Integer overflow in crypto system calls (x2)

Moderate
jbech-linaro published GHSA-4jhx-4vrf-7p58 Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.4.0

Patched versions

>= 3.4.0

Description

The function syscall_obj_generate_key is a system call that generates a cryptographic key. It is exposed to TAs, which supply the length of the key to be generated, its type, and a number of attributes it should have. A multiplication involving the number of parameters is not checked for overflow, which can lead to an out-of-bounds write. One of the parameters passed in by a TA is param_count. The TEE kernel locally allocates a heap buffer of size sizeof(TEE_Attribute) * param_count without checking the multiplication for integer overflow, so the heap buffer can be smaller than required. The user-supplied input usr_params is then copied into this buffer, and the copy can be terminated at any moment by making the additional checks in copy_in_attrs fail. This allows a heap-based buffer overflow with attacker-controlled data written outside the boundaries of the buffer. Such corruption might allow code execution in the context of the TEE kernel.
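
The size calculation described above next to an overflow-checked form, as an added example that is not OP-TEE's code. Assumptions: struct attr is a hypothetical 16-byte stand-in for TEE_Attribute, size32_t models the size type of a 32-bit target, the helper names are invented for illustration, and __builtin_mul_overflow is the GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 16-byte stand-in for TEE_Attribute (not OP-TEE's layout). */
struct attr { uint32_t id, a, b, pad; };
/* Assumption: size type of a 32-bit target, so wrap-around is at 2^32. */
typedef uint32_t size32_t;

/* Unchecked pattern from the description: the product silently wraps. */
size32_t unchecked_alloc_size(size32_t param_count)
{
    return (size32_t)sizeof(struct attr) * param_count;
}

/* Checked pattern: returns false when the product does not fit. */
bool checked_alloc_size(size32_t param_count, size32_t *size)
{
    return !__builtin_mul_overflow((size32_t)sizeof(struct attr),
                                   param_count, size);
}

/* Copy caller-supplied attributes; NULL on bad input, overflow or OOM. */
struct attr *copy_attrs(const struct attr *usr, size32_t param_count)
{
    size32_t size;
    struct attr *buf;

    if (!usr || !param_count || !checked_alloc_size(param_count, &size))
        return NULL;
    buf = malloc(size);
    if (buf)
        memcpy(buf, usr, size);
    return buf;
}

int main(void)
{
    size32_t n = 0x10000001u, size = 0; /* constructed sample count */

    printf("unchecked: %u bytes for %u attributes\n",
           (unsigned)unchecked_alloc_size(n), (unsigned)n);
    printf("checked: %s\n", checked_alloc_size(n, &size) ? "ok" : "rejected");
    return 0;
}
```

With the constructed count 0x10000001, the unchecked product wraps to the size of a single attribute, which is the undersized buffer the description refers to; the checked form rejects the request before any allocation.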

Patches

optee_os.git

  • svc: check for allocation overflow in crypto calls (a637243)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2018-0010

Reported by

Riscure

For more information

For more information regarding the security incident process in OP-TEE, see the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

CVE-2019-1010297

Weaknesses

No CWEs