The macro MOBJ_REG_SHM_SIZE() could overflow depending on nr_pages, e.g. via mobj_mapped_shm_alloc()->mobj_reg_shm_alloc(), which is called in various places. In such a case, the mobj_reg_shm memory would be a small memory block while num_pages would be large, which could lead to a generous memcpy() when copying the pages into internal memory; the outcome of this depends on memory mapping.
Note: no attack path has been identified to exploit this overflow, however it is error prone and could lead to a future vulnerability.
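The size-computation pattern the advisory describes, shown as an added example that is not OP-TEE's own code: a header struct followed by an array of page entries, an unchecked size macro that wraps when nr_pages is huge (so the allocated block is far smaller than the caller expects), and a checked variant that refuses the request instead. The struct layout, the macro body, the helper names and the use of the GCC/Clang overflow builtins are all assumptions for illustration; the real MOBJ_REG_SHM_SIZE() and the fix in commit 8ad7af5 may differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a registered-shared-memory object: a small
 * header followed by a flexible array of page addresses. The real
 * struct mobj_reg_shm layout is not on the advisory page (assumption). */
struct reg_shm_example {
	size_t num_pages;
	uint64_t pages[];
};

/* Unchecked size computation in the style of a MOBJ_REG_SHM_SIZE()-like
 * macro (assumed form). With a large nr_pages the multiplication wraps
 * around size_t and the result is a small number, so the allocation
 * succeeds but cannot hold nr_pages entries. */
#define REG_SHM_SIZE_UNCHECKED(nr_pages) \
	(sizeof(struct reg_shm_example) + (nr_pages) * sizeof(uint64_t))

/* Returns true if the unchecked size for nr_pages is too small to hold
 * the header plus nr_pages page entries, i.e. the computation wrapped. */
static bool unchecked_size_is_undersized(size_t nr_pages)
{
	size_t sz = REG_SHM_SIZE_UNCHECKED(nr_pages);

	if (sz < sizeof(struct reg_shm_example))
		return true;
	return (sz - sizeof(struct reg_shm_example)) / sizeof(uint64_t) < nr_pages;
}

/* Checked variant: computes the same size but reports failure instead of
 * wrapping. Uses the GCC/Clang overflow builtins; OP-TEE has its own
 * helpers for this, which are not reproduced here (assumption). */
static bool reg_shm_size_checked(size_t nr_pages, size_t *out)
{
	size_t array_bytes;
	size_t total;

	if (__builtin_mul_overflow(nr_pages, sizeof(uint64_t), &array_bytes))
		return false;
	if (__builtin_add_overflow(sizeof(struct reg_shm_example), array_bytes,
				   &total))
		return false;
	*out = total;
	return true;
}

/* Convenience wrapper: the checked size, or 0 if nr_pages is rejected.
 * A caller such as an allocator would return an error on 0 rather than
 * allocate a wrapped, too-small block. */
static size_t reg_shm_size_or_zero(size_t nr_pages)
{
	size_t sz = 0;

	if (!reg_shm_size_checked(nr_pages, &sz))
		return 0;
	return sz;
}

int main(void)
{
	/* Smallest nr_pages whose byte count wraps to exactly 0 on this
	 * platform; constructed input, not taken from any real caller. */
	size_t huge = SIZE_MAX / sizeof(uint64_t) + 1;

	printf("nr_pages=4: unchecked=%zu checked=%zu undersized=%d\n",
	       (size_t)REG_SHM_SIZE_UNCHECKED(4), reg_shm_size_or_zero(4),
	       unchecked_size_is_undersized(4));
	printf("nr_pages=%zu: unchecked=%zu checked=%zu undersized=%d\n",
	       huge, (size_t)REG_SHM_SIZE_UNCHECKED(huge),
	       reg_shm_size_or_zero(huge), unchecked_size_is_undersized(huge));
	return 0;
}
```

The unchecked macro reports a header-sized block for the wrapped input, which is exactly the "small memory block, large num_pages" condition the advisory describes; the checked helper turns the same input into an allocation failure before any copy is attempted.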
Patches
optee_os.git
- core: add overflow check in mobj_reg_shm_alloc() (8ad7af5)
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2019-0013
Reported by
Netflix (Bastien Simondi)
For more information
For more information regarding the security incident process in OP-TEE, please read the "Security" page at https://www.trustedfirmware.org.