The SHDR_GET_SIZE(), SHDR_GET_HASH() and SHDR_GET_SIG() macros could overflow depending on given x and associated hash_size, sig_size values.
Note, no other attack path than the ones reported by Riscure (not using keyword return when checking img_size and shdr_size) are identified to exploit this overflow, however it is error prone and could lead to a future vulnerability.
Patches
optee_os.git
- core: add VA overflow check in shdr_alloc_and_copy() (062765e)
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2019-0012
Reported by
Netflix (Bastien Simondi)
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.
The
SHDR_GET_SIZE(),SHDR_GET_HASH()andSHDR_GET_SIG()macros could overflow depending on givenxand associatedhash_size,sig_sizevalues.Note, no other attack path than the ones reported by Riscure (not using keyword
returnwhen checkingimg_sizeandshdr_size) are identified to exploit this overflow, however it is error prone and could lead to a future vulnerability.Patches
optee_os.git
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2019-0012
Reported by
Netflix (Bastien Simondi)
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.