Integer overflow in crypto system calls (x2) - part 2

Moderate
jbech-linaro published GHSA-g84f-gjj3-pm4v Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.4.0

Patched versions

>= 3.4.0

Description

The function syscall_asymm_verify is a system call used to verify cryptographic signatures. One of the parameters passed in by a TA is num_params. The TEE kernel allocates a local heap buffer of size sizeof(TEE_Attribute) * num_params without checking the multiplication for integer overflow, so the buffer can end up smaller than required. The user-supplied input usr_params is then copied into this buffer, and by making the additional checks in copy_in_attrs fail, the copy can be terminated at any point. This allows a heap-based buffer overflow in which attacker-controlled data is written outside the boundaries of the buffer. Such corruption might allow code execution in the context of the TEE kernel.
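
The size calculation described above, as an added example (not OP-TEE's code and not the patch in 70697bf): the unchecked multiplication next to a checked one that rejects the count before any allocation or copy. The 16-byte attr_t stand-in, the 32-bit size arithmetic and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 16-byte stand-in for TEE_Attribute (layout is an assumption). */
typedef struct { uint32_t id, a, b, c; } attr_t;

/* Unchecked pattern from the description, modelled with 32-bit size
 * arithmetic (an assumption) so the wrap is visible on any host. */
static uint32_t size_unchecked(uint32_t num_params)
{
    return (uint32_t)sizeof(attr_t) * num_params; /* wraps modulo 2^32 */
}

/* Checked pattern: fail when the product does not fit the size type. */
static bool size_checked(uint32_t num_params, uint32_t *out)
{
    if (num_params > UINT32_MAX / (uint32_t)sizeof(attr_t))
        return false;
    *out = (uint32_t)sizeof(attr_t) * num_params;
    return true;
}

/* Hardened copy-in: 0 on success, -1 on overflow, -2 on allocation failure. */
static int attrs_copy_in(const attr_t *usr, uint32_t num_params, attr_t **out)
{
    uint32_t sz;

    if (!size_checked(num_params, &sz))
        return -1;
    *out = malloc(sz ? sz : 1);
    if (!*out)
        return -2;
    if (sz)
        memcpy(*out, usr, sz);
    return 0;
}

int main(void)
{
    uint32_t n = 0x10000001u; /* constructed count that forces the wrap */
    attr_t *buf = NULL;

    printf("unchecked: %u entries -> %u bytes\n", (unsigned)n, (unsigned)size_unchecked(n));
    printf("checked copy-in returns %d\n", attrs_copy_in(NULL, n, &buf));
    return 0;
}
```

With the constructed count, the unchecked size comes out as a single entry's worth of bytes, while the checked path refuses the request before allocating.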

Patches

optee_os.git

  • svc: check for allocation overflow in crypto calls part 2 (70697bf)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2018-0011

Reported by

Riscure

For more information

For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

CVE-2019-1010298

Weaknesses

No CWEs