
ehdr.e_shnum could be very large and used to access out of bound memory

Moderate
jbech-linaro published GHSA-62v3-6gr2-66g7 Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.6.0

Patched versions

>= 3.6.0

Description

At the end of elf_load_body(), the code processes the relocation information segment: the relocation information is copied into a system heap memory block referenced by state->shdr. Because the computed size is the result of an uncontrolled multiplication (ehdr.e_shnum * ehdr.e_shentsize), it could overflow and result in a small memory block being allocated.

Later in the code, no MUL_OVERFLOW() check is performed either, and the code will access beyond the allocated memory (e.g. in elf_process_rel()). The outcome of this flaw depends on the system heap memory arrangement, but it could be used to snoop information or alter memory.

For example, e32_process_rel() retrieves sym_tab_idx from shdr[rel_sidx].sh_link, then checks that sym_tab_idx is smaller than ehdr->e_shnum; as the latter can be as large as needed, shdr[sym_tab_idx] can point beyond the allocated memory block. Additionally, depending on the memory arrangement, it could point to shared memory, and control of the targeted memory block could be used to mount further TOCTOU attacks (for instance, setting sym_tab to an arbitrary value by updating shdr[sym_tab_idx].sh_addr with proper timing).
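The two defects described above, the unchecked size product and the index check made against the untrusted ehdr->e_shnum rather than the entry count actually allocated, are shown below beside hardened versions. This is an added illustration, not OP-TEE code or the patch itself: the function names are hypothetical, the Elf32_Shdr layout is written out so the block builds without <elf.h>, __builtin_mul_overflow() stands in for OP-TEE's MUL_OVERFLOW() macro (assumes a GCC or Clang toolchain), and the three-entry section header table is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Elf32_Shdr layout (ten 32-bit fields, 40 bytes), written out here so the
 * example builds without <elf.h>. */
struct elf32_shdr {
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset;
    uint32_t sh_size, sh_link, sh_info, sh_addralign, sh_entsize;
};

/* Vulnerable pattern from the advisory: the table size is an unchecked
 * product of two untrusted ELF header fields, so it can wrap to a small
 * value and the allocation ends up shorter than the data copied into it. */
size_t shdr_table_size_unchecked(size_t e_shnum, size_t e_shentsize)
{
    return e_shnum * e_shentsize;
}

/* Hardened: refuse the product if it wraps. __builtin_mul_overflow stands in
 * for OP-TEE's MUL_OVERFLOW() macro (assumption: GCC/Clang toolchain). */
bool shdr_table_size_checked(size_t e_shnum, size_t e_shentsize, size_t *out)
{
    return !__builtin_mul_overflow(e_shnum, e_shentsize, out);
}

/* Validate the section header table before copying it out of the image:
 * the entry size must match the struct we index with, the product must not
 * wrap, and offset + size must stay inside the image. Returns the number of
 * entries that may be copied, or 0 if the header is rejected. */
size_t validate_shdr_table(uint32_t e_shoff, uint16_t e_shentsize,
                           uint16_t e_shnum, size_t image_len)
{
    size_t table_size, end;

    if (e_shentsize != sizeof(struct elf32_shdr))
        return 0;
    if (!shdr_table_size_checked(e_shnum, e_shentsize, &table_size))
        return 0;
    if (__builtin_add_overflow((size_t)e_shoff, table_size, &end))
        return 0;
    if (end > image_len)
        return 0;
    return e_shnum;
}

/* Bounds-checked counterpart of the shdr[rel_sidx].sh_link lookup: both
 * indices are compared against nshdr, the entry count actually allocated,
 * rather than against the untrusted ehdr->e_shnum. */
const struct elf32_shdr *lookup_symtab(const struct elf32_shdr *shdr,
                                       size_t nshdr, size_t rel_sidx)
{
    if (rel_sidx >= nshdr)
        return NULL;
    if (shdr[rel_sidx].sh_link >= nshdr)
        return NULL;
    return &shdr[shdr[rel_sidx].sh_link];
}

/* Constructed three-entry table: entry 1 links to a valid symbol table
 * (index 2); entry 0 carries an out-of-range sh_link. Returns the index of
 * the resolved symbol table, or -1 when the lookup is refused. */
long symtab_index_for(size_t rel_sidx)
{
    static const struct elf32_shdr table[3] = {
        { .sh_link = 7 },   /* out of range for a 3-entry table */
        { .sh_link = 2 },   /* valid */
        { .sh_link = 0 },
    };
    const struct elf32_shdr *sym = lookup_symtab(table, 3, rel_sidx);

    return sym ? (long)(sym - table) : -1;
}

int main(void)
{
    size_t sz;

    printf("unchecked SIZE_MAX*2 = %zu (wrapped)\n",
           shdr_table_size_unchecked(SIZE_MAX, 2));
    printf("checked   SIZE_MAX*2 accepted? %d\n",
           shdr_table_size_checked(SIZE_MAX, 2, &sz));
    printf("3 headers at offset 100 in a 1000-byte image: %zu entries\n",
           validate_shdr_table(100, 40, 3, 1000));
    printf("30 headers at offset 100 in a 1000-byte image: %zu entries\n",
           validate_shdr_table(100, 40, 30, 1000));
    printf("sh_link of entry 1 -> %ld, entry 0 -> %ld, entry 5 -> %ld\n",
           symtab_index_for(1), symtab_index_for(0), symtab_index_for(5));
    return 0;
}
```

The point of validate_shdr_table() is that it returns the count the loader may rely on afterwards; every later index check, including the sh_link lookup, compares against that value rather than re-reading ehdr->e_shnum, so a header that claims more sections than the image holds is rejected before any allocation or copy happens.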

Patches

optee_os.git

  • core: elf_load_body(): use MUL_OVERFLOW() to get size of section headers (5787ecd)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2019-0016

Reported by

Netflix (Bastien Simondi)

For more information

For more information regarding the security incident process in OP-TEE, please read the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs