impalabs space base graphics
Huawei TrustZone TCIS Vulnerability
This advisory contains information about the following vulnerabilities:

Heap Pointer Leak in AuthAckSlave

The AuthAckSlave function contains a call to the SLog function that leaks a pointer to a heap allocated buffer. If GetAuthSession failed, AuthAckSlave will print the session pointer into the logs (there are accessible using logcat).

int AuthAckSlave(parcel_t *parcel_in, parcel_t *parcel_out) {
    // ...
    session = 0;
    create_tlv_cmd9_in(&tlv_in, 0xFFFF);
    create_tlv_cmd9_out(&tlv_out, 0xFFFF);
    decode_reg_tlv(&tlv_in.header.header, parcel_in);
    // ...
    ret = GetAuthSession(&tlv_in.field_28.value, &session);
    if (ret) {
        SLog("%s: GetAuthSession ret is %x and session data p is %x!!\n\n", "[Error]", ret, session);
    // ...

Affected Devices

We have verified that the vulnerability impacted the following device(s):

  • Kirin 990: P40 Pro (ELS)

Please note that other models might have been affected.


Name Severity CVE Patch
Heap Pointer Leak in AuthAckSlave Low N/A Fixed


  • Dec. 21, 2021 - A vulnerability report is sent to Huawei PSIRT.
  • Jan. 12, 2022 - Huawei PSIRT acknowledges the vulnerability report.
  • From Nov. 30, 2022 to Jul, 19 2023 - We exchange regularly about the release of our advisories.