Advisory TFMV-5
===============

+-----------------+------------------------------------------------------------+
| Title           | ``psa_fwu_write()`` may cause buffer overflow in SPE.      |
+=================+============================================================+
| CVE ID          | CVE-2021-43619                                             |
+-----------------+------------------------------------------------------------+
| Public          | Feb 11, 2022                                               |
| Disclosure Date |                                                            |
+-----------------+------------------------------------------------------------+
| Versions        | From `3e7129f`_ to `921d0ea`_                              |
| Affected        |                                                            |
+-----------------+------------------------------------------------------------+
| Configurations  | IPC model with Firmware Update partition enabled           |
+-----------------+------------------------------------------------------------+
| Impact          | In IPC model, the caller of ``psa_fwu_write()`` from SPE   |
|                 | or NSPE can overwrite the stack memory outside of the      |
|                 | local buffer in Firmware Update partition.                 |
+-----------------+------------------------------------------------------------+
| Fix Version     | commit `78f7530`_                                          |
+-----------------+------------------------------------------------------------+
| Credit          | Mark Horvath,                                              |
|                 | Staff Software Engineer from Arm Ltd.                      |
+-----------------+------------------------------------------------------------+

Background
----------

In the Firmware Update partition, the ``psa_fwu_write()`` service is declared as:

.. code-block:: c

    /**
     * \brief Writes an image to its staging area.
     *
     * Writes the image data 'block' with length 'block_size' to its staging area.
     *
     * \param[in] image_id      The identifier of the image
     * \param[in] block_offset  The offset of the block being passed into block,
     *                          in bytes
     * \param[in] block         A buffer containing a block of image data. This
     *                          might be a complete image or a subset.
     * \param[in] block_size    Size of block. The size must not be greater than
     *                          PSA_FWU_MAX_BLOCK_SIZE.
     *
     */
    psa_status_t psa_fwu_write(psa_image_id_t image_id,
                               size_t block_offset,
                               const void *block,
                               size_t block_size);

In the IPC model, this service calls the ``tfm_fwu_write_ipc()`` API to write
the input data into the device. In this API, ``block_size`` bytes of input
data (from the ``block`` argument) are read into a ``1024`` byte local buffer
via the ``psa_read()`` API. If the input argument ``block_size`` is greater
than ``1024``, then ``block_size`` bytes of memory starting at the address of
the local buffer are overwritten by the input data in the ``block`` argument,
because the caller-controlled length is never compared against the size of
the local buffer.

Impact
------

In the IPC model, the caller of ``psa_fwu_write()`` from SPE or NSPE can
overwrite memory in RAM. The overwritten region ranges from the address of the
local buffer, which is located on the stack of the Firmware Update partition,
to the end of RAM. The overwritten memory may include the data of SPM and
device drivers, as well as part of the stack of the Firmware Update partition.

Mitigation
----------

Add a check on the input buffer length in the ``tfm_fwu_write_ipc()`` API
before reading the input data into the local buffer. See commit `78f7530`_.

.. _3e7129f: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=3e7129f
.. _921d0ea: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=921d0ea
.. _78f7530: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=78f7530

---------------------

*Copyright (c) 2022, Arm Limited. All rights reserved.*
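The mitigation described above, as an added C example that is not TF-M's own code: a hypothetical IPC write handler with a simulated ``psa_read()``, showing the length check placed before the read so that a caller-supplied ``block_size`` larger than the 1024-byte local buffer is rejected with ``PSA_ERROR_INVALID_ARGUMENT`` instead of running past the buffer on the stack. The type stand-ins, the ``sim_*`` and ``fwu_write_*`` names and the 2048-byte client payload are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for PSA types and codes; not TF-M's own definitions. */
typedef int32_t psa_status_t;
#define PSA_SUCCESS                ((psa_status_t)0)
#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
#define FWU_LOCAL_BUF_SIZE 1024u  /* the 1024-byte local buffer named in the advisory */

/* Simulated IPC message: the client's block vector as the SPE handler sees it. */
typedef struct { const uint8_t *data; size_t size; } sim_msg_t;

/* Simulated psa_read(): copies at most num_bytes from the message into buf.
 * It cannot know how large buf really is, so the handler must never pass a
 * caller-supplied length larger than the buffer it points at. */
static size_t sim_psa_read(sim_msg_t *msg, void *buf, size_t num_bytes) {
    size_t n = msg->size < num_bytes ? msg->size : num_bytes;
    memcpy(buf, msg->data, n);
    msg->data += n;
    msg->size -= n;
    return n;
}

/* Hardened write handler (hypothetical, modelled on the advisory's description).
 * Reports the number of bytes accepted into the local buffer through *written. */
psa_status_t fwu_write_hardened(sim_msg_t *msg, size_t block_size, size_t *written) {
    uint8_t data_block[FWU_LOCAL_BUF_SIZE];
    *written = 0;
    /* The mitigation: bound the untrusted block_size before reading. Without
     * this check, block_size > 1024 makes the read run past data_block. */
    if (block_size > sizeof(data_block)) {
        return PSA_ERROR_INVALID_ARGUMENT;
    }
    *written = sim_psa_read(msg, data_block, block_size);
    /* ...the real service would now stage data_block to flash... */
    return PSA_SUCCESS;
}

/* Drives one request against a constructed 2048-byte client payload, so that
 * an oversized block_size is backed by more data than the local buffer holds. */
psa_status_t fwu_write_request(size_t block_size, size_t *written) {
    static uint8_t client_payload[2048];
    for (size_t i = 0; i < sizeof(client_payload); i++) {
        client_payload[i] = (uint8_t)i;  /* constructed sample image data */
    }
    sim_msg_t msg = { client_payload, sizeof(client_payload) };
    return fwu_write_hardened(&msg, block_size, written);
}
```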