Summary: There is an Integer Overflow to Out-of-bounds Write vulnerability in logEncrypt(). Details: logEncryptor.c ...
int32_t logEncrypt(uint8_t *cipherText, uint32_t cipherTextLen)
{
    int32_t ret = NOT_ERROR, len = 0;
    uint8_t *pCipherText = cipherText, *plainText = NULL, *pPlainText = NULL;
    uint32_t *pCipherTextLen = NULL, plainTextLen = 0;
    char buf[QUEUE_MAX_SIZE];
    AesKeyData keyData;
    KEY *key = NULL;
    plainTextLen = getQueueSize() + 1; // Include NULL.
    if((plainText = secMemoryManagerMalloc(plainTextLen)) == NULL)
        return ERR_TA_NOT_ENOUGH_MEMORY;
    pPlainText = plainText;
    while(!isQueueEmpty() || pPlainText - plainText < plainTextLen - 1) // --> If the first condition is true, the second will not be checked
    {
        memset(buf, 0, sizeof(buf));
        ret = dequeueData(buf, sizeof(buf));
        if((len = snprintf((char *)pPlainText, plainTextLen - (pPlainText - plainText), "%s", buf)) < 0 || ret != len) // --> If (pPlainText - plainText) is bigger than plainTextLen, an Integer Overflow will occur. As a result, the second argument of the snprintf() becomes significant, leading to an out-of-bounds write.
        {
            TEE_LOG("Failed to print buffer with error %d.", len);
            ret = ERR_TA_BUFFER_OVERFLOW;
            goto cleanup;
        }
        pPlainText += ret;
    }
...
In the line "while(!isQueueEmpty() || pPlainText - plainText < plainTextLen - 1)", the two conditions are joined by a logical OR. If the first condition (the queue is not empty) evaluates to true, the second condition (remaining space in plainText) is never evaluated, so the loop keeps dequeuing even after pPlainText has reached the end of the plainText buffer. Inside the loop, the if condition calls "snprintf((char *)pPlainText, plainTextLen - (pPlainText - plainText), "%s", buf)", which derives the remaining size from the offset of 'pPlainText' relative to 'plainText'. Because the remaining-space condition was not checked, that offset can exceed plainTextLen; since plainTextLen is an unsigned uint32_t, 'plainTextLen - (pPlainText - plainText)' does not become negative but wraps around to a very large value (the trace below shows 4294967257). snprintf() then treats that wrapped value as the available buffer size while pPlainText already points past the end of the allocation, so the copy of buf lands out of bounds, leading to an out-of-bounds write.
logEncryptor.c ,73:plainTextLen(494) logEncryptor.c ,78:plainText(128) logEncryptor.c ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(128) -> (0)) -> (494) logEncryptor.c ,95:pPlainText(172) = pPlainText(128) + ret(44) logEncryptor.c ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(172) -> (44)) -> (450) logEncryptor.c ,95:pPlainText(216) = pPlainText(172) + ret(44) logEncryptor.c ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(216) -> (88)) -> (406) logEncryptor.c ,95:pPlainText(260) = pPlainText(216) + ret(44) logEncryptor.c ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(260) -> (132)) -> (362) logEncryptor.c ,95:pPlainText(304) = pPlainText(260) + ret(44) logEncryptor.c ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(304) -> (176)) -> (318) logEncryptor.c ,95:pPlainText(348) = pPlainText(304) + ret(44) logEncryptor.c ,87:sizeof(buf)(73), plainTextLen(494) - (plainText(128) - pPlainText(348) -> (220)) -> (274) logEncryptor.c ,95:pPlainText(421) = pPlainText(348) + ret(73) logEncryptor.c ,87:sizeof(buf)(51), plainTextLen(494) - (plainText(128) - pPlainText(421) -> (293)) -> (201) logEncryptor.c ,95:pPlainText(472) = pPlainText(421) + ret(51) logEncryptor.c ,87:sizeof(buf)(69), plainTextLen(494) - (plainText(128) - pPlainText(472) -> (344)) -> (150) logEncryptor.c ,95:pPlainText(541) = pPlainText(472) + ret(69) logEncryptor.c ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(541) -> (413)) -> (81) logEncryptor.c ,95:pPlainText(585) = pPlainText(541) + ret(44) logEncryptor.c ,87:sizeof(buf)(36), plainTextLen(494) - (plainText(128) - pPlainText(585) -> (457)) -> (37) logEncryptor.c ,95:pPlainText(621) = pPlainText(585) + ret(36) logEncryptor.c ,87:sizeof(buf)(40), plainTextLen(494) - (plainText(128) - pPlainText(621) -> (493)) -> (1) logEncryptor.c ,95:pPlainText(661) = pPlainText(621) + ret(40) logEncryptor.c ,87:sizeof(buf)(37), 
plainTextLen(494) - (plainText(128) - pPlainText(661) -> (533)) -> (4294967257) Remediation: Check the remaining space in plainText (pPlainText - plainText < plainTextLen - 1) on every iteration, independently of whether the queue is empty, before performing any pointer arithmetic or calling snprintf(), and stop the loop once the buffer is full. Pass that exact remaining space as the size argument of snprintf(), and treat a return value greater than or equal to the remaining space as truncation rather than success.