Huawei TrustZone Block_Chain TA Vulnerabilities
This advisory contains information about the following vulnerabilities:

Heap Pointer Leak in delete_node

In the delete_node function, if the node given as argument is not found in the g_chain_count_vote_head linked list, the value of the offending node pointer is logged by calling tee_print. This leaks a heap pointer into the logs, which are accessible from the normal world using the logcat command.

int delete_node(cert_node_t *node) {
    // ...
    it_node = &g_chain_count_vote_head;
    while (1) {
        if (it_node->next == node)
            break;
        if (it_node->next == NULL) {
            tee_print(0, "%s %d:delete 0x%x not exit ", "[error]", 0x54, node);
            return 0;
        }
        it_node = it_node->next;
    }
    // ...
}

Memory Disclosure in bc_delete_file

The function bc_delete_file does not enforce that storepath is NULL-terminated, which can disclose the memory that follows it. get_whole_store_path copies a directory name into storepath and appends the file name (of size name_len) given as argument, using up to *path_len_p characters in total. Since storepath is 128 bytes and storepath_len is set to 128, the caller can make the copy fill the last byte of storepath, leaving no room for a terminator. The unterminated storepath string is then printed by one of the tee_print calls, disclosing memory into the logs.

int get_whole_store_path(char *name, size_t name_len, char *path, size_t *path_len_p, uint32_t file_type) {
    // ... (error checking is omitted) ...
    dir_name = &g_store_paths[0x44 * file_type + 4];
    dir_name_len = strlen(dir_name);
    memcpy_s(path, *path_len_p, dir_name, dir_name_len);
    memcpy_s(&path[dir_name_len], *path_len_p - dir_name_len, name, name_len);
    *path_len_p = dir_name_len + name_len;
    return 0;
}
int bc_delete_file(char *name, size_t name_len, uint32_t file_type) {
    // ... (error checking is omitted) ...
    char storepath[128];
    memset(storepath, 0, sizeof(storepath));
    storepath_len = 128;
    get_whole_store_path(name, name_len, storepath, &storepath_len, file_type);
    // ...
    tee_print(0, "%s %d:delete file: %s ", "[error]", 0x189, storepath);
    // ...
}
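As an added example that is not part of the advisory or the TA's code, the check that prevents the unterminated storepath: the directory plus file name must leave one byte free for the terminator, and a buffer is only handed to a "%s" log call once a NUL is known to be inside it. The directory table, and the names store_dir, build_store_path_safe and log_ready, are constructed here.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the TA's per-file-type directory table;
 * the real g_store_paths layout is not reproduced here (assumption). */
static const char *store_dir(uint32_t file_type) {
    static const char *dirs[] = { "sec_storage/bc/cert/", "sec_storage/bc/vote/" };
    return file_type < 2 ? dirs[file_type] : NULL;
}

/* Hardened variant of get_whole_store_path: the directory name plus the file
 * name must leave at least one byte free so the result can be NUL-terminated.
 * Returns 0 on success and -1 on any violation, without touching `path`. */
int build_store_path_safe(const char *name, size_t name_len,
                          char *path, size_t *path_len_p, uint32_t file_type) {
    const char *dir = store_dir(file_type);
    if (dir == NULL || name == NULL || path == NULL || path_len_p == NULL)
        return -1;
    size_t dir_len = strlen(dir);
    /* Strict '<' is the fix: allowing dir_len + name_len == *path_len_p
     * would let the copy fill all 128 bytes with no room for the NUL. */
    if (name_len > *path_len_p || dir_len + name_len >= *path_len_p)
        return -1;
    memcpy(path, dir, dir_len);
    memcpy(path + dir_len, name, name_len);
    path[dir_len + name_len] = '\0';
    *path_len_p = dir_len + name_len;
    return 0;
}

/* Precondition for handing a fixed-size buffer to a "%s" log call:
 * there must be a NUL somewhere inside the buffer's declared size. */
int log_ready(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

int main(void) {
    char storepath[128];
    size_t storepath_len = sizeof(storepath);
    if (build_store_path_safe("cert0.bin", 9, storepath, &storepath_len, 0) == 0
        && log_ready(storepath, sizeof(storepath)))
        printf("delete file: %s (%zu bytes)\n", storepath, storepath_len);

    /* 20-byte directory + 108-byte name would occupy all 128 bytes: rejected. */
    char longname[108];
    memset(longname, 'A', sizeof(longname));
    storepath_len = sizeof(storepath);
    printf("full-buffer name rejected: %s\n",
           build_store_path_safe(longname, sizeof(longname), storepath,
                                 &storepath_len, 0) == -1 ? "yes" : "no");
    return 0;
}
```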

Affected Devices

We have verified that the vulnerabilities impacted the following device(s):

  • Kirin 990: P40 Pro (ELS)

Please note that other models might have been affected.

Patch

Name                                  Severity  CVE   Patch
Heap Pointer Leak in delete_node      N/A       N/A   N/A
Memory Disclosure in bc_delete_file   N/A       N/A   N/A

Timeline

  • Dec. 22, 2021 - A vulnerability report is sent to Huawei PSIRT.
  • Jan. 12, 2022 - Huawei PSIRT acknowledges the vulnerability report and replies that this TA is deprecated.
  • From Nov. 30, 2022 to Jul. 19, 2023 - We exchange regularly about the release of our advisories.