
Broadcom elog PTA - firmware loading issue

Low
ruchi393 published GHSA-hhrc-h9xj-hppv Nov 10, 2021

Package

OP-TEE (OP-TEE)

Affected versions

< 3.14.0

Patched versions

> 3.15.0

Description

In https://github.com/OP-TEE/optee_os/blob/master/core/pta/bcm/elog.c, the command PTA_BCM_ELOG_CMD_LOAD_NITRO_FW is handled by the function pta_elog_load_nitro_fw(). The line numbers below refer to the file as it was before the fix.

In this function, at line 76, the value params[2].value.a, which is supplied by the REE, is checked not to be larger than MAX_NITRO_FW_LOAD_MEM_SIZE. However, the value that is checked is never actually used afterwards.

At line 98, the copy uses sz, a length that also comes from the REE. That length is not completely arbitrary, because it is the size of a TEE_PARAM_TYPE_MEMREF_INPUT parameter and therefore has to describe a buffer the REE actually supplied. But the buffer is allocated and sized by the REE, so the length remains under REE control: it is possible, for example, to pass a REE buffer that is larger than MAX_NITRO_FW_LOAD_MEM_SIZE.

There should be a restriction on the maximum number of bytes copied from REE memory to the destination address, which is (probably) in secure memory (i.e. BCM_NITRO_FW_LOAD_ADDR + BNXT_IMG_SECMEM_OFFSET). That is most likely what the check on line 76 was meant to enforce, but the check is clearly performed on the wrong value.

The impact is that a (very) large firmware image can be loaded, potentially overwriting whatever critical data is stored at the (virtual) addresses directly after the firmware's intended destination.
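To make the mismatch between the checked value and the copied length concrete, the following is an added example and not code from optee_os or from the advisory: a simplified model of the handler with the vulnerable and hardened shapes side by side. It assumes a tiny MAX_NITRO_FW_LOAD_MEM_SIZE, a stand-in for the GlobalPlatform TEE_Param union, the memref living at params[1], a small array standing in for secure memory, and a constructed REE buffer filled with 0x41. The hardened handler illustrates the kind of check that is needed; it is not the diff in cd61ab7.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GlobalPlatform return codes (real values). */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006

/* Minimal stand-in for the GlobalPlatform TEE_Param union: the REE fills
 * either the memref or the value member, depending on the parameter type. */
typedef union {
    struct { void *buffer; size_t size; } memref;
    struct { uint32_t a, b; } value;
} TEE_Param;

/* Assumed demo sizes; the real MAX_NITRO_FW_LOAD_MEM_SIZE is much larger. */
#define MAX_NITRO_FW_LOAD_MEM_SIZE 64
#define CRITICAL_LEN               32

/* Model of secure memory: the firmware landing zone followed by a
 * "critical" region, standing in for whatever really follows
 * BCM_NITRO_FW_LOAD_ADDR + BNXT_IMG_SECMEM_OFFSET on the device. */
static uint8_t secmem[MAX_NITRO_FW_LOAD_MEM_SIZE + CRITICAL_LEN];
static const uint8_t CANARY = 0xA5;

static void reset_secmem(void)
{
    memset(secmem, 0, MAX_NITRO_FW_LOAD_MEM_SIZE);
    memset(secmem + MAX_NITRO_FW_LOAD_MEM_SIZE, CANARY, CRITICAL_LEN);
}

static bool critical_intact(void)
{
    for (size_t i = 0; i < CRITICAL_LEN; i++)
        if (secmem[MAX_NITRO_FW_LOAD_MEM_SIZE + i] != CANARY)
            return false;
    return true;
}

/* Vulnerable shape, mirroring the advisory: params[2].value.a is range
 * checked, but the copy length comes from the memref, which the REE sizes
 * independently. The memref index 1 is an assumption of this example. */
static TEE_Result load_fw_vulnerable(TEE_Param params[4])
{
    if (params[2].value.a > MAX_NITRO_FW_LOAD_MEM_SIZE)
        return TEE_ERROR_BAD_PARAMETERS;      /* checks a value never used */

    size_t sz = params[1].memref.size;        /* REE-controlled, unchecked */
    /* Clamp to the model array so this demo itself stays memory-safe;
     * on a device there is no such clamp and the write keeps going. */
    if (sz > sizeof(secmem))
        sz = sizeof(secmem);
    memcpy(secmem, params[1].memref.buffer, sz);
    return TEE_SUCCESS;
}

/* Hardened shape: read the length once into a local and bound that same
 * local before it reaches memcpy. Illustration only, not the upstream fix. */
static TEE_Result load_fw_fixed(TEE_Param params[4])
{
    size_t sz = params[1].memref.size;

    if (!params[1].memref.buffer || sz == 0 || sz > MAX_NITRO_FW_LOAD_MEM_SIZE)
        return TEE_ERROR_BAD_PARAMETERS;
    memcpy(secmem, params[1].memref.buffer, sz);
    return TEE_SUCCESS;
}

/* Drive one handler with a constructed REE-side blob of blob_len bytes
 * while claiming claimed_len in params[2].value.a. Returns whether the
 * critical region survived; the handler's return code goes to *rc. */
static bool run_load(TEE_Result (*handler)(TEE_Param *), size_t blob_len,
                     uint32_t claimed_len, TEE_Result *rc)
{
    static uint8_t blob[sizeof(secmem)];      /* constructed REE buffer */
    TEE_Param params[4];

    memset(blob, 0x41, sizeof(blob));
    memset(params, 0, sizeof(params));
    params[1].memref.buffer = blob;
    params[1].memref.size = blob_len;
    params[2].value.a = claimed_len;

    reset_secmem();
    *rc = handler(params);
    return critical_intact();
}

int main(void)
{
    TEE_Result rc;
    size_t big = MAX_NITRO_FW_LOAD_MEM_SIZE + CRITICAL_LEN;
    bool ok;

    ok = run_load(load_fw_vulnerable, big, 16, &rc);
    printf("vulnerable, oversized blob: rc=0x%08x critical intact=%d\n", (unsigned)rc, ok);
    ok = run_load(load_fw_fixed, big, 16, &rc);
    printf("fixed, oversized blob:      rc=0x%08x critical intact=%d\n", (unsigned)rc, ok);
    return 0;
}
```

With an oversized blob and a small claimed value, the vulnerable handler passes its check, returns TEE_SUCCESS and clobbers the region past the landing zone, while the hardened handler rejects the request with TEE_ERROR_BAD_PARAMETERS and leaves it intact; a blob that fits is accepted by both. The point of the hardened shape is that the length which is checked and the length which is passed to memcpy are the same local variable.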

Patches

optee_os.git
core: pta/bcm/elog: add missing buffer size check (cd61ab7)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2021-0002

Reported by

Niek Timmers (Raelize)

For more information

For more information about the security incident process in OP-TEE, see the "Security" page at https://www.trustedfirmware.org.

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs