I was looking at the default MPU configuration for ARM Cortex M-4 microcontrollers in FreeRTOS, I have the following questions regarding it:
It seems that the configuration for the priviliged data is (rwx for priviliged only) and the user stack is (rwx). This means that malicous code injection is possible, I am wondering what is the reason behind this configuration?(why is write XOR execute not enforced)
Are you referring to the fact that portMPUREGIONPRIVILEGEDREADWRITE
sets the AP field of the MPU_RASR register to 1, but leaves XN at 0?
It is feasible that a legitimate program would want to copy executable
code to, and then execute that code from, the privileged RAM. As an
example, that would be necessary if the application was re-programming
the flash memory, making execution from flash temporarily impossible.
An unprivileged application could not write executable code to the
privileged RAM though (I'm not sure if unprivileged code could execute
code from privileged RAM it didn't have read access to though, I would
have to check the documentation).
I know from ARM's documents to execute code read access is required, so unprivileged code will not be able to execute code from privileged RAM. However, it looks like for the default configuration an unprivileged thread is able to write code to unprivileged RAM and then execute it. Is there anything preventing this?
I think unprivileged code would expect to be able to write and execute from unprivileged RAM, doing so would not give it the ability to do anything more than it could do already. It could not make itself privileged by doing that.