Vulnerability Information
Vulnerability Title
OP-TEE Trusted OS vulnerable to Improper Validation of Array Index in the cleanup_shm_refs function
Vulnerability Description
OP-TEE Trusted OS is the secure-side implementation of the OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0 contain an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. `cleanup_shm_refs()` does not validate the `num_params` argument, which is only limited to `OPTEE_MSG_MAX_NUM_PARAMS` (127) in the function `get_cmd_buffer()`. Therefore, an attacker in the normal world can craft an SMC call that causes an out-of-bounds read in `cleanup_shm_refs()` and potentially the freeing of fake objects in the function `mobj_put()`. A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.
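The bug class described above, shown as an added, simplified C model that is not OP-TEE source code and not the project's patch: a caller-supplied count is used as the loop bound over a fixed-size array of references. The struct names, the helper `ref_put()` (a stand-in for `mobj_put()`) and the array size of 4 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model (assumptions, not OP-TEE source): the message may declare
 * up to MSG_MAX_PARAMS parameters, but the per-call bookkeeping array only
 * has SAVED_SLOTS entries. */
#define MSG_MAX_PARAMS 127u /* OPTEE_MSG_MAX_NUM_PARAMS as stated on the page */
#define SAVED_SLOTS    4u   /* assumed size of the fixed array */

struct shm_ref { int held; };  /* stand-in for a shared-memory object */
struct saved_refs { struct shm_ref *ref[SAVED_SLOTS]; };

/* Stand-in for mobj_put(): drops one reference if the slot is populated. */
static void ref_put(struct shm_ref *r) { if (r) r->held--; }

/* Vulnerable pattern: the caller-controlled count is the loop bound, so any
 * num_params > SAVED_SLOTS indexes past the end of s->ref[]. */
size_t cleanup_unchecked(struct saved_refs *s, uint32_t num_params)
{
    size_t n;
    for (n = 0; n < num_params; n++) {
        ref_put(s->ref[n]);
        s->ref[n] = NULL;
    }
    return n;
}

/* Hardened pattern: clamp the bound to the array size before indexing. */
size_t cleanup_checked(struct saved_refs *s, uint32_t num_params)
{
    size_t limit = num_params < SAVED_SLOTS ? num_params : SAVED_SLOTS;
    size_t n;
    for (n = 0; n < limit; n++) {
        ref_put(s->ref[n]);
        s->ref[n] = NULL;
    }
    return n;
}

/* Stricter alternative at the entry point: reject oversized counts. */
int validate_num_params(uint32_t num_params)
{
    return num_params <= SAVED_SLOTS ? 0 : -1;
}
```

A count that passes only the message-level limit of 127 is still far larger than the array it later indexes, which is why the check has to sit next to the array access or at every entry point that reaches it.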
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
Improper Validation of Array Index
Vulnerability Title
OP-TEE Trusted OS Input Validation Error Vulnerability
Vulnerability Description
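OP-TEE Trusted OS is an open-source Trusted Execution Environment (TEE) from the OP-TEE project that implements Arm TrustZone technology. Versions of OP-TEE Trusted OS prior to 3.19.0 contain a security vulnerability that stems from the "num_params" parameter not being validated, which leads to an out-of-bounds read.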
CVSS Information
N/A
Vulnerability Type
N/A