N/A

An issue was discovered in Trusted Firmware-M through 2.1.0. User provided (and controlled) mailbox messages contain a pointer to a list of input arguments (in_vec) and output arguments (out_vec). These list pointers are never validated. Each argument list contains a buffer pointer and a buffer length field. After a PSA call, the length of the output arguments behind the unchecked pointer is updated in mailbox_direct_reply, regardless of the call result. This allows an attacker to write anywhere in the secure firmware, which can be used to take over the control flow, leading to remote code execution (RCE).

N/A

N/A

Linaro Trusted Firmware-M 安全漏洞

Linaro Trusted Firmware-M（Tf-M）是英国Linaro公司的一个平台安全架构 (Psa) 物联网安全框架的参考实现。 Linaro Trusted Firmware-M 2.1.0版本存在安全漏洞，该漏洞源于没有验证用户提供的in_vec和out_vec列表的指针。攻击者利用该漏洞可以远程执行代码。

N/A

N/A