Remove local stack variable form MPU wrappers

It was possible for a third party that had already independently gained
the ability to execute injected code to achieve further privilege
escalation by branching directly inside a FreeRTOS MPU API wrapper
function with a manually crafted stack frame. This commit removes the
local stack variable `xRunningPrivileged` so that a manually crafted
stack frame cannot be used for privilege escalation by branching
directly inside a FreeRTOS MPU API wrapper.

We thank Certibit Consulting, LLC, Huazhong University of Science and
Technology and the SecLab team at Northeastern University for reporting
this issue.

Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>

Author: aggarg

.github/lexicon.txt

@@ -2533,7 +2533,6 @@ vportgetheapstats
 vportinitialiseblocks
 vportisrstartfirststask
 vportraisebasepri
-vportresetprivilege
 vportsetmpuregistersetone
 vportsetuptimerinterrupt
 vportstartfirststask
@@ -2852,7 +2851,6 @@ xperiod
 xportgetcoreid
 xportgetfreeheapsize
 xportinstallinterrupthandler
-xportraiseprivilege
 xportregistercinterrupthandler
 xportregisterdump
 xportstartfirsttask

include/mpu_wrappers.h

@@ -170,36 +170,6 @@
         #define PRIVILEGED_DATA         __attribute__( ( section( "privileged_data" ) ) )
         #define FREERTOS_SYSTEM_CALL    __attribute__( ( section( "freertos_system_calls" ) ) )
 
-        /**
-         * @brief Calls the port specific code to raise the privilege.
-         *
-         * Sets xRunningPrivileged to pdFALSE if privilege was raised, else sets
-         * it to pdTRUE.
-         */
-        #define xPortRaisePrivilege( xRunningPrivileged )                      \
-        {                                                                      \
-            /* Check whether the processor is already privileged. */           \
-            xRunningPrivileged = portIS_PRIVILEGED();                          \
-                                                                               \
-            /* If the processor is not already privileged, raise privilege. */ \
-            if( xRunningPrivileged == pdFALSE )                                \
-            {                                                                  \
-                portRAISE_PRIVILEGE();                                         \
-            }                                                                  \
-        }
-
-        /**
-         * @brief If xRunningPrivileged is not pdTRUE, calls the port specific
-         * code to reset the privilege, otherwise does nothing.
-         */
-        #define vPortResetPrivilege( xRunningPrivileged )   \
-        {                                                   \
-            if( xRunningPrivileged == pdFALSE )             \
-            {                                               \
-                portRESET_PRIVILEGE();                      \
-            }                                               \
-        }
-
     #endif /* MPU_WRAPPERS_INCLUDED_FROM_API_FILE */
 
 #else /* portUSING_MPU_WRAPPERS */