Poison or leak shared secure memory allocated in the kernel

Moderate
jbech-linaro published GHSA-8566-xh27-28r4 Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.6.0

Patched versions

>= 3.6.0

Description

Memory allocated through alloc_temp_sec_mem() is not scrubbed when returned. An attacker could leverage this to copy arbitrary data into this secure memory pool, or to snoop stale data left by a previous call made by another TA. For example, a parameter of type TEE_PARAM_TYPE_MEMREF_OUTPUT maps the data without overwriting it, which gives access to whatever is already there.
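
The leak described above, modelled as an added example (not OP-TEE code and not the patch itself): a toy pool stands in for the memory handed out by alloc_temp_sec_mem(), and every function name, the pool size and the secret string are hypothetical. Zeroing the region before it is reused is an assumed placement of the scrub, chosen for illustration.

```c
/* Toy model of the stale-data leak; not OP-TEE source, all names hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define POOL_SIZE 64
static uint8_t pool[POOL_SIZE];  /* stands in for the temporary secure pool */
enum param_type { MEMREF_INPUT, MEMREF_OUTPUT };  /* models TEE_PARAM_TYPE_MEMREF_* */

/* The same region is handed out on every call. scrub=false models the
 * affected behaviour, scrub=true zeroes the region before it is reused. */
static uint8_t *temp_alloc(size_t len, bool scrub)
{
    if (len > POOL_SIZE)
        return NULL;
    if (scrub)
        memset(pool, 0, len);
    return pool;
}

/* INPUT parameters are copied into the pool; OUTPUT parameters are only
 * mapped, so whatever the pool already holds stays visible. */
static uint8_t *map_param(enum param_type t, const void *src, size_t len, bool scrub)
{
    uint8_t *dst = temp_alloc(len, scrub);
    if (dst && t == MEMREF_INPUT && src)
        memcpy(dst, src, len);
    return dst;
}

/* Call 1 passes a secret as INPUT; call 2, from another caller, asks for an
 * OUTPUT buffer of the same size. Returns the secret bytes call 2 can read. */
size_t leaked_bytes(bool scrub)
{
    static const char secret[] = "constructed-secret-key";  /* constructed sample */
    size_t len = strlen(secret), n = 0;
    memset(pool, 0, sizeof(pool));  /* start from a clean pool */
    if (!map_param(MEMREF_INPUT, secret, len, scrub))
        return 0;
    const uint8_t *out = map_param(MEMREF_OUTPUT, NULL, len, scrub);
    for (size_t i = 0; out && i < len; i++)
        n += (out[i] == (uint8_t)secret[i]);
    return n;
}

int main(void)
{
    printf("unscrubbed: %zu, scrubbed: %zu\n", leaked_bytes(false), leaked_bytes(true));
    return 0;
}
```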

Patches

optee_os.git

  • core: scrub user-tainted memory returned by alloc_temp_sec_mem() (9348854)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2019-0002

Reported by

Netflix (Bastien Simondi)

For more information

For more information about the security incident process in OP-TEE, see the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs