psa_generate_key for a symmetric key of ≥1025 bytes causes a double free #207

Closed
gilles-peskine-arm opened this issue Aug 7, 2019 · 2 comments
Labels
api-spec Issue or PR about the PSA specifications bug Something isn't working Jira status: CLOSED mirrored type: bug

Comments

@gilles-peskine-arm

Description

Steps to reproduce: on the psa-api-1.0-beta branch, call psa_generate_key() with any symmetric key type that allows large key sizes (e.g. PSA_KEY_TYPE_RAW, PSA_KEY_TYPE_HMAC, PSA_KEY_TYPE_DERIVE) and a size of 8200 bits or more (>1024 bytes). This causes a double free inside psa_generate_key.

Impacted product: This only affects the psa-api-1.0-branch; the offending code has never been merged to the Mbed Crypto development branch and thus this does not affect any Mbed Crypto release. The bug was introduced in #263, merged on 2019-05-03, earliest tag psa-api-1.0-beta3.

Impact: this is a double free(), so it can lead to arbitrary code execution. However, the exploitability is low, possibly nonexistent in single-threaded applications with many free() implementations, because there is only a very short window of time between the two free() calls, with no other call to malloc or free in between in the same thread.

Affected applications: The bug is triggered by a failure of psa_generate_random during key generation for a symmetric key (e.g. HMAC or derive, but not asymmetric keys such as RSA). This can happen in two ways:

  • If the key size is 1025 bytes or more, due to "psa_generate_random fails on large requests" #206.
  • If the CTR_DRBG generator needs reseeding and the entropy source(s) fail, causing reseeding to fail. By default, the reseed interval for CTR_DRBG in Mbed Crypto is 10000 bytes. (Note that this is the total number of bytes generated internally, which is typically larger than the total number of bytes requested because CTR_DRBG generates a whole new block even when less than one block is requested.)

Issue request type

[ ] Question
[ ] Enhancement
[x] Bug
gilles-peskine-arm added a commit to gilles-peskine-arm/mbed-crypto that referenced this issue Aug 7, 2019
When psa_generate_random fails, psa_generate_key_internal frees the
key buffer but leaves the pointer to the now-freed buffer in the slot. Then
psa_generate_key calls psa_fail_key_creation which sees the pointer
and calls free() again.

This bug was introduced by ff5f0e7
"Implement atomic-creation psa_{generate,generator_import}_key" which
changed how psa_generate_key() cleans up on errors. I went through the
code and could not find a similar bug in cleanup on an error during
key creation.

Fix ARMmbed#207
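
The ownership mistake described in the commit message above, as an added C example that is not Mbed Crypto code: an inner function frees the key buffer on error, and the outer cleanup frees whatever the slot still points to. `slot_t`, `tracked_free`, `fake_random`, `generate_internal`, `fail_key_creation` and `run_generate` are hypothetical stand-ins, and clearing the pointer after the inner free is one possible hardening, not necessarily what the project's fix does.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for a key slot; not the Mbed Crypto structure. */
typedef struct { unsigned char *data; size_t bytes; } slot_t;

static void *released;   /* buffer already released once in this run */
static int double_frees; /* repeated releases of that same buffer */

/* Defers the real free() and counts repeats, so the demo stays well defined. */
static void tracked_free(void *p)
{
    if (p == NULL) return;
    if (p == released) { double_frees++; return; }
    released = p;
}

/* Constructed model of the random generator failing above 1024 bytes. */
static int fake_random(size_t n) { return n > 1024 ? -1 : 0; }

/* Inner step: frees the buffer on error; clear_ptr selects the hardened form. */
static int generate_internal(slot_t *slot, size_t bytes, int clear_ptr)
{
    slot->data = calloc(1, bytes);
    if (slot->data == NULL) return -1;
    slot->bytes = bytes;
    if (fake_random(bytes) == 0) return 0;
    tracked_free(slot->data);
    if (clear_ptr) { slot->data = NULL; slot->bytes = 0; }
    return -1;
}

/* Outer cleanup: releases whatever the slot still points to. */
static void fail_key_creation(slot_t *slot)
{
    tracked_free(slot->data);
    slot->data = NULL; slot->bytes = 0;
}

/* Runs one key generation and returns how many repeated frees were seen. */
int run_generate(size_t bytes, int clear_ptr)
{
    slot_t slot = { NULL, 0 };
    released = NULL; double_frees = 0;
    if (generate_internal(&slot, bytes, clear_ptr) != 0)
        fail_key_creation(&slot);
    free(released != NULL ? released : slot.data);
    return double_frees;
}
```

With `clear_ptr` set to 0 and a 1025-byte request, the second release of the same buffer is counted instead of executed; with `clear_ptr` set to 1 the outer cleanup sees a NULL pointer and does nothing.
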
@ciarmcom

ciarmcom commented Aug 7, 2019

Internal Jira reference: https://jira.arm.com/browse/IOTCRYPT-855

@gilles-peskine-arm

#197 fixes this and is now merged to psa-api-1.0-beta, which is the sole medium-term branch that had this bug.
