Description
Category: Integer Overflow
There is a deserialization library that extracts integer values and returns void * pointers to blobs inside the given buffer, allowing zero-copy handling of a 'payload' or 'blob' (e.g. the function TA_deserialize_blob_akms()).
These deserializing functions are called in sequence by the code that parses input in shared memory when receiving commands from the REE. They use the macro 'IS_OUT_OF_BOUNDS()' to verify that the 'blob' being extracted does not lie out of bounds of the input buffer.
Code of such deserializing functions looks like
...
if (IS_OUT_OF_BOUNDS(in, end, SIZE_LENGTH_AKMS)) {
*res = KM_ERROR_INSUFFICIENT_BUFFER_SPACE;
return in - start;
}
TEE_MemMove(&blob->data_length, in, SIZE_LENGTH_AKMS);
in += SIZE_LENGTH_AKMS;
if (IS_OUT_OF_BOUNDS(in, end, blob->data_length)) {
*res = KM_ERROR_INSUFFICIENT_BUFFER_SPACE;
return in - start;
}
...
and the IS_OUT_OF_BOUNDS() macro is defined as
#define IS_OUT_OF_BOUNDS(ptr, end, required) (end ? (ptr + required > end) : false)
This macro does not account for integer overflow in 'ptr + required'.
'required' is a size that can come from the REE (for the second check above it is the attacker-supplied 'blob->data_length'). If it is large enough, 'ptr + required' wraps around, so the "ptr + required > end" test passes with the wrapped pointer landing anywhere before 'end', and the blob is accepted even though it extends past the buffer.
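The following is an added example, not code from the advisory or the TA: it places the advisory's check beside a hardened form that compares 'required' against the bytes remaining (which cannot wrap), runs a deserializer of the same shape over three constructed REE messages (well-formed, truncated, and one whose length field is (size_t)-16 so that in + length wraps to in - 16), and shows that only the wrapping length slips past the original check. The length prefix is assumed to be a native size_t so the wrap reproduces at the host's pointer width (the real field may be 32-bit, which wraps on a 32-bit TA); SIZE_LENGTH_AKMS, blob_t and the helper names are assumptions, and the original check is computed over uintptr_t so the wraparound is defined behaviour and cannot be folded away by the compiler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: native-width length prefix, Android keymaster error value. */
#define SIZE_LENGTH_AKMS sizeof(size_t)
#define KM_ERROR_OK 0
#define KM_ERROR_INSUFFICIENT_BUFFER_SPACE (-29)

/* The advisory's check as it behaves: ptr + required may wrap. Written over
 * uintptr_t so the wrap is defined and the compiler keeps the comparison. */
#define IS_OUT_OF_BOUNDS_VULN(ptr, end, required) \
    ((end) ? ((uintptr_t)(ptr) + (uintptr_t)(required) > (uintptr_t)(end)) : false)

/* Hardened check: compare 'required' with the bytes left, which cannot wrap.
 * A NULL 'end' still disables the check, mirroring the original macro. */
#define IS_OUT_OF_BOUNDS_SAFE(ptr, end, required) \
    ((end) ? ((ptr) > (end) || (size_t)((end) - (ptr)) < (size_t)(required)) : false)

typedef struct {
    size_t data_length;
    const uint8_t *data;    /* zero-copy pointer into the shared buffer */
} blob_t;

static bool out_of_bounds(const uint8_t *ptr, const uint8_t *end, size_t req, bool hardened)
{
    return hardened ? IS_OUT_OF_BOUNDS_SAFE(ptr, end, req)
                    : IS_OUT_OF_BOUNDS_VULN(ptr, end, req);
}

/* Same shape as the TA's deserializer: [length][length bytes] from in..end.
 * Returns bytes consumed and reports the error through *res. */
static size_t deserialize_blob(const uint8_t *in, const uint8_t *end,
                               blob_t *blob, int *res, bool hardened)
{
    const uint8_t *start = in;
    *res = KM_ERROR_OK;
    blob->data = NULL;
    blob->data_length = 0;

    if (out_of_bounds(in, end, SIZE_LENGTH_AKMS, hardened)) {
        *res = KM_ERROR_INSUFFICIENT_BUFFER_SPACE;
        return (size_t)(in - start);
    }
    memcpy(&blob->data_length, in, SIZE_LENGTH_AKMS);
    in += SIZE_LENGTH_AKMS;

    if (out_of_bounds(in, end, blob->data_length, hardened)) {
        *res = KM_ERROR_INSUFFICIENT_BUFFER_SPACE;
        return (size_t)(in - start);
    }
    blob->data = in;
    /* integer add rather than pointer add so a wrapped length is not UB here */
    return (size_t)(in - start) + blob->data_length;
}

/* Constructed REE message: [length][payload]; returns its total size. */
static size_t build_message(uint8_t *buf, size_t length,
                            const uint8_t *payload, size_t payload_len)
{
    memcpy(buf, &length, sizeof length);
    if (payload_len)
        memcpy(buf + sizeof length, payload, payload_len);
    return sizeof length + payload_len;
}

static int parse(const uint8_t *msg, size_t msg_len, bool hardened, blob_t *out)
{
    int res;
    deserialize_blob(msg, msg + msg_len, out, &res, hardened);
    return res;
}

/* Well-formed message: 4-byte payload, matching length. Both checks accept. */
static int honest_case(bool hardened)
{
    uint8_t buf[32];
    const uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };
    blob_t b;
    return parse(buf, build_message(buf, 4, payload, 4), hardened, &b);
}

/* Truncated message: claims 100 bytes, carries 4. Both checks reject. */
static int truncated_case(bool hardened)
{
    uint8_t buf[32];
    const uint8_t payload[4] = { 1, 2, 3, 4 };
    blob_t b;
    return parse(buf, build_message(buf, 100, payload, 4), hardened, &b);
}

/* Wrapping length: (size_t)-16 makes in + length == in - 16, which is below
 * 'end', so the original check passes with no payload present at all. */
static int wrapped_case(bool hardened)
{
    uint8_t buf[32];
    blob_t b;
    return parse(buf, build_message(buf, (size_t)-16, NULL, 0), hardened, &b);
}

int main(void)
{
    printf("honest:    vuln=%d safe=%d\n", honest_case(false), honest_case(true));
    printf("truncated: vuln=%d safe=%d\n", truncated_case(false), truncated_case(true));
    printf("wrapped:   vuln=%d safe=%d\n", wrapped_case(false), wrapped_case(true));
    return 0;
}
```

The hardened macro keeps the original's 'end == NULL disables the check' behaviour so it is a drop-in replacement; a reviewer of the real fix would also want to confirm that every caller passes a non-NULL 'end' for REE-supplied input, since the NULL case skips both checks.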
Reported by
Netflix (Bastien Simondi)
Patches
km: ta: include overflow in out of bounds check
Workarounds
NA
References
NA
For more information
If you have any questions or comments about this advisory: