Summary
There is a null pointer dereference vulnerability in generateServiceKeyV1().

Details

cryptoPlatform.c
...
int32_t generateServiceKeyV1(struct KeyInfo *keyInfo, const uint8_t *drkBlob, const uint32_t drkBlobLen,
        uint8_t *serviceBlob, uint32_t *serviceBlobLen, const uint8_t *attrs, const uint32_t attrsLen, KeyType_t keyType)
{
    int32_t ret = NOT_ERROR;
    ServiceKeyInfo_t serviceKeyInfo;
    uint8_t plainBlob[MAX_SKM_BUF_SIZE], targetTid[MAX_TID_SIZE];
    uint32_t plainBlobLen = sizeof(plainBlob), targetTidLen = sizeof(targetTid);
#if (defined USE_QSEE_SFS)
    const char dirPath[] = COMMON_DIR"/prov_data/";
#endif  // End of USE_QSEE_SFS

    LOGI("%s start...", __func__);

    if(keyInfo == NULL)
    {
        LOGE("%s : Invalid argument.", __func__);
        return ERR_TA_INVALID_ARGUMENT;
    }
    memset(plainBlob, 0, sizeof(plainBlob));
    memset(&serviceKeyInfo, 0, sizeof(serviceKeyInfo));
//Null pointer dereference
    memcpy(serviceKeyInfo.serviceName, keyInfo->serviceName, MAX_SERVICE_NAME);
    serviceKeyInfo.serviceName[MAX_SERVICE_NAME]='\0';    
    memcpy(serviceKeyInfo.model, keyInfo->model, sizeof(serviceKeyInfo.model));
    memcpy(serviceKeyInfo.serialNo, keyInfo->serialno, sizeof(serviceKeyInfo.serialNo));
    serviceKeyInfo.keyLength = keyInfo->keyLen;
    serviceKeyInfo.keyType = keyType;

...
teeCmdExecuter.c
...
    case CMD_GENERATE_EC_SERVICE_KEY_V1 :
        if(keyType == KEY_TYPE_NONE) {
            keyType = KEY_TYPE_EC;
        }
        memcpy(&dataLen, inData + inDataLen - sizeof(uint32_t), sizeof(dataLen));
        if(dataLen > inDataLen) {
            LOGE("In data length is not proper - %d %d.", dataLen, inDataLen);
            return ERR_TA_BUFFER_OVERFLOW;
        }

        pTlv = (Tlv_t *)inData;
        if(pTlv->tag == KEYBLOB_TAG_TA_NAME) {
            if((tidLen = pTlv->dataLen) > MAX_TID_SIZE) {
                LOGE("Invalid TID length: %d", tidLen);
                return ERR_TA_INVALID_ARGUMENT;
            }
            pTlv = (Tlv_t *)(pTlv->data + pTlv->dataLen);
            pos += tidLen;
        }
        if(pTlv->tag == KEYBLOB_TAG_ATTRS) {     //When pTlv->tag is KEYBLOB_TAG_ATTRS
            attrsLen = pTlv->dataLen;
            pAttrs = pTlv->data;
            if((dataLen > attrsLen) && (pos < dataLen - attrsLen)) {
                pTlv = (Tlv_t *)(pTlv->data + pTlv->dataLen);     //pTlv is pTlv->data + pTlv->dataLen
                pos += attrsLen;
            } else {
                LOGE("Inserted data is too big - %d %d", tidLen, attrsLen);
                return ERR_TA_BUFFER_OVERFLOW;
            }
        }
        if((dataLen > sizeof(struct KeyInfo)) && (pos < dataLen - sizeof(struct KeyInfo))) {
            pKeyInfo = (uint8_t *)pTlv;
            pos += sizeof(struct KeyInfo);

            memcpy(&wrappedKeyLenV1, inData + inDataLen - sizeof(uint32_t) * 2, sizeof(wrappedKeyLenV1));

            if((dataLen > wrappedKeyLenV1) && (pos < dataLen - wrappedKeyLenV1)) {
                pWrappedKey = pKeyInfo + sizeof(struct KeyInfo);

                LOGD("dataLen = %d, tidLen = %d, attrsLen = %d, drkKeyLen = %d", dataLen, tidLen, attrsLen, wrappedKeyLenV1);

                ret = generateServiceKeyV1((struct KeyInfo *)pKeyInfo, pWrappedKey, wrappedKeyLenV1,     //pKeyInfo is pointing pTlv->data + pTlv->dataLen
                                           outData, outDataLen, pAttrs, attrsLen, keyType);
...
In generateServiceKeyV1(), the keyInfo argument (pKeyInfo in the caller) is dereferenced without further validation: the caller only checks that enough bytes remain in the input buffer to hold a struct KeyInfo, and then casts that input directly to the struct, so its contents are taken as-is from the command data. If members of struct KeyInfo are NULL, a null pointer dereference can occur.

Remediation
Check for NULL or uninitialized pointers before dereferencing them.
Add a length check on pTlv->dataLen when pTlv->tag == KEYBLOB_TAG_ATTRS, as is already done for KEYBLOB_TAG_TA_NAME.