Huawei TrustZone TCIS Vulnerability
This advisory contains information about the following vulnerabilities:

Heap Pointer Leak in AuthAckSlave

The AuthAckSlave function contains a call to the SLog function that leaks a pointer to a heap-allocated buffer. If GetAuthSession fails, AuthAckSlave prints the session pointer into the logs (which are accessible using logcat).

int AuthAckSlave(parcel_t *parcel_in, parcel_t *parcel_out) {
    // ...
    session = 0;
    create_tlv_cmd9_in(&tlv_in, 0xFFFF);
    create_tlv_cmd9_out(&tlv_out, 0xFFFF);
    decode_reg_tlv(&tlv_in.header.header, parcel_in);
    // ...
    // session receives a pointer to the heap-allocated session buffer
    ret = GetAuthSession(&tlv_in.field_28.value, &session);
    if (ret) {
        // On failure the raw heap pointer is written to the log
        SLog("%s: GetAuthSession ret is %x and session data p is %x!!\n\n", "[Error]", ret, session);
    }
    // ...
}
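The following is an added example, not code from the advisory or from Huawei's TCIS, showing the logging pattern above next to a hardened variant that logs a keyed hash of the pointer instead of its raw value, plus a helper that checks a log line for the leak. The hash key is a constant placeholder standing in for a per-boot random secret, and keyed FNV-1a stands in for a proper keyed hash such as SipHash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Placeholder per-boot secret (assumption: a real TEE would draw this
   from its hardware RNG once at boot and never expose it). */
static const uint64_t g_ptr_hash_key = 0x9e3779b97f4a7c15ULL;

/* Keyed FNV-1a over the pointer bytes: the log keeps a stable
   correlation id for the session without revealing its heap address. */
uint32_t hash_ptr(const void *p) {
    uint64_t h = 0xcbf29ce484222325ULL ^ g_ptr_hash_key;
    uintptr_t v = (uintptr_t)p;
    for (size_t i = 0; i < sizeof v; i++) {
        h ^= (v >> (8 * i)) & 0xffu;
        h *= 0x100000001b3ULL;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* Pattern from the advisory: the raw session pointer goes to the log.
   snprintf stands in for SLog so the line can be inspected. */
int log_error_vulnerable(char *out, size_t n, int ret, const void *session) {
    return snprintf(out, n,
        "[Error]: GetAuthSession ret is %x and session data p is %x!!\n",
        ret, (unsigned)(uintptr_t)session);
}

/* Hardened variant: return code plus a hashed pointer only. */
int log_error_hardened(char *out, size_t n, int ret, const void *session) {
    return snprintf(out, n,
        "[Error]: GetAuthSession ret is %x (session id %08x)\n",
        ret, hash_ptr(session));
}

/* Audit helper: does this log line contain the pointer's raw hex value? */
int line_leaks_ptr(const char *line, const void *p) {
    char hex[32];
    snprintf(hex, sizeof hex, "%x", (unsigned)(uintptr_t)p);
    return strstr(line, hex) != NULL;
}

int main(void) {
    char buf[160];
    const void *fake = (const void *)(uintptr_t)0x71234560u; /* constructed */
    log_error_vulnerable(buf, sizeof buf, 0x12, fake);
    printf("vulnerable: %sleaks=%d\n", buf, line_leaks_ptr(buf, fake));
    log_error_hardened(buf, sizeof buf, 0x12, fake);
    printf("hardened:   %sleaks=%d\n", buf, line_leaks_ptr(buf, fake));
    return 0;
}
```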

Affected Devices

We have verified that the vulnerability impacted the following device(s):

  • Kirin 990: P40 Pro (ELS)

Please note that other models might have been affected.

Patch

Name                               Severity  CVE  Patch
Heap Pointer Leak in AuthAckSlave  Low       N/A  Fixed

Timeline

  • Dec. 21, 2021 - A vulnerability report is sent to Huawei PSIRT.
  • Jan. 12, 2022 - Huawei PSIRT acknowledges the vulnerability report.
  • From Nov. 30, 2022 to Jul. 19, 2023 - We exchange regularly about the release of our advisories.