Unchecked parameters are passed through from REE

Moderate
jbech-linaro published GHSA-942q-2v29-g8h3 Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.4.0

Patched versions

>= 3.4.0

Description

The function set_rmem_param is a helper function used when copying parameters locally for TA calls. It is used when a parameter is a buffer of type rmem. The function receives an input parameter param from the REE and an output parameter mem. After finding the shared memory object referenced by param, it copies the offset and size members of param into mem as-is. No validation is done to ensure that these members actually do reside in shared memory, and param is not checked any further before it is passed on to the TA through the function pointer sess->ctx->ops->enter_invoke_cmd in the function tee_ta_invoke_command. How this problem manifests itself depends heavily on how the TA uses the passed parameters. However, it could lead to corruption of any memory that the TA can access.

Patches

optee_os.git

  • core: ensure that supplied range matches MOBJ (e3adcf5)
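
The missing check described above, shown as an added example: this is a simplified model written for this page, not code from optee_os or from commit e3adcf5. The struct and function names (shm_obj, ree_rmem, ta_mem, copy_unchecked, range_in_obj, copy_checked) and the sample values are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the OP-TEE types; all names are assumptions. */
struct shm_obj { size_t size; };                /* shared memory object */
struct ree_rmem { size_t offs; size_t size; };  /* values chosen by the REE */
struct ta_mem { const struct shm_obj *obj; size_t offs; size_t size; };

/* Pattern from the description: offset and size are copied as-is. */
static bool copy_unchecked(const struct shm_obj *obj,
                           const struct ree_rmem *p, struct ta_mem *mem)
{
    mem->obj = obj;
    mem->offs = p->offs;
    mem->size = p->size;
    return true;
}

/* True only if [offs, offs + size) lies inside the object. Written as two
 * comparisons so that a huge offs or size cannot wrap offs + size. */
static bool range_in_obj(size_t obj_size, size_t offs, size_t size)
{
    return offs <= obj_size && size <= obj_size - offs;
}

/* Hardened form: validate first, leave *mem untouched on rejection. */
static bool copy_checked(const struct shm_obj *obj,
                         const struct ree_rmem *p, struct ta_mem *mem)
{
    if (!range_in_obj(obj->size, p->offs, p->size))
        return false;
    return copy_unchecked(obj, p, mem);
}

int main(void)
{
    struct shm_obj obj = { .size = 4096 };      /* constructed sample values */
    struct ree_rmem cases[] = {
        { 0, 4096 }, { 4000, 200 }, { SIZE_MAX - 15, 32 }, { 4096, 0 },
    };
    struct ta_mem mem = { 0 };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("offs=%zu size=%zu checked=%d\n", cases[i].offs,
               cases[i].size, copy_checked(&obj, &cases[i], &mem));
    return 0;
}
```

The third sample case is the one a naive `offs + size <= obj->size` comparison would accept, because the sum wraps around to a small value.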

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2018-0004

Reported by

Riscure

For more information

For more information regarding the security incident process in OP-TEE, see the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs