Advisory TFMV-5
===============

+-----------------+------------------------------------------------------------+
| Title           | ``psa_fwu_write()`` may cause buffer overflow in SPE.      |
+=================+============================================================+
| CVE ID          | CVE-2021-43619                                             |
+-----------------+------------------------------------------------------------+
| Public          | Feb 11, 2022                                               |
| Disclosure Date |                                                            |
+-----------------+------------------------------------------------------------+
| Versions        | From `3e7129f`_ to `921d0ea`_                              |
| Affected        |                                                            |
+-----------------+------------------------------------------------------------+
| Configurations  | IPC model with Firmware Update partition enabled           |
+-----------------+------------------------------------------------------------+
| Impact          | In the IPC model, a caller of ``psa_fwu_write()`` from the |
|                 | SPE or NSPE can overwrite stack memory beyond the local    |
|                 | buffer in the Firmware Update partition.                   |
+-----------------+------------------------------------------------------------+
| Fix Version     | commit `78f7530`_                                          |
+-----------------+------------------------------------------------------------+
| Credit          | Mark Horvath,                                              |
|                 | Staff Software Engineer from Arm Ltd.                      |
+-----------------+------------------------------------------------------------+

Background
----------

In the Firmware Update partition, the ``psa_fwu_write()`` service is declared as:

.. code-block:: c

    /**
     * \brief Writes an image to its staging area.
     *
     * Writes the image data 'block' with length 'block_size' to its staging area.
     *
     * \param[in] image_id      The identifier of the image
     * \param[in] block_offset  The offset of the block being passed into block,
     *                          in bytes
     * \param[in] block         A buffer containing a block of image data. This
     *                          might be a complete image or a subset.
     * \param[in] block_size    Size of block. The size must not be greater than
     *                          PSA_FWU_MAX_BLOCK_SIZE.
     *
     */
    psa_status_t psa_fwu_write(psa_image_id_t image_id,
                               size_t block_offset,
                               const void *block,
                               size_t block_size);

In the IPC model this service is implemented by ``tfm_fwu_write_ipc()``, which
writes the caller's data into the device. The handler reads ``block_size`` bytes
of the ``block`` argument into a 1024-byte local buffer with ``psa_read()``,
passing the caller-supplied ``block_size`` as the read length. Nothing compares
``block_size`` with the size of that buffer, so a request whose ``block_size``
is greater than 1024 makes ``psa_read()`` write ``block_size`` bytes starting at
the local buffer and overrun it by ``block_size - 1024`` bytes. The API contract
requires callers to keep ``block_size`` at or below ``PSA_FWU_MAX_BLOCK_SIZE``,
but a caller in the NSPE is untrusted and the secure side must enforce its own
bound rather than rely on that contract.

Impact
------

In the IPC model, a caller of ``psa_fwu_write()`` from either the SPE or the
NSPE can overwrite RAM. The overwritten region begins at the local buffer on the
stack of the Firmware Update partition and can extend to the end of RAM; it may
include the rest of the partition's stack as well as data belonging to the SPM
and device drivers. Because the service is reachable from the NSPE, a non-secure
caller can corrupt secure-world memory.

Mitigation
----------

Check the input length in ``tfm_fwu_write_ipc()`` before reading the input data
into the local buffer, and reject any request whose ``block_size`` exceeds the
size of that buffer. See commit `78f7530`_.

.. _3e7129f: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=3e7129f
.. _921d0ea: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=921d0ea
.. _78f7530: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=78f7530

---------------------

*Copyright (c) 2022, Arm Limited. All rights reserved.*
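Added illustration, not part of the advisory and not TF-M code: a C model of the
``tfm_fwu_write_ipc()`` read path described above, with the unchecked handler
beside the checked one so the effect of the missing length check can be observed
on a modelled stack frame. The frame layout, the ``model_psa_read()`` helper, the
``simulate_fwu_write()`` driver and the 0x41 payload are constructed for this
demonstration; the real ``psa_read()`` takes a message handle and an in-vector
index, and the status values are assumed from the PSA API conventions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the local buffer in tfm_fwu_write_ipc() as stated in the advisory. */
#define FWU_LOCAL_BUF_SIZE 1024u

/* PSA status values (assumed from the PSA API conventions; only two are needed). */
typedef int32_t psa_status_t;
#define PSA_SUCCESS                ((psa_status_t)0)
#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)

/* Constructed IPC request: in the IPC model the SPM hands the partition a message
 * whose in-vector length and contents both originate from the (possibly
 * non-secure) caller. */
struct ipc_msg {
    const uint8_t *in_vec;   /* the caller's `block` */
    size_t         in_len;   /* the caller's `block_size` */
};

/* Hypothetical stand-in for psa_read(): copies min(len, bytes left in the
 * in-vector) into dst and returns the count. It knows nothing about how large
 * dst really is; the caller's `len` is the only bound it honours. */
static size_t model_psa_read(const struct ipc_msg *msg, uint8_t *dst, size_t len)
{
    size_t n = len < msg->in_len ? len : msg->in_len;
    memcpy(dst, msg->in_vec, n);
    return n;
}

/* Modelled stack frame: the 1024-byte local buffer followed by one word that
 * stands in for whatever the compiler placed above it (saved registers, return
 * address). The model's RAM ends after this word. */
#define FRAME_SIZE (FWU_LOCAL_BUF_SIZE + sizeof(uint32_t))
static const uint32_t SAVED_WORD = 0xA5A55A5Au;

/* Vulnerable handler, following the advisory's description: the request's
 * block_size is passed straight to psa_read() as the read length. */
static psa_status_t fwu_write_ipc_vulnerable(const struct ipc_msg *msg, uint8_t *local_buf)
{
    /* BUG: msg->in_len is never compared with FWU_LOCAL_BUF_SIZE. */
    model_psa_read(msg, local_buf, msg->in_len);
    return PSA_SUCCESS;
}

/* Hardened handler: reject the request before any byte is read if the caller's
 * block_size would not fit the local buffer. The API contract asks callers to
 * stay within PSA_FWU_MAX_BLOCK_SIZE, but an NSPE caller is untrusted. */
static psa_status_t fwu_write_ipc_fixed(const struct ipc_msg *msg, uint8_t *local_buf)
{
    if (msg->in_len > FWU_LOCAL_BUF_SIZE) {
        return PSA_ERROR_INVALID_ARGUMENT;
    }
    model_psa_read(msg, local_buf, msg->in_len);
    return PSA_SUCCESS;
}

/* Drive one request of `block_size` bytes through the chosen handler.
 * Returns 1 if the word above the buffer survived, 0 if it was overwritten.
 * The handler's status is stored through *status when it is non-NULL. */
int simulate_fwu_write(int hardened, size_t block_size, psa_status_t *status)
{
    /* Constructed attacker payload: block_size bytes of 0x41. Requests larger
     * than the modelled RAM are clipped so the model itself stays in bounds; on
     * the real target the overrun would continue towards the end of RAM. */
    static uint8_t payload[FRAME_SIZE];
    if (block_size > FRAME_SIZE) {
        block_size = FRAME_SIZE;
    }
    memset(payload, 0x41, block_size);

    /* One flat object for buffer + saved word keeps the model's memcpy defined
     * even when it runs past the 1024-byte "local buffer". */
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof(frame));
    memcpy(frame + FWU_LOCAL_BUF_SIZE, &SAVED_WORD, sizeof(SAVED_WORD));

    struct ipc_msg msg = { payload, block_size };
    psa_status_t st = hardened ? fwu_write_ipc_fixed(&msg, frame)
                               : fwu_write_ipc_vulnerable(&msg, frame);
    if (status) {
        *status = st;
    }
    return memcmp(frame + FWU_LOCAL_BUF_SIZE, &SAVED_WORD, sizeof(SAVED_WORD)) == 0;
}

/* Convenience wrapper returning only the handler's status. */
psa_status_t fwu_write_status(int hardened, size_t block_size)
{
    psa_status_t st;
    (void)simulate_fwu_write(hardened, block_size, &st);
    return st;
}

int main(void)
{
    size_t sizes[] = { FWU_LOCAL_BUF_SIZE, FWU_LOCAL_BUF_SIZE + 1, 4096 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        psa_status_t sv, sf;
        int v = simulate_fwu_write(0, sizes[i], &sv);
        int f = simulate_fwu_write(1, sizes[i], &sf);
        printf("block_size=%zu  vulnerable: word %s (status %ld)  fixed: word %s (status %ld)\n",
               sizes[i], v ? "intact" : "CLOBBERED", (long)sv,
               f ? "intact" : "CLOBBERED", (long)sf);
    }
    return 0;
}
```

A request of exactly 1024 bytes is accepted by both handlers and leaves the saved
word alone; one byte more clobbers it in the unchecked handler while the checked
one returns ``PSA_ERROR_INVALID_ARGUMENT`` without touching the buffer. The check
belongs before the ``psa_read()`` call, as the fix describes, because the copy
itself is what corrupts the frame.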