Huawei TrustZone TA_SensorInfo Vulnerability
This advisory contains information about the following vulnerabilities:

Multiple TEE_Param Pointer Leaks in TA_InvokeCommandEntryPoint

In the function TA_InvokeCommandEntryPoint, the parameter types are only verified after the parameters have already been used in the logging function SLog. Because TEE_Param is a union, params[0].value.a aliases the start of params[0].memref.buffer: a client that sets paramTypes to 5 (TEE_PARAM_TYPE_MEMREF_INPUT for parameter 0, where the TA expects 3, TEE_PARAM_TYPE_VALUE_INOUT) gets the address of its input buffer (its low 32 bits on a 64-bit TA) written to the log before the type check rejects the request. This discloses sensitive information, here the address at which a TEE_Param input buffer is mapped, which could then be used to launch further attacks.

TEE_Result TA_InvokeCommandEntryPoint(
        void *sessionContext,
        uint32_t commandID,
        uint32_t paramTypes,
        TEE_Param params[4])
{
    switch (commandID) {
        case 1:
            // [...]
            // params[0] is read here, before paramTypes has been checked
            SLog("%s: FP_SENSOR_INFO_GET_CMD_ID: data:%d\n", "[Trace]",
                params[0].value.a);
            // 3 == TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INOUT, NONE, NONE, NONE)
            if (paramTypes != 3)
                return 0xFFFF0006; // TEE_ERROR_BAD_PARAMETERS
            // [...]
            break;
        case 2:
            // [...]
            // same pattern: log first, validate second
            SLog("%s: PRODUCT_INFO_GET_CMD_ID: data:%d\n", "[Trace]",
                params[0].value.a);
            if (paramTypes != 3)
                return 0xFFFF0006; // TEE_ERROR_BAD_PARAMETERS
            // [...]
            break;
        case 3:
            // [...]
            // same pattern: log first, validate second
            SLog("%s: DISABLE_SENSOR_CMD_ID: data:%d\n", "[Trace]",
                params[0].value.a);
            if (paramTypes != 3)
                return 0xFFFF0006; // TEE_ERROR_BAD_PARAMETERS
            // [...]
            break;
        // [...]
    }
    // [...]
}

The bug can be triggered with a proof-of-concept client that invokes command 1 with paramTypes set to 5. The TA logs the address of the TEE_Param input buffer (1879060480, i.e. 0x70003000) before rejecting the parameter types:

[TA_SensorInfo-1] [Trace]: FP_SENSOR_INFO_GET_CMD_ID: data:1879060480
[TA_SensorInfo-1] [Error]: FP_SENSOR_INFO_GET_CMD_ID: Bad expected parameter types
[TA_SensorInfo-1] [Error]: FP_SENSOR_INFO_GET_CMD_ID: get sensor infro failed!
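The following is an added example, not code from the advisory or from the TA itself. It models the faulty ordering above against a minimal subset of the GlobalPlatform TEE Internal Core API (the constants and the TEE_Param union layout are the standard ones; SLog is replaced by a returned struct so the leaked value can be checked), and shows the hardened ordering beside it. The client request, including the buffer address 0x70003000, is constructed to match the PoC output and is never dereferenced; the names handler_vulnerable, handler_hardened, build_memref_request and struct outcome are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Minimal subset of the GlobalPlatform TEE Internal Core API, enough to
 * model the handler. The constants match the GP specification; memref and
 * value overlap at offset 0 of the union, which is what makes the leak work.
 */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u

#define TEE_PARAM_TYPE_NONE          0u
#define TEE_PARAM_TYPE_VALUE_INOUT   3u
#define TEE_PARAM_TYPE_MEMREF_INPUT  5u

/* Four 4-bit type fields, parameter 0 in the low nibble. */
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
    (((t0) & 0xFu) | (((t1) & 0xFu) << 4) | (((t2) & 0xFu) << 8) | (((t3) & 0xFu) << 12))

typedef union {
    struct { void *buffer; uint32_t size; } memref;
    struct { uint32_t a; uint32_t b; } value;
} TEE_Param;

/* What one handler invocation produced; stands in for the SLog output. */
struct outcome {
    TEE_Result result;
    int logged;            /* 1 if the SLog call was reached */
    uint32_t logged_value; /* the %d argument it would have printed */
};

/* Types these commands expect: params[0] is VALUE_INOUT, the rest unused. */
static const uint32_t EXPECTED_TYPES =
    TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INOUT, TEE_PARAM_TYPE_NONE,
                    TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE); /* == 3 */

/* Vulnerable ordering, as in the TA: log first, validate second. */
static struct outcome handler_vulnerable(uint32_t paramTypes, TEE_Param params[4])
{
    struct outcome o = { TEE_SUCCESS, 0, 0 };
    /* If the client sent a MEMREF type, value.a reads the low 32 bits of
       memref.buffer (little-endian), i.e. the buffer address. */
    o.logged = 1;
    o.logged_value = params[0].value.a;
    if (paramTypes != EXPECTED_TYPES)
        o.result = TEE_ERROR_BAD_PARAMETERS;
    return o;
}

/* Hardened ordering: validate the type mask before touching the union. */
static struct outcome handler_hardened(uint32_t paramTypes, TEE_Param params[4])
{
    struct outcome o = { TEE_SUCCESS, 0, 0 };
    if (paramTypes != EXPECTED_TYPES) {
        o.result = TEE_ERROR_BAD_PARAMETERS;
        return o;          /* nothing read, nothing logged */
    }
    o.logged = 1;
    o.logged_value = params[0].value.a;
    return o;
}

/* Constructed client request: a MEMREF_INPUT whose buffer address is a fake
   value chosen to match the advisory's PoC output. It is never dereferenced. */
#define FAKE_BUFFER_ADDRESS 0x70003000u

static uint32_t build_memref_request(TEE_Param params[4])
{
    memset(params, 0, 4 * sizeof(TEE_Param));
    params[0].memref.buffer = (void *)(uintptr_t)FAKE_BUFFER_ADDRESS;
    params[0].memref.size = 0x100;
    return TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT, TEE_PARAM_TYPE_NONE,
                           TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE); /* == 5 */
}

struct outcome demo_vulnerable(void)
{
    TEE_Param params[4];
    uint32_t types = build_memref_request(params);
    return handler_vulnerable(types, params);
}

struct outcome demo_hardened(void)
{
    TEE_Param params[4];
    uint32_t types = build_memref_request(params);
    return handler_hardened(types, params);
}

int main(void)
{
    struct outcome v = demo_vulnerable(), h = demo_hardened();
    printf("vulnerable: result=0x%08x logged=%d data:%u (0x%x)\n",
           (unsigned)v.result, v.logged, (unsigned)v.logged_value, (unsigned)v.logged_value);
    printf("hardened:   result=0x%08x logged=%d\n", (unsigned)h.result, h.logged);
    return 0;
}
```

Both handlers return TEE_ERROR_BAD_PARAMETERS for the malformed request; the difference is only that the vulnerable one has already emitted the buffer address (1879060480 as a %d) by the time it does so. Checking paramTypes against a TEE_PARAM_TYPES mask as the first statement of each command handler, before any field of params is read, is the fix.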

Affected Devices

We have verified that the vulnerability impacted the following device(s):

  • Kirin 990: P40 Pro (ELS)

Please note that other models might have been affected.

Patch

Name:     Multiple TEE_Param Pointer Leaks in TA_InvokeCommandEntryPoint
Severity: Low
CVE:      N/A
Patch:    Fixed

Timeline

  • Jan. 24, 2022 - A vulnerability report is sent to Huawei PSIRT.
  • Mar. 22, 2022 - Huawei PSIRT acknowledges the vulnerability report.
  • From Nov. 30, 2022 to Jul. 19, 2023 - We exchange regularly about the release of our advisories.
  • Jul. 03, 2023 - Huawei PSIRT informs us that some of the vulnerabilities are not patched and will be fixed in the August 2023 update.