ROUNDUP operations performed while adding the stack segment could overflow. Inside load_elf_from_store(), the ta_head structure is retrieved from an unauthenticated area and contains the stack size. The stack size could either already be 0, or could be large enough that it becomes 0 when rounded up to STACK_ALIGNMENT.
Memory is then allocated using alloc_ta_mem(), which can allocate a memory block of 0 bytes. The code then calls vm_map() to actually add the stack segment, passing stack_size (which can be 0, or very large if CFG_PAGED_USER_TA is used) as an argument. The vm_map() logic rounds the size up again, this time to SMALL_PAGE_SIZE (which is larger than STACK_ALIGNMENT). Here again, the size could either already be 0, or end up being 0.
In either case, vm_map() returns a virtual address to the caller for this 0-byte memory block. There is now a disconnect between ta_head->stack_size, mobj_stack->size and reg->size = 0, all three of which could hold different values. The consequences of this disconnect between the various values, or of having a 0-byte stack, have not been analyzed.
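The following is an added illustration and is not OP-TEE code: it shows how the usual ROUNDUP idiom wraps a near-SIZE_MAX value to 0, and how a loader-side check can reject a stack size that is zero before or after rounding. The ROUNDUP macro, the STACK_ALIGNMENT and SMALL_PAGE_SIZE values, and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed definitions for illustration only; not taken from OP-TEE headers. */
#define ROUNDUP(v, size) (((v) + ((size) - 1)) & ~((size) - 1))
#define STACK_ALIGNMENT 8
#define SMALL_PAGE_SIZE 4096

/* Round exactly as an unchecked loader would: no overflow protection.
 * For values within (align - 1) of SIZE_MAX the addition wraps and the
 * mask then yields 0, which is the condition the advisory describes. */
size_t unchecked_round(size_t stack_size, size_t align)
{
    return ROUNDUP(stack_size, align);
}

/* Defensive check (hypothetical): return the size rounded first to
 * STACK_ALIGNMENT and then to SMALL_PAGE_SIZE, or 0 if the requested
 * size is zero or any rounding step would wrap around. A caller that
 * treats 0 as "reject the TA" cannot end up mapping a 0-byte stack. */
size_t checked_stack_size(size_t stack_size)
{
    size_t r;

    if (stack_size == 0)
        return 0;

    /* v + (SMALL_PAGE_SIZE - 1) overflows iff v > SIZE_MAX - (SMALL_PAGE_SIZE - 1).
     * Since SMALL_PAGE_SIZE > STACK_ALIGNMENT, this bound also rules out
     * overflow in the smaller alignment step. */
    if (stack_size > SIZE_MAX - (SMALL_PAGE_SIZE - 1))
        return 0;

    r = ROUNDUP(stack_size, STACK_ALIGNMENT);
    r = ROUNDUP(r, SMALL_PAGE_SIZE);

    /* Belt and braces: rounding up must never shrink the value or reach 0. */
    if (r == 0 || r < stack_size)
        return 0;

    return r;
}

int main(void)
{
    /* Constructed sample inputs. */
    size_t samples[] = { 0, 8192, 8193, SIZE_MAX - 3, SIZE_MAX - 100 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("stack_size=%zu  unchecked(align)=%zu  unchecked(page)=%zu  checked=%zu\n",
               samples[i],
               unchecked_round(samples[i], STACK_ALIGNMENT),
               unchecked_round(samples[i], SMALL_PAGE_SIZE),
               checked_stack_size(samples[i]));
    }
    return 0;
}
```

The check is placed before any allocation or mapping so that all three sizes the advisory mentions (the value read from ta_head, the allocated object size and the mapped region size) derive from one validated number rather than from independently rounded copies of an untrusted one.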
Patches
optee_os.git
- core: load_elf_from_store(): check stack size (b17e2e4)
Workarounds
N/A
References
N/A
OP-TEE ID
OP-TEE-2019-0011
Reported by
Netflix (Bastien Simondi)
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.