Functions like syscall_log(), syscall_open_ta_session(), syscall_get_property(), etc. can be used to poison kernel heap memory. Data copied from userland into a kernel heap block is not scrubbed when the syscall returns. For example, through syscall_log() a trusted application can copy arbitrary data of variable length into kernel heap memory. When free() is then called, the block is returned to the memory pool still tainted with that userland data, and a later kernel allocation receives a block whose contents are attacker-controlled.
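The residue described above, as an added example written for this page (it is not OP-TEE code and does not reproduce the real fix in commit 70b6131; OP-TEE's actual heap and syscall handlers are more involved). A single-block pool stands in for the kernel heap, `handle_log_unscrubbed()` models the vulnerable pattern (copy user data in, free without clearing), `handle_log_scrubbed()` models the patched behaviour, and `residue_after()` counts how many bytes of the userland payload the next allocation still sees. All names, the pool, and the payload are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical single-block pool standing in for the kernel heap.
 * pool_alloc() hands out the block as-is, exactly like a real allocator
 * that does not clear memory on allocation. */
#define POOL_SIZE 64
static uint8_t pool[POOL_SIZE];
static int pool_in_use;

static void *pool_alloc(size_t n)
{
    if (pool_in_use || n > POOL_SIZE)
        return NULL;
    pool_in_use = 1;
    return pool;            /* contents are whatever the last user left */
}

static void pool_free(void *p)
{
    if (p == pool)
        pool_in_use = 0;    /* no clearing: the bug being modelled */
}

/* Scrub through a volatile pointer so the compiler cannot elide the
 * stores as "dead" just because the block is freed right afterwards. */
static void scrub(void *p, size_t n)
{
    volatile uint8_t *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Vulnerable pattern: user-controlled bytes are copied into a kernel
 * heap block (memcpy stands in for copy-from-user) and freed untouched. */
static int handle_log_unscrubbed(const uint8_t *user_buf, size_t len)
{
    uint8_t *kbuf = pool_alloc(len);
    if (!kbuf)
        return -1;
    memcpy(kbuf, user_buf, len);
    pool_free(kbuf);
    return 0;
}

/* Hardened pattern: same copy, but the block is scrubbed before free(). */
static int handle_log_scrubbed(const uint8_t *user_buf, size_t len)
{
    uint8_t *kbuf = pool_alloc(len);
    if (!kbuf)
        return -1;
    memcpy(kbuf, user_buf, len);
    scrub(kbuf, len);
    pool_free(kbuf);
    return 0;
}

/* Run a handler on a clean pool, then take the next allocation as a
 * later kernel user would and count bytes that still equal the payload.
 * Returns the number of leaked bytes, or (size_t)-1 on handler failure. */
static size_t residue_after(int (*handler)(const uint8_t *, size_t),
                            const uint8_t *payload, size_t len)
{
    memset(pool, 0, sizeof(pool));
    pool_in_use = 0;
    if (handler(payload, len) != 0)
        return (size_t)-1;

    uint8_t *next = pool_alloc(len);    /* unrelated later allocation */
    size_t matches = 0;
    for (size_t i = 0; i < len; i++)
        if (next[i] == payload[i])
            matches++;
    pool_free(next);
    return matches;
}

/* Constructed userland payload; no zero bytes so a scrubbed block
 * cannot accidentally "match" it. */
static const uint8_t payload[] = "TAINT-FROM-USERLAND";
#define PAYLOAD_LEN (sizeof(payload) - 1)

int main(void)
{
    printf("unscrubbed: %zu of %zu payload bytes survive free()\n",
           residue_after(handle_log_unscrubbed, payload, PAYLOAD_LEN),
           PAYLOAD_LEN);
    printf("scrubbed:   %zu of %zu payload bytes survive free()\n",
           residue_after(handle_log_scrubbed, payload, PAYLOAD_LEN),
           PAYLOAD_LEN);
    return 0;
}
```

The check a reviewer wants on a fix like this is the one `scrub()` makes explicit: a plain `memset()` immediately before `free()` is a store to memory that is about to become unreachable, and optimising compilers are entitled to remove it, so the clearing must go through a volatile access or a function the compiler cannot see through.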
Patches
optee_os.git
- core: scrub user-tainted kernel heap memory before freeing it (70b6131)
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2019-0003
Reported by
Netflix (Bastien Simondi)
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.