The function tee_mmu_check_access_rights is used to check access rights to a given memory region. It is called when a TA performs a system call, to verify that the TA has the correct access rights to the buffer it provides. However, tee_mmu_check_access_rights does not check every page of the TA-provided buffer. A TA provides a buffer as a pointer (uaddr) and a length (len). The buffer is checked piecewise in increments of addr_incr (4KiB) in a for-loop. When len is not page aligned, the final addition of addr_incr moves the loop variable a past the termination condition a < (uaddr + len), so the loop exits before the final page of the TA-provided buffer is checked. A TA could therefore provide a buffer of which up to 4KiB resides in the context of the TEE kernel or another TA. This could lead to memory corruption of the TEE itself or another TA. Memory corruption vulnerabilities can have serious impact, such as allowing runtime control.
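The loop behaviour described above, modelled as an added example (not OP-TEE source and not the actual patch). The names page_accessible, check_stepped and check_all_pages and the one-page memory layout are constructed for illustration, and the hardened variant is one way to cover every page, assumed rather than taken from commit 95f36d6.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ADDR_INCR 0x1000u /* 4KiB step, as in the advisory */

/* Constructed memory model: the TA may access only the page at 0x1000. */
static bool page_accessible(uintptr_t a)
{
	return a / ADDR_INCR == 1;
}

/* Loop shape from the advisory: start at uaddr, step by addr_incr. */
bool check_stepped(uintptr_t uaddr, size_t len)
{
	for (uintptr_t a = uaddr; a < uaddr + len; a += ADDR_INCR)
		if (!page_accessible(a))
			return false;
	return true;
}

/* Hardened model: reject wraparound, then visit every page touched. */
bool check_all_pages(uintptr_t uaddr, size_t len)
{
	uintptr_t end = uaddr + len;

	if (len == 0)
		return true;
	if (end < uaddr)
		return false;
	for (uintptr_t p = uaddr / ADDR_INCR; p <= (end - 1) / ADDR_INCR; p++)
		if (!page_accessible(p * ADDR_INCR))
			return false;
	return true;
}

int main(void)
{
	/* Constructed buffer 0x1c00..0x24ff: its tail lies in page 0x2000. */
	printf("stepped:   %d\n", check_stepped(0x1c00, 0x900));
	printf("all pages: %d\n", check_all_pages(0x1c00, 0x900));
	return 0;
}
```

The stepped check accepts the constructed buffer even though its last 0x500 bytes fall in a page the TA does not own, while the page-indexed check rejects it.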
Patches
optee_os.git
- core: tee_mmu_check_access_rights() check all pages (95f36d6)
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2018-0005
Reported by
Riscure
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.