled.
> 2. A user-space process invokes a system call, say foo(fd, user_buffer,
>    length), where user_buffer lies just beyond the legitimate user-space
>    region.
> 3. The kernel dereferences this pointer without rejecting it, thereby
>    touching protected kernel data.
>
> *Questions:* Do you consider this hypothetical lack of
> pointer-validation in protected mode to represent a meaningful security
> concern?
>
> Thank you for any insights you can share. I appreciate your time and all
> your efforts in maintaining and improving NuttX.
>
> Best regards,
>
> MacTavish
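The check the scenario above says is missing, shown as an added example rather than code from NuttX or from the thread: a kernel-side range check for a user-supplied buffer that a syscall handler such as the hypothetical foo(fd, user_buffer, length) would run before touching the pointer. The region bounds USER_BASE/USER_END, the names user_range_ok and sys_foo, and the caller are all assumptions constructed for this example; the point it demonstrates is that the check must reject both a start address outside the user region and a length that would carry the range past its end, including a length large enough to wrap addr + len around zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Constructed user-space region for this example (not NuttX's real memory
 * map): user RAM is assumed to occupy the half-open interval
 * [USER_BASE, USER_END). */
#define USER_BASE ((uintptr_t)0x20020000u)
#define USER_END  ((uintptr_t)0x20040000u)

/* Return 1 if every byte of [addr, addr + len) lies inside the user region,
 * otherwise 0. The end-of-range test compares len against the bytes that
 * remain between addr and USER_END instead of computing addr + len, so an
 * oversized len cannot wrap around and slip past the check. */
int user_range_ok(uintptr_t addr, size_t len)
{
  if (addr < USER_BASE || addr >= USER_END)
    {
      return 0;                        /* start is not in user space */
    }

  if (len > USER_END - addr)
    {
      return 0;                        /* range runs past the user region */
    }

  return 1;
}

/* Hypothetical syscall handler foo(fd, user_buffer, length) with the
 * validation applied: the buffer is rejected with -EFAULT before the kernel
 * reads or writes through it. The body that would use the buffer is elided. */
int sys_foo(int fd, const void *user_buffer, size_t length)
{
  (void)fd;

  if (!user_range_ok((uintptr_t)user_buffer, length))
    {
      return -EFAULT;
    }

  /* Safe to copy from user_buffer here. */
  return 0;
}

int main(void)
{
  /* Constructed call sites: one valid buffer, one that begins just beyond
   * the user region as in the scenario's step 2. */
  printf("in-range buffer:  %d\n", sys_foo(3, (const void *)USER_BASE, 64));
  printf("beyond user end:  %d\n", sys_foo(3, (const void *)USER_END, 64));
  return 0;
}
```

The same shape of check applies to every syscall argument that names user memory, and the length test is the part most often forgotten: a start address inside the region with a length that reaches into kernel data is exactly the case described in the scenario.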