Integer overflow on parameters from REE leads to smaller memory object than expected

Moderate
jbech-linaro published GHSA-x545-c588-q2mh Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.6.0

Patched versions

>= 3.6.0

Description

msg_param_mobj_from_noncontig() does not check that buf_ptr + size does not overflow. As a result, num_pages can be computed small while size is big. Only num_pages pages will be mapped/registered in the returned mobj. If the caller does not compare mobj->size with the required size, it can end up manipulating memory outside the intended region. The same rationale as for 1.1 applies: one could use it to make the caller access memory beyond the shared memory.

E.g. set_tmem_param()->msg_param_mobj_from_noncontig() takes the returned mobj as it is and associates with it the size that came from the REE without checking the actual mobj->size. The outcome depends on the memory arrangement and the TA implementation.

E.g. tee_entry_std()->register_shm()->msg_param_mobj_from_noncontig(). This path should not be problematic for the discussed use case where num_pages is smaller than expected, but the buffer overflow may have other attack use cases.

E.g. thread_rpc_alloc()->get_rpc_alloc_res()->msg_param_mobj_from_noncontig(). This path provides a similar attack to the one discussed in “RPC alloc could allocate smaller shared memory than requested”, where the resulting mobj->size is smaller than requested/expected.
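The arithmetic the advisory describes, shown as a constructed model rather than OP-TEE's own code: an unchecked page-count computation that wraps for a large REE-supplied size, next to a hardened variant that rejects wrapping parameters, plus the caller-side comparison of mapped size against requested size. Function names, the 4 KiB page constants and the sample buf_ptr/size values are assumptions; the overflow checks use the GCC/Clang `__builtin_add_overflow` builtin.

```c
#include <stdbool.h>
#include <stdint.h>

#define SMALL_PAGE_SIZE 0x1000u
#define SMALL_PAGE_MASK (SMALL_PAGE_SIZE - 1)

/* Page count derived the way the advisory describes: offset-within-page plus
 * size, rounded up to whole pages. Constructed model, not OP-TEE's code. The
 * additions wrap silently, so a huge size can yield a tiny page count. */
static uint64_t num_pages_unchecked(uint64_t buf_ptr, uint64_t size)
{
	uint64_t page_offset = buf_ptr & SMALL_PAGE_MASK;

	return (size + page_offset + SMALL_PAGE_MASK) / SMALL_PAGE_SIZE;
}

/* Hardened variant: refuse any parameter set where buf_ptr + size, or the
 * round-up arithmetic that yields the page count, would wrap. */
static bool num_pages_checked(uint64_t buf_ptr, uint64_t size,
			      uint64_t *num_pages)
{
	uint64_t page_offset = buf_ptr & SMALL_PAGE_MASK;
	uint64_t end = 0, span = 0;

	if (!size)
		return false;
	/* The end address of the REE buffer must itself be representable. */
	if (__builtin_add_overflow(buf_ptr, size, &end))
		return false;
	(void)end;
	/* Same for the sum that is divided to obtain num_pages. */
	if (__builtin_add_overflow(size, page_offset, &span) ||
	    __builtin_add_overflow(span, (uint64_t)SMALL_PAGE_MASK, &span))
		return false;
	*num_pages = span / SMALL_PAGE_SIZE;
	return true;
}

/* Caller-side defence from the advisory: compare what was actually mapped
 * (num_pages * page size, minus the leading offset) with what was requested. */
static bool mapped_covers_request(uint64_t buf_ptr, uint64_t num_pages,
				  uint64_t requested)
{
	uint64_t page_offset = buf_ptr & SMALL_PAGE_MASK;
	uint64_t mapped = num_pages * SMALL_PAGE_SIZE; /* what mobj->size holds */

	return mapped >= page_offset && mapped - page_offset >= requested;
}
```

With buf_ptr 0x10000800 and size 0xFFFFFFFFFFFFFEFF the unchecked computation yields num_pages = 1, which is exactly the "num_pages small, size big" condition; the checked variant rejects the same input, and the caller-side check fails for it as well.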

Patches

optee_os.git

  • core: check for overflow in msg_param_mobj_from_noncontig() (e1509d6)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2019-0004

Reported by

Netflix (Bastien Simondi)

For more information

For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs