This is not just restricted to pointers but applies to any data type that requires memory accesses. For example: anything passed by reference, structures passed by value, data allocated in user space.
References:
https://github.com/apache/nuttx/issues/1329
https://github.com/apache/nuttx/issues/1266

________________________________
From: Alan C. Assis <acas...@gmail.com>
Sent: Thursday, June 12, 2025 7:50 AM
To: dev <dev@nuttx.apache.org>
Cc: MacTavish <m4ctav...@gmail.com>
Subject: Re: Inquiry About Hypothetical Pointer-Validation in NuttX Protect Mode

Dear MacTavish,

I'm redirecting your question to the nuttx dev mailing list; the mailing list you used is for PMC use:

Dear NuttX Maintainers,

I hope you're doing well. I'm reaching out to gather your perspective on a hypothetical scenario concerning pointer-validation in NuttX's protect mode.

*Scenario Description (hypothetical):*
In protect mode, NuttX is designed to separate user-space and kernel-space. Suppose certain system calls did not perform full validation of user-space pointers or parameters. In that case, a crafted user-space application might supply an out-of-bounds address, potentially causing the kernel to access or modify unintended kernel-space memory regions.

For example:

1. NuttX is built with CONFIG_MM_KERNEL_HEAP and CONFIG_ARCH_PROTECTED enabled.
2. A user-space process invokes a system call—say, foo(fd, user_buffer, length)—where user_buffer lies just beyond the legitimate user-space region.
3. The kernel dereferences this pointer without rejecting it, thereby touching protected kernel data.

*Questions:* Do you consider this hypothetical lack of pointer-validation in protected mode to represent a meaningful security concern?

Thank you for any insights you can share. I appreciate your time and all your efforts in maintaining and improving NuttX.

Best regards,

MacTavish

On Thu, Jun 12, 2025 at 10:42 AM Soap MacTavish <m4ctav...@gmail.com> wrote:
> Dear NuttX Maintainers,
>
> I hope you're doing well. I'm reaching out to gather your perspective on a
> hypothetical scenario concerning pointer-validation in NuttX's protect mode.
>
> *Scenario Description (hypothetical):*
> In protect mode, NuttX is designed to separate user-space and
> kernel-space. Suppose certain system calls did not perform full validation
> of user-space pointers or parameters. In that case, a crafted user-space
> application might supply an out-of-bounds address, potentially causing the
> kernel to access or modify unintended kernel-space memory regions.
>
> For example:
>
> 1. NuttX is built with CONFIG_MM_KERNEL_HEAP and CONFIG_ARCH_PROTECTED
> enabled.
> 2. A user-space process invokes a system call—say, foo(fd, user_buffer,
> length)—where user_buffer lies just beyond the legitimate user-space
> region.
> 3. The kernel dereferences this pointer without rejecting it, thereby
> touching protected kernel data.
>
> *Questions:* Do you consider this hypothetical lack of
> pointer-validation in protected mode to represent a meaningful security
> concern?
>
> Thank you for any insights you can share. I appreciate your time and all
> your efforts in maintaining and improving NuttX.
>
> Best regards,
>
> MacTavish
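The check the thread is discussing, as an added example that is not NuttX code and not from any participant in this thread. It models steps 2 and 3 of the scenario (a buffer that starts just inside user space and runs past its end) and the reply's point that the same validation is needed for an argument block passed by reference. Memory is a simulated flat array so the program runs hosted; the region bounds, the sys_foo/sys_bar names, the foo_args struct and the memset payload are assumptions for illustration only, not NuttX's layout or API.

```c
/*
 * Added example (not NuttX code): toy model of a protected-mode syscall that
 * receives a user buffer. Addresses are offsets into a simulated flat memory
 * so this runs hosted; USER_BASE/USER_END, the sys_* names and foo_args are
 * assumptions for illustration only.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE   0x2000u
#define USER_BASE  0x1000u      /* assumed start of the user region          */
#define USER_END   0x1800u      /* assumed end of the user region, exclusive */
#define KERNEL_LO  USER_END     /* kernel data begins right after user space */

static uint8_t mem[MEM_SIZE];   /* simulated physical memory                 */

/* The check every syscall taking (addr, len) must make. len is compared
 * against the space left below USER_END, never against addr + len, so a
 * huge len cannot wrap the arithmetic and pass. */
bool user_range_ok(uintptr_t addr, size_t len)
{
    if (addr < USER_BASE || addr > USER_END) {
        return false;
    }
    return len <= (size_t)(USER_END - addr);
}

/* Unvalidated handler: trusts the caller's pointer and fills the buffer, so a
 * buffer straddling USER_END writes into kernel data (the mail's step 3). */
int sys_foo_unchecked(uintptr_t user_buffer, size_t length)
{
    if (user_buffer > MEM_SIZE || length > MEM_SIZE - user_buffer) {
        return -EINVAL;         /* only keeps the toy itself inside mem[] */
    }
    memset(&mem[user_buffer], 0xAA, length);
    return (int)length;
}

/* Hardened handler: reject anything not wholly inside the user region. */
int sys_foo_checked(uintptr_t user_buffer, size_t length)
{
    if (!user_range_ok(user_buffer, length)) {
        return -EFAULT;
    }
    memset(&mem[user_buffer], 0xAA, length);
    return (int)length;
}

/* An argument block passed by reference carries its own pointer and length:
 * validate the block's address, copy it into kernel memory first (so user
 * space cannot change it after the check), then validate the embedded
 * pointer with the same rule. */
struct foo_args {
    uintptr_t buf;
    size_t    len;
};

int sys_bar_checked(uintptr_t user_args)
{
    struct foo_args kargs;      /* kernel-side copy of the argument block */

    if (!user_range_ok(user_args, sizeof(kargs))) {
        return -EFAULT;
    }
    memcpy(&kargs, &mem[user_args], sizeof(kargs));
    return sys_foo_checked(kargs.buf, kargs.len);
}

/* Demonstration helpers. */
void reset_memory(void)
{
    memset(mem, 0, sizeof(mem));
}

/* True if any byte of the simulated kernel region was modified. */
bool kernel_data_touched(void)
{
    for (size_t i = KERNEL_LO; i < MEM_SIZE; i++) {
        if (mem[i] != 0) {
            return true;
        }
    }
    return false;
}

/* What the user program does before the call: place a foo_args block in its
 * own memory at `at`. */
void write_user_args(uintptr_t at, uintptr_t buf, size_t len)
{
    struct foo_args a = { buf, len };
    memcpy(&mem[at], &a, sizeof(a));
}
```

With these bounds, a 16-byte buffer at USER_END - 8 reaches the unchecked handler and the last 8 bytes land in kernel data; the checked handler returns -EFAULT and leaves it untouched, and the same result follows when that pointer arrives inside a foo_args block rather than as a direct argument.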