Huawei TrustZone CHINADRM_KEY_TA Vulnerability
This advisory contains information about the following vulnerabilities:

TEE_Param Output Buffer Overflow in TZ_CDRM_KeyPrivateKeyDecrypt

In the TZ_CDRM_KeyPrivateKeyDecrypt function, the size of the third TEE_Param, which is an output buffer, is forcefully set to 0x100. The function doesn't check whether the actual size of the output buffer is at least 0x100, only that it is smaller than 0x500000.

int TZ_CDRM_KeyPrivateKeyDecrypt(
        int ival0_a,
        int ival0_b,
        void *ibuf1_addr,
        size_t ibuf1_size,
        void *ibuf2_addr,
        size_t ibuf2_size,
        void *obuf3_addr,
        size_t *obuf3_size_p)
{
    // ...
    // Only an upper bound is enforced on the caller-supplied output size.
    if (*obuf3_size_p > 0x500000) { /* ... */ }
    // ...
    CDRM_KeyGetKeyNode(ival0_a, &cdrmNode);
    // ...
    if ((ival0_b == 4 || ival0_b == 5) && cdrmNode->prvKeyBuf_len > 0xC0) {
        // The output size is overwritten with 0x100 regardless of the actual buffer size.
        *obuf3_size_p = 0x100;
        return CDRM_KeyRsaPrivateKeyDecrypt(
            cdrmNode,
            ibuf1_addr,
            ibuf2_addr,
            ibuf2_size,
            obuf3_addr,
            obuf3_size_p);
    }
    // ...
}

As a result, CDRM_KeyRsaPrivateKeyDecrypt and the functions it calls can overflow the output buffer.

int CDRM_KeyRsaPrivateKeyDecrypt(
        CDRM_KeyNode_t *cdrmNode,
        void *ibuf1_addr,
        void *ibuf2_addr,
        size_t ibuf2_size,
        void *obuf3_addr,
        size_t *obuf3_size_p)
{
    // ...
    // The forced size of 0x100 is passed down unchanged.
    CDRMR_Crypto_RsaDecrypt(4, key, ibuf2_addr, ibuf2_size, obuf3_addr, obuf3_size_p);
    // ...
}

int CDRMR_Crypto_RsaDecrypt(
        int a1,
        void *key,
        const void *srcData,
        uint32_t srcLen,
        void *destData,
        uint32_t *destLen_p)
{
    // ...
    // destLen is derived from *destLen_p (elided); the decryption writes up to that many bytes.
    TEE_AsymmetricDecrypt(operation, &attr, 1, srcData, srcLen, destData, &destLen);
    // ...
}

Because each TEE_Param is located on its own set of memory pages, this won't have a visible impact (e.g. a crash). Thus, we did not attempt to trigger the vulnerability.
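The following example, added here and not part of the original advisory nor of Huawei's TA code, models the size handling described above in plain C. The TEE status codes, the 0x500000 upper bound and the forced 0x100 output length are taken from the advisory; the stand-in RSA decryption, the function names and the use of a local arena to keep the demonstration itself in bounds are assumptions. It contrasts the advisory's check (an upper bound only) with a hardened variant that treats the caller-declared length as the capacity of the output buffer and returns TEE_ERROR_SHORT_BUFFER instead of writing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in constants (GP TEE Internal Core API values; not taken from Huawei headers). */
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u
#define TEE_ERROR_SHORT_BUFFER   0xFFFF0010u

#define CDRM_MAX_OUTPUT 0x500000u   /* only bound the TA enforces, per the advisory */
#define CDRM_RSA_OUTPUT 0x100u      /* size the TA forces into the third TEE_Param */

/*
 * Hypothetical model of TZ_CDRM_KeyPrivateKeyDecrypt's output handling.
 * hardened == 0 reproduces the advisory's logic; hardened != 0 adds the missing check.
 * *written reports how many bytes the (stand-in) decryption stored into obuf.
 */
uint32_t cdrm_private_key_decrypt(uint8_t *obuf, size_t *obuf_size_p,
                                  int hardened, size_t *written)
{
    *written = 0;

    /* Advisory: the only check present rejects buffers larger than 0x500000. */
    if (*obuf_size_p > CDRM_MAX_OUTPUT)
        return TEE_ERROR_BAD_PARAMETERS;

    /* Missing check: the caller-declared length is the capacity we may write. */
    if (hardened && *obuf_size_p < CDRM_RSA_OUTPUT) {
        *obuf_size_p = CDRM_RSA_OUTPUT;   /* tell the caller the required size */
        return TEE_ERROR_SHORT_BUFFER;    /* and write nothing */
    }

    /* Advisory: size is overwritten with 0x100 before decrypting. */
    *obuf_size_p = CDRM_RSA_OUTPUT;

    /* Stand-in for TEE_AsymmetricDecrypt: fills *obuf_size_p bytes of constructed plaintext. */
    memset(obuf, 0xAB, *obuf_size_p);
    *written = *obuf_size_p;
    return TEE_SUCCESS;
}

/* Returns the status code the model produces for a given declared output length. */
uint32_t status_for(size_t declared_len, int hardened)
{
    uint8_t arena[CDRM_RSA_OUTPUT];   /* backs the full 0x100 so the demo stays in bounds */
    size_t size = declared_len, written = 0;
    return cdrm_private_key_decrypt(arena, &size, hardened, &written);
}

/* Returns how many bytes were written past the caller-declared capacity (0 if none). */
size_t overflow_bytes(size_t declared_len, int hardened)
{
    uint8_t arena[CDRM_RSA_OUTPUT];
    size_t size = declared_len, written = 0;
    cdrm_private_key_decrypt(arena, &size, hardened, &written);
    return written > declared_len ? written - declared_len : 0;
}

int main(void)
{
    size_t declared = 0x40;   /* constructed: a caller buffer smaller than 0x100 */
    printf("declared=0x%zx original: status=0x%08x overflow=0x%zx bytes\n",
           declared, status_for(declared, 0), overflow_bytes(declared, 0));
    printf("declared=0x%zx hardened: status=0x%08x overflow=0x%zx bytes\n",
           declared, status_for(declared, 1), overflow_bytes(declared, 1));
    return 0;
}
```

With a declared length of 0x40, the original logic reports success and writes 0xC0 bytes beyond the declared buffer, while the hardened variant returns TEE_ERROR_SHORT_BUFFER with the required size and writes nothing. Declared lengths of 0x100 or more are accepted by both, and anything above 0x500000 is rejected by both.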

Affected Devices

We have verified that the vulnerability impacted the following device(s):

  • Kirin 990: P40 Pro (ELS)

Please note that other models might have been affected.

Patch

Name                                                               Severity  CVE  Patch
TEE_Param Output Buffer Overflow in TZ_CDRM_KeyPrivateKeyDecrypt  Low       N/A  Fixed

Timeline

  • Dec. 14, 2021 - A vulnerability report is sent to Huawei PSIRT.
  • Jan. 12, 2022 - Huawei PSIRT acknowledges the vulnerability report.
  • From Nov. 30, 2022 to Jul. 19, 2023 - We exchange regularly about the release of our advisories.