At the end of elf_load_body(), the code processes the relocation information segment: the relocation information is copied into a system heap memory block associated with state->shdr. As the computed size is the result of an uncontrolled multiplication (ehdr.e_shnum * ehdr.e_shentsize), it could have overflowed, resulting in the allocation of a memory block that is too small.
Later in the code, no MUL_OVERFLOW() check is performed either, and the code will access beyond the allocated memory (e.g. in elf_process_rel()). The outcome of this flaw depends on the system heap memory arrangement, but it could be used to snoop information or alter memory.
For example, e32_process_rel() retrieves sym_tab_idx from shdr[rel_sidx].sh_link, then checks whether sym_tab_idx is smaller than ehdr->e_shnum; as the latter can be as large as needed, shdr[sym_tab_idx] can point beyond the allocated memory block. Additionally, depending on memory arrangement, one could point to shared memory and control the targeted memory block to mount further TOCTOU attacks (for instance to set sym_tab to an arbitrary value by updating shdr[sym_tab_idx].sh_addr with proper timing).
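The following is an added illustration, not code from the OP-TEE tree: it shows the unchecked size computation the advisory describes next to an overflow-checked form equivalent to the MUL_OVERFLOW() fix. The struct demo_ehdr fields, their uint32_t types and the sample header values are constructed for this demo; the 32-bit size_t of an AArch32 build is modelled with uint32_t so the wrap is visible on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two header fields the advisory names; the
 * field types are an assumption for this demo, not OP-TEE's own struct. */
struct demo_ehdr {
    uint32_t e_shnum;     /* number of section header entries (untrusted) */
    uint32_t e_shentsize; /* size in bytes of one entry (untrusted) */
};

/* size_t of a 32-bit build, modelled explicitly so the wrap shows on any host. */
typedef uint32_t demo_size_t;

/* Before the fix: the product is taken on trust. Unsigned arithmetic wraps
 * modulo 2^32, so a large e_shnum yields a far smaller size than needed and
 * a too-small heap block is allocated for state->shdr. */
static demo_size_t shdr_size_unchecked(const struct demo_ehdr *ehdr)
{
    return ehdr->e_shnum * ehdr->e_shentsize;
}

/* After the fix: the same check MUL_OVERFLOW() performs, written out here.
 * Returns false when the product would wrap; the caller then rejects the
 * image instead of allocating anything. */
static bool shdr_size_checked(const struct demo_ehdr *ehdr, demo_size_t *size)
{
    demo_size_t a = ehdr->e_shnum, b = ehdr->e_shentsize;

    if (b != 0 && a > UINT32_MAX / b)
        return false;
    *size = a * b;
    return true;
}

int main(void)
{
    /* Constructed headers: one sane, one whose e_shnum makes the product wrap. */
    struct demo_ehdr sane = { .e_shnum = 40, .e_shentsize = 64 };
    struct demo_ehdr malformed = { .e_shnum = 0x01000001, .e_shentsize = 0x100 };
    demo_size_t size = 0;

    /* 0x01000001 * 0x100 = 0x100000100, which wraps to 0x100: 256 bytes for
     * over 16 million claimed entries. */
    printf("unchecked: %u bytes for %u entries\n",
           shdr_size_unchecked(&malformed), malformed.e_shnum);
    printf("checked sane: %s, size %u\n",
           shdr_size_checked(&sane, &size) ? "ok" : "overflow", size);
    printf("checked malformed: %s\n",
           shdr_size_checked(&malformed, &size) ? "ok" : "overflow");
    return 0;
}
```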
Patches
optee_os.git
- core: elf_load_body(): use MUL_OVERFLOW() to get size of section headers (5787ecd)
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2019-0016
Reported by
Netflix (Bastien Simondi)
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.