Integer overflow in crypto system calls

Moderate
jbech-linaro published GHSA-7xg8-3f4w-w5w3 Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.4.0

Patched versions

>= 3.4.0

Description

The function syscall_cryp_obj_populate is a system call which initializes the attributes of a cryptographic object. It is exposed to TAs, which supply a reference to the crypto object to be populated along with the number of attributes it must possess. That attribute count is used as a factor in the multiplication that sizes a memory allocation, and the multiplication is not checked for overflow, which can lead to an out-of-bounds write. One of the parameters passed in by a TA is attr_count. The TEE kernel locally allocates a heap buffer of size sizeof(TEE_Attribute) * attr_count without checking for an integer overflow in the multiplication, so the resulting heap buffer can be smaller than required. The user-supplied input usr_attrs is then copied into this buffer; because the additional checks in copy_in_attrs can be made to fail, the copy can be terminated at any point. The result is a heap-based buffer overflow with attacker-controlled data written outside the bounds of the buffer. Such corruption might allow code execution in the context of the TEE kernel.
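The following is an added illustration of the allocation-size overflow described above, written for this page; it is not OP-TEE code and does not reproduce the project's fix. The struct attr_t is a hypothetical stand-in for TEE_Attribute (its real layout is not given here), and the arithmetic is modelled with explicit 32-bit unsigned values, which is the width of size_t on a 32-bit TEE build. unchecked_alloc_size shows how the product sizeof(attr) * attr_count wraps to a small value, and checked_alloc_size shows the kind of pre-multiplication bound check that prevents the undersized allocation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for TEE_Attribute; 32 bytes keeps the arithmetic easy. */
typedef struct {
    uint32_t attribute_id;
    uint32_t reserved;
    uint64_t value_a;
    uint64_t value_b;
    uint64_t value_c;
} attr_t;

/* Modelled 32-bit size type, as on a 32-bit TEE kernel build (assumption). */
typedef uint32_t tee_size_t;
#define ATTR_SIZE ((tee_size_t)sizeof(attr_t))

/* Unchecked computation: the product is evaluated in 32-bit unsigned
 * arithmetic and silently wraps, yielding a size far smaller than the
 * attr_count attributes the caller will later copy in. */
tee_size_t unchecked_alloc_size(tee_size_t attr_count)
{
    return ATTR_SIZE * attr_count;
}

/* Checked computation: refuse any count whose product cannot fit in
 * tee_size_t. Division by a non-zero constant cannot itself overflow,
 * so this test is safe to evaluate before the multiplication. */
bool checked_alloc_size(tee_size_t attr_count, tee_size_t *out)
{
    if (attr_count > UINT32_MAX / ATTR_SIZE)
        return false;               /* would wrap: reject the request */
    *out = ATTR_SIZE * attr_count;
    return true;
}

/* Allocate the attribute array only when the size is provably correct;
 * returns NULL on overflow instead of handing back a too-small buffer. */
attr_t *alloc_attrs(tee_size_t attr_count)
{
    tee_size_t bytes;

    if (!checked_alloc_size(attr_count, &bytes))
        return NULL;
    if (bytes == 0)
        return NULL;                /* nothing to copy; avoid malloc(0) games */
    return (attr_t *)calloc(1, bytes);
}

int main(void)
{
    /* Constructed example: 0x08000001 * 32 = 0x100000020, which wraps to 32. */
    tee_size_t huge = 0x08000001u;
    attr_t *p;

    printf("unchecked size for %u attrs: %u bytes\n",
           (unsigned)huge, (unsigned)unchecked_alloc_size(huge));
    p = alloc_attrs(huge);
    printf("checked allocation: %s\n", p ? "granted" : "rejected (overflow)");
    free(p);
    return 0;
}
```

On GCC and Clang the same guard can be written with `__builtin_mul_overflow(ATTR_SIZE, attr_count, &bytes)`, which reports the wrap directly; the division form above is shown because it is portable C and makes the bound explicit.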

Patches

optee_os.git

  • core: svc: check for allocation overflow in syscall_cryp_obj_populate (b60e1ce)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2018-0009

Reported by

Riscure

For more information

For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

CVE-2019-1010296

Weaknesses

No CWEs