Summary: There is a NULL pointer dereference vulnerability in generateServiceKeyV1(). Details: cryptoPlatform.c ... int32_t generateServiceKeyV1(struct KeyInfo *keyInfo, const uint8_t *drkBlob, const uint32_t drkBlobLen, uint8_t *serviceBlob, uint32_t *serviceBlobLen, const uint8_t *attrs, const uint32_t attrsLen, KeyType_t keyType) { int32_t ret = NOT_ERROR; ServiceKeyInfo_t serviceKeyInfo; uint8_t plainBlob[MAX_SKM_BUF_SIZE], targetTid[MAX_TID_SIZE]; uint32_t plainBlobLen = sizeof(plainBlob), targetTidLen = sizeof(targetTid); #if (defined USE_QSEE_SFS) const char dirPath[] = COMMON_DIR"/prov_data/"; #endif // End of USE_QSEE_SFS LOGI("%s start...", __func__); if(keyInfo == NULL) { LOGE("%s : Invalid argument.", __func__); return ERR_TA_INVALID_ARGUMENT; } memset(plainBlob, 0, sizeof(plainBlob)); memset(&serviceKeyInfo, 0, sizeof(serviceKeyInfo)); //Null pointer dereference memcpy(serviceKeyInfo.serviceName, keyInfo->serviceName, MAX_SERVICE_NAME); serviceKeyInfo.serviceName[MAX_SERVICE_NAME]='\0'; memcpy(serviceKeyInfo.model, keyInfo->model, sizeof(serviceKeyInfo.model)); memcpy(serviceKeyInfo.serialNo, keyInfo->serialno, sizeof(serviceKeyInfo.serialNo)); serviceKeyInfo.keyLength = keyInfo->keyLen; serviceKeyInfo.keyType = keyType; ... teeCmdExecuter.c ... 
case CMD_GENERATE_EC_SERVICE_KEY_V1 : if(keyType == KEY_TYPE_NONE) { keyType = KEY_TYPE_EC; } memcpy(&dataLen, inData + inDataLen - sizeof(uint32_t), sizeof(dataLen)); if(dataLen > inDataLen) { LOGE("In data length is not proper - %d %d.", dataLen, inDataLen); return ERR_TA_BUFFER_OVERFLOW; } pTlv = (Tlv_t *)inData; if(pTlv->tag == KEYBLOB_TAG_TA_NAME) { if((tidLen = pTlv->dataLen) > MAX_TID_SIZE) { LOGE("Invalid TID length: %d", tidLen); return ERR_TA_INVALID_ARGUMENT; } pTlv = (Tlv_t *)(pTlv->data + pTlv->dataLen); pos += tidLen; } if(pTlv->tag == KEYBLOB_TAG_ATTRS) { //When pTlv->tag is KEYBLOB_TAG_ATTRS attrsLen = pTlv->dataLen; pAttrs = pTlv->data; if((dataLen > attrsLen) && (pos < dataLen - attrsLen)) { pTlv = (Tlv_t *)(pTlv->data + pTlv->dataLen); //pTlv is pTlv->data + pTlv->dataLen pos += attrsLen; } else { LOGE("Inserted data is too big - %d %d", tidLen, attrsLen); return ERR_TA_BUFFER_OVERFLOW; } } if((dataLen > sizeof(struct KeyInfo)) && (pos < dataLen - sizeof(struct KeyInfo))) { pKeyInfo = (uint8_t *)pTlv; pos += sizeof(struct KeyInfo); memcpy(&wrappedKeyLenV1, inData + inDataLen - sizeof(uint32_t) * 2, sizeof(wrappedKeyLenV1)); if((dataLen > wrappedKeyLenV1) && (pos < dataLen - wrappedKeyLenV1)) { pWrappedKey = pKeyInfo + sizeof(struct KeyInfo); LOGD("dataLen = %d, tidLen = %d, attrsLen = %d, drkKeyLen = %d", dataLen, tidLen, attrsLen, wrappedKeyLenV1); ret = generateServiceKeyV1((struct KeyInfo *)pKeyInfo, pWrappedKey, wrappedKeyLenV1, //pKeyInfo is pointing pTlv->data + pTlv->dataLen outData, outDataLen, pAttrs, attrsLen, keyType); ... In generateServiceKeyV1(), keyInfo is used after nothing more than a keyInfo == NULL check. On this call path pKeyInfo is simply (uint8_t *)pTlv, a pointer into the caller-supplied inData buffer, so the struct pointer itself is not NULL (unless inData is) and the check does not validate the struct's contents: serviceName, model, serialno and keyLen are read straight from caller-controlled bytes. If those members are pointer fields (as the NULL-dereference wording implies), any caller-chosen address, not only NULL, is handed to memcpy, so a NULL check alone is insufficient; if they are inline arrays, the only guarantee is that sizeof(struct KeyInfo) bytes fit within dataLen, and note that serviceKeyInfo.serviceName[MAX_SERVICE_NAME] = '\0' requires that array to hold MAX_SERVICE_NAME + 1 bytes. Separately, dataLen is taken from the trailing bytes of inData and is only checked to be no larger than inDataLen, and pos appears to be advanced by tidLen/attrsLen alone while pTlv advances past the Tlv_t header as well, so pos may undercount the consumed offset (confirm against how pos is initialised, which is outside this excerpt). Remediation: Validate the parsed struct KeyInfo in the command handler before it is cast and passed on (field lengths and ranges, and any pointer members), rather than relying on a NULL check of the struct pointer. Add an explicit upper-bound check on pTlv->dataLen when pTlv->tag == KEYBLOB_TAG_ATTRS, mirroring the MAX_TID_SIZE check applied to KEYBLOB_TAG_TA_NAME, before attrsLen/pAttrs are taken and pTlv is advanced.