Advisory TFMV-8
===============

+-----------------+------------------------------------------------------------+
| Title           | Unchecked user-supplied pointer via mailbox messages may   |
|                 | cause write of arbitrary address.                          |
+=================+============================================================+
| CVE ID          | `CVE-2024-45746`_                                          |
+-----------------+------------------------------------------------------------+
| Public          | October 02, 2024                                           |
| Disclosure Date |                                                            |
+-----------------+------------------------------------------------------------+
| Versions        | All versions from TF-Mv1.6.0 up to TF-Mv2.1.0 inclusive    |
| Affected        |                                                            |
+-----------------+------------------------------------------------------------+
| Configurations  | Platforms with standard mailbox dispatcher                 |
|                 | ``tfm_spe_mailbox``.                                       |
+-----------------+------------------------------------------------------------+
| Impact          | The mailbox message could contain arbitrary pointers which,|
|                 | in case of psa_call failure, would lead to write to a      |
|                 | user-specified address in memory.                          |
+-----------------+------------------------------------------------------------+
| Fix Version     | 5ae0a02e8 TF-M v2.1.1                                      |
+-----------------+------------------------------------------------------------+
| Credit          | Infineon Technologies AG, in collaboration with: Tobias    |
|                 | Scharnowski, Simon Wörner and Johannes Willbold from       |
|                 | fuzzware.io.                                               |
+-----------------+------------------------------------------------------------+

Background
----------

The psa_call message through the mailbox contains input/output vectors along
with their respective lengths. This message is provided by an NSPE client.
The SPE takes the message and passes it to the mailbox dispatcher
(tfm_spe_mailbox), which handles the message by copying the i/o vectors into
local arrays. When either the client_id translation or the psa_call fails, the
dispatcher replies immediately to the client. At that moment, the outvec is
written back for its given length, which may not have been sanitized
beforehand, resulting in arbitrary memory access if the provided length goes
beyond the legitimate vector size.

Impact
------

When the dispatcher in tfm_spe_mailbox is used, a user of the mailbox could
write to an arbitrary address by first placing malicious data into the local
vectors with a bad message, then subsequently sending a psa_call with an
invalid vector length. If both calls fail, the reply routine in
tfm_spe_mailbox could take the injected data and write it to a location
specified by the invalid length. Note that the above sequence would require
sending the two messages through two different mailbox slots.

Mitigation
----------

Ensure that the outvec is written back only when the psa operation is
successful. Any error ahead of replying must be taken as a hint to avoid such
a write-back, since it may be due to wrong user-supplied data in the vectors
(pointers, length, etc.). To achieve this, proper sanitization of input data
must also be performed and the related errors propagated to the reply
subroutine.

.. _CVE-2024-45746: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45746

---------------------

*Copyright (c) 2024, Arm Limited. All rights reserved.*
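The write-back gating that the Mitigation section describes, as an added C model (not TF-M's own code): the message and vector structures, the local array and the status codes are hypothetical simplifications, and the psa_call result is passed in as a stub.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified model of a mailbox psa_call message (not TF-M's
 * real structures): one outvec described by a client-supplied pointer
 * and length, and the local array the dispatcher copies it into. */
#define LOCAL_OUTVEC_MAX 64u

typedef struct {
    uint8_t *base;   /* client-supplied pointer */
    size_t   len;    /* client-supplied length */
} outvec_t;

typedef struct { outvec_t outvec; } mailbox_msg_t;

enum { MBOX_OK = 0, MBOX_ERR_SANITIZE = -1, MBOX_ERR_PSA = -2 };

static uint8_t local_outvec[LOCAL_OUTVEC_MAX];  /* constructed local copy */

/* Sanitize client-supplied vector data before any copy, so that a bad
 * pointer or over-long length is rejected rather than used. */
int mailbox_sanitize(const mailbox_msg_t *msg)
{
    if (msg->outvec.base == NULL || msg->outvec.len > LOCAL_OUTVEC_MAX)
        return MBOX_ERR_SANITIZE;
    return MBOX_OK;
}

/* Hardened reply path: write back to the client's outvec only when every
 * step ahead of the reply succeeded. Returns bytes written back. */
size_t mailbox_reply(const mailbox_msg_t *msg, int status)
{
    if (status != MBOX_OK)
        return 0;   /* any earlier error: skip the write-back entirely */
    memcpy(msg->outvec.base, local_outvec, msg->outvec.len);
    return msg->outvec.len;
}

/* Dispatcher model: sanitize, run the (stubbed) psa_call, then reply.
 * psa_status stands in for the real psa_call result and is propagated. */
size_t mailbox_dispatch(const mailbox_msg_t *msg, int psa_status)
{
    int status = mailbox_sanitize(msg);
    if (status == MBOX_OK)
        status = (psa_status == MBOX_OK) ? MBOX_OK : MBOX_ERR_PSA;
    return mailbox_reply(msg, status);
}
```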