Untitled

There is a Use-after-free vulnerability in aes256CbcEncrypt().

Details

DeviceRootKey/MAIN/provTee/src/prov/bf/bfCryptoApi_v5.c
...
int32_t aes256CbcEncrypt(const uint8_t *inData, uint32_t inDataLen, uint8_t *iv,
    uint8_t *outData, uint32_t *outDataLen, const uint8_t *key, const uint32_t keyLen, AesEncryptMode_t mode)
{
    int32_t ret = NOT_ERROR;
    size_t  lcInDataLen = 0, lcOutDataLen = 0;
    TEE_ObjectHandle teeObjHandle;
    TEE_Attribute teeAttrs;
    TEE_OperationHandle teeOpHandle;
    TEE_OperationMode cipherMode;
...
    if((ret = TEE_SetOperationKey(teeOpHandle, teeObjHandle)) != TEE_SUCCESS)     //<-- If TEE_SetOperationKey() returns TEE_ERROR_CORRUPT_OBJECT, the TEE has already closed teeObjHandle
    {
        LOGE("Failed to set op key with error 0x%X.", ret);
        ret = ERR_TA_BF_BASE - (ret & 0xFFFF);
        goto cleanup;
    }

    TEE_CipherInit(teeOpHandle, iv, IV_SIZE);

    if((ret = TEE_CipherDoFinal(teeOpHandle, inData, lcInDataLen, outData, &lcOutDataLen)) != TEE_SUCCESS)
    {
        *outDataLen = 0;
        LOGE("Failed to do final operation with error 0x%X.", ret);
        ret = ERR_TA_BF_BASE - (ret & 0xFFFF);
    }
    *outDataLen = lcOutDataLen;
cleanup :
    TEE_FreeTransientObject(teeObjHandle); //<-- Use-after-free happens here: the handle may already have been closed above
    TEE_FreeOperation(teeOpHandle);

    return ret;
}
...
According to the TEE Internal Core API Specification v1.1.2, TEE_SetOperationKey() can return the error code TEE_ERROR_CORRUPT_OBJECT.

TEE_ERROR_CORRUPT_OBJECT: If the persistent object is corrupt. The object handle is closed.

However, even when TEE_SetOperationKey() fails with this error, and the TEE has therefore already closed the object handle, the cleanup path still passes teeObjHandle to TEE_FreeTransientObject(), which frees the objectInfo again.
Because of this, a use-after-free can happen.

Remediation
Call TEE_FreeTransientObject() on the cleanup path only when the result of TEE_SetOperationKey() is not TEE_ERROR_CORRUPT_OBJECT, since in that case the handle has already been closed by the TEE.
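The failure path and the remediation, as an added example that is not part of the original report: a constructed mock of the few TEE API calls involved (the mock_* names and the MockObject bookkeeping are assumptions, not the real TEE implementation) records whether the cleanup path frees a handle the TEE has already closed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed mock of the GP TEE API pieces involved; not a real TEE. */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_CORRUPT_OBJECT 0xF0100001u   /* value as defined in the GP spec */

typedef struct { bool closed; bool double_free; } MockObject;
typedef MockObject *TEE_ObjectHandle;
static MockObject g_obj;   /* the single simulated transient object */

static TEE_ObjectHandle mock_AllocateTransientObject(void)
{
    g_obj.closed = false;   /* handle is open and owned by the TA */
    g_obj.double_free = false;
    return &g_obj;
}

/* Behaviour modelled from the spec text quoted above: on
 * TEE_ERROR_CORRUPT_OBJECT the TEE closes the object handle itself. */
static TEE_Result mock_SetOperationKey(TEE_ObjectHandle obj, bool corrupt)
{
    if (corrupt) {
        obj->closed = true;
        return TEE_ERROR_CORRUPT_OBJECT;
    }
    return TEE_SUCCESS;
}

static void mock_FreeTransientObject(TEE_ObjectHandle obj)
{
    if (obj->closed)
        obj->double_free = true;   /* a real TEE would free an already-freed object here */
    obj->closed = true;
}

/* Mirrors the cleanup path of aes256CbcEncrypt(): remediated=false frees the
 * handle unconditionally (as in the report); remediated=true skips the free when
 * TEE_SetOperationKey() returned CORRUPT_OBJECT. Returns 1 on a free of a closed handle. */
static int run_cleanup(bool corrupt, bool remediated)
{
    TEE_ObjectHandle obj = mock_AllocateTransientObject();
    TEE_Result ret = mock_SetOperationKey(obj, corrupt);
    /* on failure the TA jumps straight to cleanup; cipher steps are omitted */
    if (!remediated || ret != TEE_ERROR_CORRUPT_OBJECT)
        mock_FreeTransientObject(obj);
    return obj->double_free ? 1 : 0;
}
```

With a corrupt object, run_cleanup(true, false) reports the double free the report describes, while run_cleanup(true, true) does not; with a healthy object both variants free the handle exactly once.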