
Virtual address returned to the REE

Moderate
jbech-linaro published GHSA-fxrr-hv4r-fx2r Jun 28, 2021

Package

OP-TEE

Affected versions

< 3.6.0

Patched versions

>= 3.6.0

Description

The virtual address of the session context is returned to the REE as the session identifier in entry_open_session(); the REE then passes it back in entry_close_session() and entry_invoke_command().

Sharing virtual addresses with the REE discloses TEE virtual memory addresses, which could be leveraged to defeat ASLR and/or mount an attack. Exchanging virtual addresses between the REE and the TEE is generally a bad idea: it discloses TEE-internal virtual addresses and leaks layout information, and it could lead to future vulnerabilities if any error is made while verifying or manipulating the exchanged virtual address.

Additionally, a vaddr_t is used to carry the virtual address. On 64-bit platforms this value is truncated (overflows) when it is stored in the uint32_t session id (see tee_ta_get_session()), so distinct session contexts can map to the same id (an N-to-1 mapping), with other side effects on execution.
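To make the two failure modes concrete, the following is an added, constructed C sketch; it is not OP-TEE code and the function names, the session table, and the addresses used are hypothetical. It contrasts a session id derived from the context's virtual address (leaking the address to the REE and colliding once truncated to 32 bits) with an opaque counter-allocated id that carries no address information and cannot alias another session.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration (not OP-TEE code) of the weakness in
 * OP-TEE-2019-0014: a TEE virtual address handed to the REE as a session
 * id, and the N-to-1 mapping that appears when a 64-bit vaddr_t is
 * truncated to a uint32_t. All names, addresses and the table layout
 * below are hypothetical.
 */
typedef uint64_t vaddr_t;   /* assume a 64-bit TEE */

#define MAX_SESSIONS 4

struct ta_session {
    bool     open;
    vaddr_t  ctx_vaddr;     /* where the session context lives in TEE memory */
    uint32_t opaque_id;     /* hardened scheme: id unrelated to any address */
};

static struct ta_session sessions[MAX_SESSIONS];
static uint32_t next_id = 1;    /* 0 is reserved as "invalid" */

void reset_sessions(void)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        sessions[i].open = false;
        sessions[i].ctx_vaddr = 0;
        sessions[i].opaque_id = 0;
    }
    next_id = 1;
}

/* ---- Vulnerable scheme: session id == low 32 bits of the context vaddr ---- */

/* What an open_session entry point would hand back to the REE. */
uint32_t vuln_open_session(int slot, vaddr_t ctx_vaddr)
{
    sessions[slot].open = true;
    sessions[slot].ctx_vaddr = ctx_vaddr;
    return (uint32_t)ctx_vaddr;     /* silently drops bits 32..63 */
}

/* What a get_session-style lookup does with the REE-supplied id. */
int vuln_get_session(uint32_t id)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].open && (uint32_t)sessions[i].ctx_vaddr == id)
            return i;   /* first match wins: N-to-1 once high bits differ */
    return -1;
}

/* ---- Hardened scheme: opaque ids from a counter, never an address ---- */

uint32_t safe_open_session(int slot, vaddr_t ctx_vaddr)
{
    sessions[slot].open = true;
    sessions[slot].ctx_vaddr = ctx_vaddr;       /* stays inside the TEE */
    sessions[slot].opaque_id = next_id++;
    return sessions[slot].opaque_id;            /* reveals nothing about layout */
}

int safe_get_session(uint32_t id)
{
    if (id == 0)
        return -1;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].open && sessions[i].opaque_id == id)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed TEE addresses that differ only above bit 31. */
    vaddr_t a = 0x0000000040001000ULL;
    vaddr_t b = 0x0000000140001000ULL;

    reset_sessions();
    uint32_t id_a = vuln_open_session(0, a);
    uint32_t id_b = vuln_open_session(1, b);
    printf("vulnerable: id_a=0x%08" PRIx32 " id_b=0x%08" PRIx32 " collide=%s\n",
           id_a, id_b, id_a == id_b ? "yes" : "no");
    printf("vulnerable: REE closing id_b reaches slot %d (expected 1)\n",
           vuln_get_session(id_b));
    printf("vulnerable: id_a exposes the low 32 bits of TEE address 0x%016" PRIx64 "\n", a);

    reset_sessions();
    uint32_t sid_a = safe_open_session(0, a);
    uint32_t sid_b = safe_open_session(1, b);
    printf("hardened: ids %" PRIu32 " and %" PRIu32 ", lookup(sid_b)=%d, "
           "lookup(0x40001000)=%d\n",
           sid_a, sid_b, safe_get_session(sid_b), safe_get_session(0x40001000u));
    return 0;
}
```

The vulnerable lookup shows why the truncation matters beyond disclosure: with two contexts whose addresses agree in the low 32 bits, the REE's close or invoke on one session is silently applied to the other. The hardened variant mirrors the approach of the fix listed under Patches, which stops using virtual addresses as the session identifier.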

Patches

optee_os.git

  • core: do not use virtual addresses as session identifier (99164a0)

Workarounds

N/A

References

N/A

OP-TEE ID

OP-TEE-2019-0014

Reported by

Netflix (Bastien Simondi)

For more information

For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs