impalabs space base graphics
Huawei TrustZone IfaaKey_TA Vulnerability
Tags icon Android Tags icon Huawei Tags icon TrustZone Tags icon Trustlet Tags icon Vulnerability
This advisory contains information about the following vulnerabilities:

Parameter Pointers Information Leak in CmdSignWithCert

There is an information leak in the command CmdSignWithCert (ID #0x10013). When a user specifies a length different from 0x100 for the TEE_Param output buffer, the execution reaches a code path that outputs the addresses of the two TEE_Param buffers into the logs (accessible using logcat). Furthermore, it reveals that they are always mapped at the same address.

uint32_t CmdSignWithCert(
    void *sessionContext, uint32_t paramTypes, TEE_Param params[4])
{
    // [...]
    if ( !params[0].memref.size || params[1].memref.size != 0x100 )
    {
        SLog("%s: Params is invalid.\n\n", "CmdSignWithCert");
        SLog(
            "%s: Input %x, output %x, inputSize %d, outputSize %d.\n\n",
            "CmdSignWithCert",
            params[0].memref.buffer,
            params[1].memref.buffer,
            params[0].memref.size,
            params[1].memref.size);
        params[1].memref.size = 0;
        return 0xFFFF0006;
    }
    // [...]

Affected Devices

We have verified that the vulnerability impacted the following device(s):

  • Kirin 990: P40 Pro (ELS)

Please note that other models might have been affected.

Patch

Name Severity CVE Patch
Parameter Pointers Information Leak in CmdSignWithCert Low N/A Fixed

Timeline

  • Jan. 07, 2022 - A vulnerability report is sent to Huawei PSIRT.
  • Mar. 22, 2022 - Huawei PSIRT acknowledges the vulnerability report.
  • From Nov. 30, 2022 to Jul, 19 2023 - We exchange regularly about the release of our advisories.