Huawei TrustZone Ifaa Vulnerability
This advisory contains information about the following vulnerabilities:

Stack Buffer Overflow in parcel_read_ifaa_cert

The parcel_read_ifaa_cert function is used to parse a certificate from a user-controlled parcel.

int parcel_read_ifaa_cert(parcel_t *parcel_in, cert_t *cert) {
    // ...error checking omitted...
    // Each length is taken from the parcel and used directly as the copy size,
    // without being compared against the capacity of the destination field.
    parcel_read_uint32(parcel_in, &cert->size_n);
    parcel_read(parcel_in, cert->n, cert->size_n);
    parcel_read_uint32(parcel_in, &cert->size_e);
    parcel_read(parcel_in, cert->e, cert->size_e);
    parcel_read_uint32(parcel_in, &cert->sign_len);
    parcel_read(parcel_in, cert->sign, cert->sign_len);
    // ...
}

It fills a cert_t structure with the information extracted from the parcel. Each field of the structure has a fixed maximum size, and the function reads the actual size from the parcel before copying the data into the corresponding field. The function doesn't check that the size read from the parcel is smaller than the fixed maximum size before performing the copy.

struct cert_t
{
  int enc_alg;
  int size_n;
  char n[256];
  int size_e;
  char e[256];
  char sign[256];
  int sign_len;
};

Since the cert_t structure is allocated on the stack of the caller function ifaa_decode_cert_chain_inner, an oversized length results in a stack buffer overflow.

int ifaa_decode_cert_chain_inner(parcel_t *parcel_in, cert_chain_t *chain) {
    // ...
    cert_t cert;  // fixed-size structure living on the caller's stack
    // ...
    parcel_read_cert(parcel_in, &cert);
    // ...
}

int parcel_read_cert(parcel_t *parcel_in, cert_t *cert) {
    // ...
    return parcel_read_ifaa_cert(parcel_in, cert);
}
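The missing check described above is the whole bug: a length taken from untrusted input is used as a copy size without being compared to the destination capacity. The following is an added, self-contained example (not Impalabs' or Huawei's code) of how the same parser can be written so that each length is bounded by the field it is copied into and by the bytes remaining in the parcel. The parcel layout (a little-endian uint32 length followed by raw bytes), the parcel_t type, and the helper and function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical parcel layout: little-endian u32 length followed by raw bytes. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } parcel_t;

/* Same field sizes as the cert_t structure described in the advisory. */
struct cert_t { int enc_alg; int size_n; char n[256]; int size_e; char e[256]; char sign[256]; int sign_len; };

static int parcel_read(parcel_t *p, void *dst, size_t n) {
    if (n > p->len - p->pos) return -1;          /* never read past the end of the parcel */
    memcpy(dst, p->data + p->pos, n);
    p->pos += n;
    return 0;
}

static int parcel_read_uint32(parcel_t *p, uint32_t *out) {
    uint8_t b[4];
    if (parcel_read(p, b, 4) != 0) return -1;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* Read one length-prefixed field, rejecting lengths larger than the destination buffer. */
static int parcel_read_bounded(parcel_t *p, char *dst, size_t cap, int *out_len) {
    uint32_t n;
    if (parcel_read_uint32(p, &n) != 0) return -1;
    if (n > cap) return -1;                      /* the bound check the vulnerable code lacks */
    if (parcel_read(p, dst, n) != 0) return -1;
    *out_len = (int)n;
    return 0;
}

int parcel_read_ifaa_cert_checked(parcel_t *p, struct cert_t *cert) {
    memset(cert, 0, sizeof(*cert));
    if (parcel_read_bounded(p, cert->n, sizeof cert->n, &cert->size_n)) return -1;
    if (parcel_read_bounded(p, cert->e, sizeof cert->e, &cert->size_e)) return -1;
    if (parcel_read_bounded(p, cert->sign, sizeof cert->sign, &cert->sign_len)) return -1;
    return 0;
}

/* Constructed well-formed input: n = "abc" (3 bytes), e = 0x03 (1 byte), sign = "xy" (2 bytes). */
static const uint8_t GOOD_PARCEL[] = { 3,0,0,0, 'a','b','c', 1,0,0,0, 0x03, 2,0,0,0, 'x','y' };
/* Constructed malformed input: claims a 4096-byte modulus, which must be rejected, not copied. */
static const uint8_t BAD_PARCEL[]  = { 0x00,0x10,0,0, 'a','b','c' };

int parse_ifaa_cert_bytes(const uint8_t *buf, size_t len, struct cert_t *cert) {
    parcel_t p = { buf, len, 0 };
    return parcel_read_ifaa_cert_checked(&p, cert);
}
```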

Proof of concept code triggering this stack buffer overflow results in the following crash:

[HM] lv = 3a703fc
[HM] ======================Fatal Error===================
[HM] Crash: __stack_chk_fail
[HM] [ERROR][2519]process 1e00000028 (tid: 40) instruction fault: 
[HM] [ERROR][2520]Bad addr: 0xffffff9da0a01c94
[HM] Dump task states for tcb
[HM] ----------
[HM]     name=[ifaa] tid=40 is-idle=0 is-curr=0
[HM]     state=BLOCKED@MEMFAULT sched.pol=0 prio=46 queued=1
[HM]     aff[0]=ff
[HM]     flags=1000 smc-switch=0 ca=8382 prefer-ca=8382
[HM] Registers dump:
[HM] ----------
[HM] 32 bits userspace stack dump:
[HM] ----------
[HM] <__stack_chk_fail+0x3c/0x40>
[HM] <__stack_chk_fail>+0x38/0x40
[HM] Dump task states END
[HM]

Affected Devices

We have verified that the vulnerability impacted the following device(s):

  • Kirin 990: P40 Pro (ELS)

Please note that other models might have been affected.

Patch

Name                                            Severity  CVE             Patch
Stack Buffer Overflow in parcel_read_ifaa_cert  High      CVE-2021-40050  March 2022

Timeline

  • Dec. 13, 2021 - A vulnerability report is sent to Huawei PSIRT.
  • Jan. 12, 2022 - Huawei PSIRT acknowledges the vulnerability report.
  • Mar. 01, 2022 - Huawei PSIRT states that this issue was fixed in the March 2022 update.
  • From Nov. 30, 2022 to Jul. 19, 2023 - We are regularly in contact regarding the release of our advisories.