Integer overflow in TA memory map logic

Moderate
jbech-linaro published GHSA-8f8h-rgqv-v73r Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.6.0

Patched versions

>= 3.6.0

Description

vm_map() and umap_add_region() do not check that the given offs + ROUNDUP(len…) does not overflow. As a result, the check that the region lies within a given memory object can be bypassed, and the offset and/or size parameters could be very large.

This could be leveraged to alter the intended behavior of functions that use either the region size or the region offset, such as tee_mmu_user_pa2va_helper().
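The wrap-around described above, shown as an added example that is not OP-TEE's code: an unchecked "region fits in object" test beside a form that rejects overflow in both the round-up and the addition. The function names, the 4 KiB granule and the sample values are assumptions made for illustration; `__builtin_add_overflow` is the GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRANULE ((size_t)4096) /* assumed mapping granule (constructed) */

/* Round v up to a multiple of GRANULE; wraps silently near SIZE_MAX. */
static size_t roundup_unchecked(size_t v)
{
	return (v + GRANULE - 1) & ~(GRANULE - 1);
}

/* Unchecked form (hypothetical): the sum can wrap, so a huge offs or len
 * yields a small "end" that passes the comparison. */
bool region_in_object_unchecked(size_t obj_size, size_t offs, size_t len)
{
	return offs + roundup_unchecked(len) <= obj_size;
}

/* Checked form (hypothetical): fail as soon as either step wraps. */
bool region_in_object_checked(size_t obj_size, size_t offs, size_t len)
{
	size_t rlen = 0;
	size_t end = 0;

	if (__builtin_add_overflow(len, GRANULE - 1, &rlen))
		return false;
	rlen &= ~(GRANULE - 1);
	if (__builtin_add_overflow(offs, rlen, &end))
		return false;
	return end <= obj_size;
}

int main(void)
{
	/* Constructed inputs: 16 KiB object, offset chosen so the sum wraps. */
	size_t obj = 0x4000, offs = SIZE_MAX - 0xFFF, len = 0x2000;

	printf("unchecked accepts: %d, checked accepts: %d\n",
	       region_in_object_unchecked(obj, offs, len),
	       region_in_object_checked(obj, offs, len));
	return 0;
}
```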

Patches

optee_os.git

  • core: umap_add_region(): add overflow check (bcc81cf)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2019-0017

Reported by

Netflix (Bastien Simondi)

For more information

For more information regarding the security incident process in OP-TEE, please see the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs