Advisory TFMV-5

| Title | |
|---|---|
| CVE ID | CVE-2021-43619 |
| Public Disclosure Date | Feb 11, 2022 |
| Versions Affected | |
| Configurations | IPC model with Firmware Update partition enabled |
| Impact | In IPC model, the caller of `psa_fwu_write()` from SPE or NSPE can overwrite the memory space in RAM. |
| Fix Version | commit 78f7530 |
| Credit | Mark Horvath, Staff Software Engineer from Arm Ltd. |
Background
In the Firmware Update partition, the `psa_fwu_write()` service is declared as:

```c
/**
 * \brief Writes an image to its staging area.
 *
 * Writes the image data 'block' with length 'block_size' to its staging area.
 *
 * \param[in] image_id     The identifier of the image
 * \param[in] block_offset The offset of the block being passed into block,
 *                         in bytes
 * \param[in] block        A buffer containing a block of image data. This
 *                         might be a complete image or a subset.
 * \param[in] block_size   Size of block. The size must not be greater than
 *                         PSA_FWU_MAX_BLOCK_SIZE.
 *
 */
psa_status_t psa_fwu_write(psa_image_id_t image_id,
                           size_t block_offset,
                           const void *block,
                           size_t block_size);
```
In IPC model, this service calls the `tfm_fwu_write_ipc()` API to write the input data into the device. In this API, the `block_size` bytes of input data (in the `block` argument) are read into a 1024-byte local buffer via the `psa_read()` API. If the input argument `block_size` is greater than 1024, then the memory space starting from the address of the local buffer and extending `block_size` bytes would be overwritten by the input data in the `block` argument.
Impact
In IPC model, the caller of `psa_fwu_write()` from SPE or NSPE can overwrite the memory space in RAM. The overwritten memory space ranges from the address of the local buffer, which is located on the stack of the Firmware Update partition, to the end of the RAM. The overwritten memory may include the data of the SPM and device drivers, as well as part of the stack of the Firmware Update partition.
Mitigation
Add a check against the input buffer length in the `tfm_fwu_write_ipc()` API before reading the input data into the local buffer. See commit 78f7530.
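Added example, not TF-M's source: a reduced C model of the handler shape described in the Background and Mitigation sections, with the unchecked read beside the length-checked version. `msg_t`, the `psa_read()` stub, the status values and the function names are assumptions; the exact check in commit 78f7530 may differ.

```c
/* Added illustration, not TF-M's source: a reduced model of the IPC
 * write handler before and after a length check. msg_t, psa_read() and
 * the status values below are stand-ins for the real SPM/PSA ones. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LOCAL_BLOCK_SIZE 1024u  /* local staging buffer size, per the advisory */
#define PSA_SUCCESS                ((int32_t)0)
#define PSA_ERROR_INVALID_ARGUMENT ((int32_t)-135)

/* Constructed stand-in for the IPC message: the caller's input vector
 * and the length the caller declared for it. */
typedef struct { const uint8_t *in_data; size_t in_size; } msg_t;

/* Stand-in for psa_read(): copies up to buf_size bytes of caller input
 * into buf. It trusts buf_size; it cannot know how big buf really is. */
static size_t psa_read(const msg_t *msg, void *buf, size_t buf_size)
{
    size_t n = msg->in_size < buf_size ? msg->in_size : buf_size;
    memcpy(buf, msg->in_data, n);
    return n;
}

/* Pre-fix shape: block_size comes straight from the caller and is used
 * as the read length into a fixed 1024-byte stack buffer, so in_size
 * above 1024 runs the copy past 'block' up the partition stack.
 * Kept to show the defect; only ever call it with in_size <= 1024. */
static int32_t fwu_write_ipc_unchecked(const msg_t *msg, size_t *written)
{
    uint8_t block[LOCAL_BLOCK_SIZE];
    size_t block_size = msg->in_size;              /* caller-controlled */
    *written = psa_read(msg, block, block_size);   /* no bound: overflow */
    return PSA_SUCCESS;
}

/* Fixed shape: reject anything larger than the local buffer before
 * psa_read() runs. The exact check in commit 78f7530 may differ; this is
 * the shape the advisory's mitigation describes. */
static int32_t fwu_write_ipc_checked(const msg_t *msg, size_t *written)
{
    uint8_t block[LOCAL_BLOCK_SIZE];
    size_t block_size = msg->in_size;
    if (block_size > sizeof(block)) {
        *written = 0;
        return PSA_ERROR_INVALID_ARGUMENT;
    }
    *written = psa_read(msg, block, block_size);
    return PSA_SUCCESS;   /* block would now go to the image/flash driver */
}
```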
Copyright (c) 2022, Arm Limited. All rights reserved.