The function tee_svc_copy_param is used to copy in parameters when a TA wants to open a session with, or invoke a command on, another TA. It is used in system calls and is therefore indirectly callable by any TA. However, this function does not do sufficient parameter checking when the called TA is a pseudo TA. One of the parameters passed in is callee_params, which is passed directly through from the TA. It is verified that this structure itself resides in either shared memory or memory which the calling TA has read access to. However, this structure can contain pointers as its members. The structure callee_params is first copied into the output parameter param. In the case that the called TA is a pseudo TA, no further checking is done and a success code is returned. It is not verified that the members of param point to valid memory. This means there is a mismatch between the validation performed when invoking a normal TA and when invoking a pseudo TA. If a pseudo TA relies on the pointers being validated as they would be for a normal TA, it might use these pointers without further validation. This might result in memory corruption and memory disclosure.
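The validation mismatch described above, as a simplified C model added here for illustration; it is not optee_os code. The struct layout, the single caller-accessible region and every function name are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not optee_os code: all names below are hypothetical. */
enum { N_PARAMS = 4 };
struct memref { uintptr_t addr; size_t size; };
struct params { struct memref ref[N_PARAMS]; };
struct region { uintptr_t base; size_t size; };  /* memory the caller may access */

/* Overflow-safe check that [addr, addr + size) lies inside the caller's region. */
static bool caller_owns(const struct region *r, uintptr_t addr, size_t size)
{
    if (addr < r->base || size > r->size)
        return false;
    return addr - r->base <= r->size - size;
}

/* Validate every member pointer, not just the containing structure. */
static bool refs_valid(const struct region *r, const struct params *p)
{
    for (size_t i = 0; i < N_PARAMS; i++) {
        if (p->ref[i].size == 0)
            continue;                /* unused slot */
        if (!caller_owns(r, p->ref[i].addr, p->ref[i].size))
            return false;
    }
    return true;
}

/* Pattern described in the advisory: member pointers are skipped for pseudo TAs. */
int copy_param_before(const struct region *caller, bool callee_is_pseudo,
                      const struct params *callee_params, struct params *param)
{
    *param = *callee_params;
    if (callee_is_pseudo)
        return 0;                    /* success without checking param->ref[] */
    return refs_valid(caller, param) ? 0 : -1;
}

/* Same validation for every callee type, in line with the patch title. */
int copy_param_after(const struct region *caller, bool callee_is_pseudo,
                     const struct params *callee_params, struct params *param)
{
    (void)callee_is_pseudo;          /* callee type no longer affects checking */
    *param = *callee_params;
    return refs_valid(caller, param) ? 0 : -1;
}
```

A pseudo TA handler written against the second form can treat each memref in param as already bounded to the caller's memory; against the first form it would have to repeat the check itself.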
Patches
optee_os.git
- core: svc: always check ta parameters (d5c5b0b)
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2018-0007
Reported by
Riscure
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.