Untitled

Summary
There is an Integer Overflow to Out-of-bounds Write vulnerability in logEncrypt().

Details

logEncryptor.c
...
int32_t logEncrypt(uint8_t *cipherText, uint32_t cipherTextLen)
{
    int32_t ret = NOT_ERROR, len = 0;
    uint8_t *pCipherText = cipherText, *plainText = NULL, *pPlainText = NULL;
    uint32_t *pCipherTextLen = NULL, plainTextLen = 0;
    char buf[QUEUE_MAX_SIZE];
    AesKeyData keyData;
    KEY *key = NULL;

    plainTextLen = getQueueSize() + 1;  // Include NULL.
    
    if((plainText = secMemoryManagerMalloc(plainTextLen)) == NULL)
        return ERR_TA_NOT_ENOUGH_MEMORY;

    pPlainText = plainText;

    while(!isQueueEmpty() || pPlainText - plainText < plainTextLen - 1) // --> If the first condition is true, the second will not be checked
    {
        memset(buf, 0, sizeof(buf));
        ret = dequeueData(buf, sizeof(buf));
        if((len = snprintf((char *)pPlainText, plainTextLen - (pPlainText - plainText), "%s", buf)) < 0 || ret != len)     // --> If (pPlainText - plainText) is bigger than plainTextLen, the unsigned subtraction wraps; the size argument of snprintf() becomes a huge value, leading to an out-of-bounds write.
        {
            TEE_LOG("Failed to print buffer with error %d.", len);
            ret = ERR_TA_BUFFER_OVERFLOW;
            goto cleanup;
        }
        pPlainText += ret;
    }
...
In the line "while(!isQueueEmpty() || pPlainText - plainText < plainTextLen - 1)", there is a logical OR between two conditions. If the first condition evaluates to true, the second condition is never checked, so as long as the queue is not empty the loop keeps running regardless of how far pPlainText has advanced past plainText.

However, the if condition calls "snprintf((char *)pPlainText, plainTextLen - (pPlainText - plainText), "%s", buf)", whose size argument is computed from the offset of 'pPlainText' from 'plainText'. Because the second loop condition was never checked, that offset can exceed plainTextLen, in which case 'plainTextLen - (pPlainText - plainText)' goes negative and, as an unsigned value, wraps to a very large number.

As a result, snprintf() is called with a huge size limit while pPlainText already points past the end of the allocation, leading to an out-of-bounds write.

logEncryptor.c    ,73:plainTextLen(494) 
logEncryptor.c    ,78:plainText(128)
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(128) -> (0)) -> (494)
logEncryptor.c    ,95:pPlainText(172) = pPlainText(128) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(172) -> (44)) -> (450)
logEncryptor.c    ,95:pPlainText(216) = pPlainText(172) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(216) -> (88)) -> (406)
logEncryptor.c    ,95:pPlainText(260) = pPlainText(216) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(260) -> (132)) -> (362)
logEncryptor.c    ,95:pPlainText(304) = pPlainText(260) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(304) -> (176)) -> (318)
logEncryptor.c    ,95:pPlainText(348) = pPlainText(304) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(73), plainTextLen(494) - (plainText(128) - pPlainText(348) -> (220)) -> (274)
logEncryptor.c    ,95:pPlainText(421) = pPlainText(348) + ret(73) 
logEncryptor.c    ,87:sizeof(buf)(51), plainTextLen(494) - (plainText(128) - pPlainText(421) -> (293)) -> (201)
logEncryptor.c    ,95:pPlainText(472) = pPlainText(421) + ret(51) 
logEncryptor.c    ,87:sizeof(buf)(69), plainTextLen(494) - (plainText(128) - pPlainText(472) -> (344)) -> (150)
logEncryptor.c    ,95:pPlainText(541) = pPlainText(472) + ret(69) 
logEncryptor.c    ,87:sizeof(buf)(44), plainTextLen(494) - (plainText(128) - pPlainText(541) -> (413)) -> (81)
logEncryptor.c    ,95:pPlainText(585) = pPlainText(541) + ret(44) 
logEncryptor.c    ,87:sizeof(buf)(36), plainTextLen(494) - (plainText(128) - pPlainText(585) -> (457)) -> (37)
logEncryptor.c    ,95:pPlainText(621) = pPlainText(585) + ret(36) 
logEncryptor.c    ,87:sizeof(buf)(40), plainTextLen(494) - (plainText(128) - pPlainText(621) -> (493)) -> (1)
logEncryptor.c    ,95:pPlainText(661) = pPlainText(621) + ret(40) 
logEncryptor.c    ,87:sizeof(buf)(37), plainTextLen(494) - (plainText(128) - pPlainText(661) -> (533)) -> (4294967257)
Remediation
Check both conditions (queue state and remaining space) on every iteration, before doing any pointer arithmetic, so the loop stops when the buffer is full even if the queue is not empty.
Call snprintf() with a size argument that is derived from the remaining space in the buffer and verified not to have wrapped before the call.
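To make the failure concrete and show the remediation as code, here is an added example (not the TA's code): unchecked_remaining() evaluates the original size expression with the same unsigned arithmetic, reproducing the wrap in the last trace line, and drain_queue() is a hardened version of the loop that checks the remaining space on every iteration and advances only by bytes actually written. The queue is replaced by a constructed array of chunks, and all function and variable names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The size expression from logEncrypt(), evaluated with the same unsigned
   arithmetic: once the offset `used` exceeds `total`, the subtraction wraps
   (494 - 533 gives 4294967257, the last line of the trace). */
uint32_t unchecked_remaining(uint32_t total, ptrdiff_t used)
{
    return total - (uint32_t)used;   /* plainTextLen - (pPlainText - plainText) */
}

/* Hardened drain loop; `chunks` is a constructed stand-in for dequeueData().
   Returns bytes stored, or -1 when the queue did not fit (fail closed). */
long drain_queue(char *out, uint32_t outLen, const char *const *chunks, size_t n)
{
    size_t used = 0;
    if (outLen == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        /* Check remaining space on every iteration, before any pointer math. */
        if (used >= outLen - 1) return -1;        /* buffer full, data remains */
        size_t room = outLen - used;              /* cannot wrap: used < outLen */
        int len = snprintf(out + used, room, "%s", chunks[i]);
        if (len < 0) return -1;
        if ((size_t)len >= room) return -1;       /* chunk would be truncated */
        used += (size_t)len;                      /* advance only by bytes written */
    }
    return (long)used;
}

/* Self-check on constructed input: 1 when the hardened loop keeps the data
   inside the buffer and rejects the overfull case without touching canaries. */
int demo(void)
{
    static const char *const chunks[] = { "abcd", "efg" };
    char big[10], small[8] = "ZZZZZZZ";           /* small[6], small[7] = canaries */
    long n = drain_queue(big, sizeof big, chunks, 2);
    long m = drain_queue(small, 6, chunks, 2);    /* offer only 6 of the 8 bytes */
    return n == 7 && strcmp(big, "abcdefg") == 0 && m == -1
        && small[6] == 'Z' && small[7] == '\0';
}

int main(void)
{
    printf("494 - 533 as uint32_t = %u, hardened loop ok = %d\n",
           (unsigned)unchecked_remaining(494, 533), demo());
    return 0;
}
```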