Untitled

Summary
There is an Integer Overflow to Out-of-bounds Write vulnerability in logEncrypt().

Details

logEncryptor.c
...
int32_t logEncrypt(uint8_t *cipherText, uint32_t cipherTextLen)
{
    int32_t ret = NOT_ERROR, len = 0;
    uint8_t *pCipherText = cipherText, *plainText = NULL, *pPlainText = NULL;
    uint32_t *pCipherTextLen = NULL, plainTextLen = 0;
    char buf[QUEUE_MAX_SIZE];
    AesKeyData keyData;
    KEY *key = NULL;

    plainTextLen = getQueueSize() + 1;  // Include NULL.
    
    if((plainText = secMemoryManagerMalloc(plainTextLen)) == NULL)
        return ERR_TA_NOT_ENOUGH_MEMORY;

    pPlainText = plainText;

    while(!isQueueEmpty() || pPlainText - plainText < plainTextLen - 1) // --> If the first condition is true, the second will not be checked
    {
        memset(buf, 0, sizeof(buf));
        ret = dequeueData(buf, sizeof(buf));
        if((len = snprintf((char *)pPlainText, plainTextLen - (pPlainText - plainText), "%s", buf)) < 0 || ret != len)     // --> If (pPlainText - plainText) exceeds plainTextLen, the unsigned subtraction wraps (integer overflow). The size argument of snprintf() then becomes huge, leading to an out-of-bounds write.
        {
            TEE_LOG("Failed to print buffer with error %d.", len);
            ret = ERR_TA_BUFFER_OVERFLOW;
            goto cleanup;
        }
        pPlainText += ret;
    }
...
In the line "while(!isQueueEmpty() || pPlainText - plainText < plainTextLen - 1)", the two conditions are joined by a logical OR. If the first condition (the queue is not empty) evaluates to true, the second condition (the bounds check on pPlainText) is never evaluated.

However, the if condition calls "snprintf((char *)pPlainText, plainTextLen - (pPlainText - plainText), "%s", buf)", whose size argument is the remaining space computed from the offset of 'pPlainText' from 'plainText'. Because the bounds condition was skipped, this offset can exceed plainTextLen, and the unsigned subtraction 'plainTextLen - (pPlainText - plainText)' wraps around: a value that would be negative becomes a very large number.

As a result, the size argument of snprintf() becomes huge while pPlainText already points past the end of the allocated buffer, and the copy writes out of bounds.

The trace below (line numbers refer to logEncryptor.c) shows the loop reaching this state: plainTextLen is 494, pPlainText advances to offset 533 past plainText, and the computed size wraps to 4294967257.

logEncryptor.c    ,73:plainTextLen(494) 
logEncryptor.c    ,78:plainText(128)
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(128) -> (0)) -> (494)
logEncryptor.c    ,95:pPlainText(172) = pPlainText(128) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(172) -> (44)) -> (450)
logEncryptor.c    ,95:pPlainText(216) = pPlainText(172) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(216) -> (88)) -> (406)
logEncryptor.c    ,95:pPlainText(260) = pPlainText(216) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(260) -> (132)) -> (362)
logEncryptor.c    ,95:pPlainText(304) = pPlainText(260) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(304) -> (176)) -> (318)
logEncryptor.c    ,95:pPlainText(348) = pPlainText(304) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(73), plainTextLen(494) - (plainText(128) - pPlainText(348) -> (220)) -> (274)
logEncryptor.c    ,95:pPlainText(421) = pPlainText(348) + ret(73) 
logEncryptor.c    ,87:sizeof(buf)(51), plainTextLen(494) - (plainText(128) - pPlainText(421) -> (293)) -> (201)
logEncryptor.c    ,95:pPlainText(472) = pPlainText(421) + ret(51) 
logEncryptor.c    ,87:sizeof(buf)(69), plainTextLen(494) - (plainText(128) - pPlainText(472) -> (344)) -> (150)
logEncryptor.c    ,95:pPlainText(541) = pPlainText(472) + ret(69) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(541) -> (413)) -> (81)
logEncryptor.c    ,95:pPlainText(585) = pPlainText(541) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(36), plainTextLen(494) - (plainText(128) - pPlainText(585) -> (457)) -> (37)
logEncryptor.c    ,95:pPlainText(621) = pPlainText(585) + ret(36) 
logEncryptor.c    ,87:sizeof(buf)(40), plainTextLen(494) - (plainText(128) - pPlainText(621) -> (493)) -> (1)
logEncryptor.c    ,95:pPlainText(661) = pPlainText(621) + ret(40) 
logEncryptor.c    ,87:sizeof(buf)(37), plainTextLen(494) - (plainText(128) - pPlainText(661) -> (533)) -> (4294967257)
Remediation
Ensure that both conditions are checked on every iteration before any arithmetic is performed on the pointers.
Use snprintf() with a size argument that is precisely the maximum number of bytes that may be written.
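Added example, not the report's or the TA's code: first_wrapped_room() replays only the arithmetic of the vulnerable loop with the record lengths from the trace above (nothing is written), showing the size wrapping to 4294967257 once the offset passes 494; flatten_records_safe() is a hardened loop applying both remediation points. The record strings, buffer and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: the per-record lengths (ret) from the trace above,
 * to be run against the 494-byte plainTextLen the trace shows. */
static const uint32_t TRACE_LEN[] = {44, 44, 44, 44, 44, 73, 51, 69, 44, 36, 40, 37};
#define TRACE_N (sizeof(TRACE_LEN) / sizeof(TRACE_LEN[0]))

/* Models only the arithmetic of the vulnerable loop; nothing is written.
 * With "||" the loop runs while records remain, so 'used' can pass 'total'
 * and the room handed to snprintf() wraps. Returns the first wrapped room
 * value (what snprintf would receive as its size), or 0 if none wraps. */
uint32_t first_wrapped_room(const uint32_t *recLen, size_t n, uint32_t total)
{
    uint32_t used = 0;                 /* pPlainText - plainText */
    for (size_t i = 0; i < n; i++) {   /* "!isQueueEmpty()" alone keeps it going */
        uint32_t room = total - used;  /* plainTextLen - (pPlainText - plainText) */
        if (room > total)              /* unsigned wrap: used already exceeds total */
            return room;
        used += recLen[i];             /* pPlainText += ret, even after truncation */
    }
    return 0;
}

/* Hardened flatten loop over string records: both conditions are required
 * (&&, not ||), snprintf() truncation (return >= room) is an error instead
 * of silently advancing, and leftover records mean the buffer was too small. */
int flatten_records_safe(char *out, uint32_t outLen, const char *const *rec, size_t n)
{
    uint32_t used = 0;
    size_t i = 0;
    if (outLen == 0)
        return -1;
    while (i < n && used < outLen - 1) {        /* room for at least one byte + NUL */
        uint32_t room = outLen - used;          /* cannot wrap: used < outLen here */
        int w = snprintf(out + used, room, "%s", rec[i]);
        if (w < 0 || (uint32_t)w >= room)       /* truncated or error: stop, don't advance */
            return -1;
        used += (uint32_t)w;
        i++;
    }
    return (i == n) ? (int)used : -1;           /* records left over: buffer too small */
}
/* Constructed records and a scratch buffer to exercise the hardened loop. */
static const char *const RECS[] = {"boot ok", "key loaded", "session open"};
static char g_out[64];
int flatten_demo(uint32_t outLen)   /* outLen is capped to the scratch size */
{
    return flatten_records_safe(g_out, outLen > sizeof g_out ? (uint32_t)sizeof g_out : outLen, RECS, 3);
}
```

flatten_demo(30) returns 29 (the three records fit with their terminator), while flatten_demo(29) returns -1 because the last record would be truncated.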