Overflows during RPMB operations

Moderate
jbech-linaro published GHSA-8j2h-88q3-593f Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.6.0

Patched versions

>= 3.6.0

Description

During the RPMB initialization process, the TEE requests some device information from the REE (tee_rpmb_init() -> tee_rpmb_get_dev_info() -> tee_rpmb_invoke()). The information returned by the REE (struct rpmb_dev_info) is not validated, and some of its fields are used in multiplications, including the one that computes rpmb_ctx->rel_wr_blkcnt, which can therefore end up being 0 or very large.

At run time, controlling rel_wr_blkcnt also matters because it gives an attacker better control over the sub-functions that use it later in the code, such as tee_rpmb_write_blk(). All of these operations should be under tight control and should use the xxx_OVERFLOW() macros as much as possible; this includes the computation of blkcnt, req_size, tmp_blkcnt, etc.
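The following added example (not OP-TEE's own code) contrasts an unchecked initialization, where the REE-supplied sizes feed straight into arithmetic, with one that rejects zero values and checks every multiplication and subtraction. The struct layout, the RPMB_SIZE_SINGLE and RPMB_DATA_SIZE constants and the MUL_OVERFLOW/SUB_OVERFLOW names are assumptions standing in for the page's xxx_OVERFLOW() macros.

```c
#include <stdbool.h>
#include <stdint.h>

/* Stand-ins for the xxx_OVERFLOW() macros: evaluate to true on overflow. */
#define MUL_OVERFLOW(a, b, res) __builtin_mul_overflow((a), (b), (res))
#define SUB_OVERFLOW(a, b, res) __builtin_sub_overflow((a), (b), (res))

#define RPMB_SIZE_SINGLE (128 * 1024) /* assumed: bytes per RPMB size unit */
#define RPMB_DATA_SIZE   256          /* assumed: data bytes per RPMB block */

/* Assumed layout of the REE reply; only the fields used here are shown. */
struct rpmb_dev_info {
	uint8_t rpmb_size_mult; /* RPMB size in units of RPMB_SIZE_SINGLE */
	uint8_t rel_wr_sec_c;   /* reliable write sector count */
	uint8_t ret_code;       /* 0 means the REE reports success */
};

struct rpmb_ctx {
	uint16_t rel_wr_blkcnt; /* blocks per reliable write */
	uint32_t max_blk_idx;   /* highest usable block index */
};

/* Unchecked: trusts the REE. rel_wr_sec_c == 0 gives rel_wr_blkcnt == 0,
 * rpmb_size_mult == 0 makes max_blk_idx wrap to 0xFFFFFFFF. */
static void init_ctx_unchecked(struct rpmb_ctx *ctx, const struct rpmb_dev_info *di)
{
	ctx->rel_wr_blkcnt = di->rel_wr_sec_c * 2;
	ctx->max_blk_idx = (di->rpmb_size_mult * RPMB_SIZE_SINGLE) / RPMB_DATA_SIZE - 1;
}

/* Checked: refuse zero sizes and any arithmetic that overflows. */
static bool init_ctx_checked(struct rpmb_ctx *ctx, const struct rpmb_dev_info *di)
{
	uint32_t bytes = 0, blocks = 0;
	unsigned int wr = 0;

	if (di->ret_code != 0 || di->rel_wr_sec_c == 0 || di->rpmb_size_mult == 0)
		return false;
	if (MUL_OVERFLOW(di->rel_wr_sec_c, 2u, &wr) || wr > UINT16_MAX)
		return false;
	if (MUL_OVERFLOW((uint32_t)di->rpmb_size_mult, (uint32_t)RPMB_SIZE_SINGLE, &bytes))
		return false;
	blocks = bytes / RPMB_DATA_SIZE;
	/* SUB_OVERFLOW catches blocks == 0, which would otherwise wrap. */
	if (SUB_OVERFLOW(blocks, 1u, &ctx->max_blk_idx))
		return false;
	ctx->rel_wr_blkcnt = (uint16_t)wr;
	return true;
}
```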

Patches

optee_os.git

  • core: RPMB FS: check for potential overflows (ea81076)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2019-0007

Reported by

Netflix (Bastien Simondi)

For more information

For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs