
Missing sanity check for NULL before dereference/access

Moderate
vchong published GHSA-w4g9-jr26-3698 Apr 29, 2021

Package

No package listed

Affected versions

3.12.0 and prior

Patched versions

None

Description

Category: Sanity Checks

Issue 1
In file keystore_ta.c, in functions like TA_configure(), in and out should be checked for != NULL before they are dereferenced or accessed (for example, as the source or destination of a memory operation).

Note: the same issue applies everywhere parameters from the REE are accessed without sanity checks, e.g. TA_generateKey() ...

Issue 2
In file keystore_ta.c, in functions like TA_generateKey(), proposed change at the exit label: sanitize out before processing.

Example 'patched' code:

    exit:
        if (NULL != out) {  // <-- ADD this check
            out += TA_serialize_rsp_err(out, &res);
            if (res == KM_ERROR_OK) {
                out += TA_serialize_key_blob_akms(out, &key_blob);
                out += TA_serialize_characteristics_akms(out, &characts);
            }
            params[1].memref.size = out - (uint8_t *)params[1].memref.buffer;
        }
        if (key_material)
            TEE_Free(key_material);
        TA_free_params(&characts.sw_enforced);
        TA_free_params(&characts.hw_enforced);
        TA_free_params(&params_t);

        return res;

Note: the same comments apply to all command handlers. out should be sanitized in every error/exit handler.

Reported by

Netflix (Bastien Simondi)

Patches

km: add missing sanity check

Note: The above patch fixes issue 1 and obsoletes issue 2: because in and out are checked for != NULL on function entry, before they are dereferenced or accessed, and an error is returned if either is NULL, there is no need to check out again at the exit label.
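The entry check described in the note above, as an added example (not the project's code or the actual patch). The handler, the param_t stand-in type and the ERR_* codes are hypothetical, and the buffer-size check goes one step beyond the NULL check the advisory covers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the TEE parameter type so the example builds off-target. */
struct memref { void *buffer; size_t size; };
typedef union { struct memref memref; } param_t;

/* KM_ERROR_OK is the name used on the page; ERR_* are hypothetical. */
enum { KM_ERROR_OK = 0, ERR_NULL_PARAM = -1, ERR_SHORT_BUFFER = -2 };

/* Hypothetical handler: params[0] is the request written by the REE,
 * params[1] receives the status followed by an echo of the request word. */
int handle_cmd(param_t params[2])
{
    uint8_t *in = params[0].memref.buffer;
    uint8_t *out = params[1].memref.buffer;
    int32_t res = KM_ERROR_OK;
    uint32_t req;

    /* Entry check: reject NULL before any dereference or pointer math. */
    if (in == NULL || out == NULL)
        return ERR_NULL_PARAM;
    /* A non-NULL buffer can still be too short for the access. */
    if (params[0].memref.size < sizeof(req) ||
        params[1].memref.size < sizeof(res) + sizeof(req))
        return ERR_SHORT_BUFFER;

    memcpy(&req, in, sizeof(req));

    /* Exit path: out is known to be non-NULL here, so it is not re-checked. */
    memcpy(out, &res, sizeof(res));
    out += sizeof(res);
    memcpy(out, &req, sizeof(req));
    out += sizeof(req);
    params[1].memref.size = (size_t)(out - (uint8_t *)params[1].memref.buffer);
    return res;
}

int main(void)
{
    uint8_t req[4] = { 1, 2, 3, 4 };
    param_t p[2] = { { { req, sizeof(req) } }, { { NULL, 0 } } };

    /* NULL output buffer must be refused, not written to. */
    return handle_cmd(p) == ERR_NULL_PARAM ? 0 : 1;
}
```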

Workarounds

NA

References

NA

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs