There is a risk of integer overflows in the following locations.
copy_in_attrs(): if a very large attr_count is given, the following operation overflows: attr_count * sizeof(struct utee_attribute)syscall_cryp_obj_populate(): if a very large attr_count is given, the following operation overflows sizeof(TEE_Attribute) * attr_countsyscall_asymm_verify(), syscall_asymm_operate(): if a very large num_params is given, the following operation overflows sizeof(TEE_Attribute) * num_paramssyscall_cryp_derive_key(), syscall_obj_generate_key(): if a very large param_count is given, the following operation overflows sizeof(TEE_Attribute) * param_countsyscall_cryp_derive_key(): if a very large params[0].content.ref.length is given, the following overflows params[0].content.ref.length * 8 (this is probably not realistic as params[0].content.ref.len is checked to some extend during attrs copy)
Patches
optee_os.git
- core: crypto: add overflow check when copying attributes (bd81e5b)
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2019-0009
Reported by
Netflix (Bastien Simondi)
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.
There is a risk of integer overflows in the following locations.
copy_in_attrs(): if a very largeattr_countis given, the following operation overflows:attr_count * sizeof(struct utee_attribute)syscall_cryp_obj_populate(): if a very largeattr_countis given, the following operation overflowssizeof(TEE_Attribute) * attr_countsyscall_asymm_verify(),syscall_asymm_operate(): if a very largenum_paramsis given, the following operation overflowssizeof(TEE_Attribute) * num_paramssyscall_cryp_derive_key(),syscall_obj_generate_key(): if a very largeparam_countis given, the following operation overflowssizeof(TEE_Attribute) * param_countsyscall_cryp_derive_key(): if a very largeparams[0].content.ref.lengthis given, the following overflowsparams[0].content.ref.length * 8(this is probably not realistic asparams[0].content.ref.lenis checked to some extend during attrs copy)Patches
optee_os.git
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2019-0009
Reported by
Netflix (Bastien Simondi)
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.