Summary
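There is a NULL pointer dereference vulnerability in generateServiceKeyV1(). The function checks keyInfo itself against NULL, but the memcpy() marked below reads from keyInfo->serviceName without any check of that member. The definition of struct KeyInfo is not shown here; if serviceName is a pointer member, a NULL value in it would be dereferenced by that copy.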

Details

cryptoPlatform.c
...
int32_t generateServiceKeyV1(struct KeyInfo *keyInfo, const uint8_t *drkBlob, const uint32_t drkBlobLen,
        uint8_t *serviceBlob, uint32_t *serviceBlobLen, const uint8_t *attrs, const uint32_t attrsLen, KeyType_t keyType)
{
    int32_t ret = NOT_ERROR;
    ServiceKeyInfo_t serviceKeyInfo;
    uint8_t plainBlob[MAX_SKM_BUF_SIZE], targetTid[MAX_TID_SIZE];
    uint32_t plainBlobLen = sizeof(plainBlob), targetTidLen = sizeof(targetTid);
#if (defined USE_QSEE_SFS)
    const char dirPath[] = COMMON_DIR"/prov_data/";
#endif  // End of USE_QSEE_SFS

    LOGI("%s start...", __func__);

    if(keyInfo == NULL)
    {
        LOGE("%s : Invalid argument.", __func__);
        return ERR_TA_INVALID_ARGUMENT;
    }
    memset(plainBlob, 0, sizeof(plainBlob));
    memset(&serviceKeyInfo, 0, sizeof(serviceKeyInfo));
//Null pointer dereference
    memcpy(serviceKeyInfo.serviceName, keyInfo->serviceName, MAX_SERVICE_NAME);
    serviceKeyInfo.serviceName[MAX_SERVICE_NAME]='\0';    
    memcpy(serviceKeyInfo.model, keyInfo->model, sizeof(serviceKeyInfo.model));
    memcpy(serviceKeyInfo.serialNo, keyInfo->serialno, sizeof(serviceKeyInfo.serialNo));
    serviceKeyInfo.keyLength = keyInfo->keyLen;
    serviceKeyInfo.keyType = keyType;