Impalabs
Blogposts by Alexandre Adamski

All recent Huawei devices ship with a security hypervisor, a defense-in-depth measure designed to enhance kernel security. Unlike other OEMs, Huawei encrypts this privileged piece of software, which is why it has received little to no public scrutiny. With this blog post, we aim to shed light on its inner workings and provide an in-depth analysis of its implementation, from its entry point to the functions dedicated to protecting the kernel at runtime.

This is a follow-up to our compendium blog post that presented the internals of Samsung's security hypervisor, including all the nitty-gritty details. This extensive knowledge is put to use in today's blog post that explains how we attacked Samsung RKP. After revealing three vulnerabilities leading to the compromise of the hypervisor or of its assurances, we also describe the exploitation paths we came up with. Finally, we take a look at the patches made by Samsung following our report.

The purpose of this blog post is to provide a comprehensive reference of the inner workings of Samsung RKP. It enables anyone to start poking at this obscure code that executes at a high privilege level on their device. In addition, a now-fixed vulnerability that allowed gaining code execution in Samsung RKP is revealed. It is a good example of a simple mistake that compromises platform security: the exploit consists of a single call, which is all it takes to make hypervisor memory writable from the kernel.

Advisories by Alexandre Adamski
HWPSIRT-2021-14294 Heap Pointer Leak in delete_node
HWPSIRT-2021-17285 Memory Disclosure in bc_delete_file
CVE-2021-40052 Wrong memcpy_s Destination Sizes in CencDecrypt
HWPSIRT-2021-27669 Lack of Locking when Accessing Global Variables
HWPSIRT-2021-11381 Opening Sessions Before Initialization
HWPSIRT-2021-11309 Session IDs Are Pointers
HWPSIRT-2021-03315 TEE_Param Output Buffer Overflow in TZ_CDRM_KeyPrivateKeyDecrypt
HWPSIRT-2021-49134 Stack Buffer Overflow in TA_GetPayload
HWPSIRT-2021-68415 Heap Buffer Overflows and Stack Buffer Overreads in TA_DecryptSKWithCBC and TA_DecryptSKWithGCM
HWPSIRT-2021-53459 Heap Buffer Overflow in TA_Gen_Sysintegrity_Jws
HWPSIRT-2021-45148 Param Buffer Overread in TA_GetPayload
HWPSIRT-2021-18937 Param Buffer Overread in TA_GetSysintegritySignStr
HWPSIRT-2021-61962 Param Buffer Overread in TA_DecryptKEK
HWPSIRT-2021-22378 Param Buffer Overread in hkdf_expand
HWPSIRT-2021-18804 Limited Out of Bounds Accesses in CMD_TSS_GET_PKI_CERT and CmdVerifySignature
CVE-2021-39996 Buffer Overflow in SplitAidStrtok
CVE-2021-40017 Write of Arbitrary Data to sec_storage_data/PKI/
CVE-2021-40040 Write of Controlled Params Set in generate_keyblob
CVE-2021-46887 Integer Overflow in ber_pop_front
HWPSIRT-2021-26563 Stack Address Leak in cmd_verify_key
HWPSIRT-2021-07329 Integer Overflow in ber_init
HWPSIRT-2021-63468 Logic Issue in verify_root_cert
HWPSIRT-2021-73188 Stack Buffer Overflow in get_soter_cpuid
HWPSIRT-2021-53224 OOB Access in get_soter_cpuid
CVE-2021-40050 Stack Buffer Overflow in parcel_read_ifaa_cert
HWPSIRT-2022-07574 Parameter Pointers Information Leak in CmdSignWithCert
CVE-2021-40020 OOB Access in CmdInitObjectWithKeys
HWPSIRT-2022-12799 Incomplete Caller Verification
HWPSIRT-2022-38244 Stack Buffer Overflow in GetCardALLByIndexV2
HWPSIRT-2022-13974 Stack Buffer Overflow in genOffPayCodeSeedParam
HWPSIRT-2022-57851 Stack Buffer Overflows in decodeCRSCert
HWPSIRT-2022-20808 Heap Buffer Overflow in initPayCodeHead
HWPSIRT-2022-94156 Heap Buffer Overread in isSamePayCodeSeed
HWPSIRT-2022-46681 Heap Buffer Overread in transferV1ToV2Paycode
HWPSIRT-2022-67754 OOB Accesses in CmdWalletGenPayCodeSeedParam
HWPSIRT-2022-31335 OOB Accesses in CmdWalletSavePayCodeSeed
HWPSIRT-2022-39460 OOB Accesses in CmdWalletSetPayCodeAuthInfo
HWPSIRT-2022-45266 OOB Accesses in CmdWalletGetTrafficPayCode
HWPSIRT-2022-28524 OOB Accesses in CmdWalletGetFinancePayCode
HWPSIRT-2022-82607 OOB Accesses in CmdWalletVerifyPayCodeAuthInfo
HWPSIRT-2022-61804 OOB Access in SendSetStatusCmd
HWPSIRT-2022-31800 Param Buffer Overflow in CmdWalletGetCardByIndex
HWPSIRT-2022-70865 Param Buffer Overreads in CmdWalletApplyEnableAndDisableCardToI2C
HWPSIRT-2022-85843 Param Buffer Overreads in CmdWalletActivateCardByBiometricsId
HWPSIRT-2022-55550 Param Buffer Overreads in CmdWalletVerifySwipeCard
HWPSIRT-2022-25279 Multiple TEE_Param Pointer Leaks in TA_InvokeCommandEntryPoint
CVE-2022-46316 Param Buffer Overflow in TA_fp_tee_get_indices
HWPSIRT-2022-16269 Code Pointer Leak in lib_sync_sensor_info
HWPSIRT-2022-64748 Lack of Locking when Accessing Global Variables
CVE-2021-40023 Generic ASLR Bypass Using TALoader's Information
CVE-2021-46813 Missing Length Checks in GetOCSPResponse
CVE-2021-46813 Missing Length and Offset Checks in NOVEL_CHDRM_Copyordecrypt
CVE-2021-46813 Missing Length Checks in NOVEL_CHDRM_SetDRMCertData
CVE-2021-40062 Missing Length Check in DRM_Secure_Store_Read
CVE-2021-40056 Missing Length Check in getvaluewithtypeandindex
CVE-2021-40057 Missing Length Checks in Secure_Store_EncryptWrite and Secure_Store_PlainWrite
CVE-2021-40058 Missing Length Checks in NOVEL_CHDRM_SetRegisterResData
CVE-2021-40060 Missing / Faulty Length Checks When Calling NOVEL_CHDRMw_MemCompare
CVE-2021-46813 Integer Underflow in find_tlv_data
CVE-2022-39003 OOB Accesses in getvaluewithtypeandindex
HWPSIRT-2022-77114 Unchecked Malloc Return Values
HWPSIRT-2021-84851 Missing Length Check in pack_tlv_data
HWPSIRT-2021-40855 Missing Length Checks After Calling unpack_tlv_data
HWPSIRT-2021-36582 Stack / Heap / BSS Pointer Leaks in DRM_AES_Encrypt_xxx
HWPSIRT-2021-78954 Integer Underflow in unpack_tlv_data
HWPSIRT-2021-41488 Heap Pointer Leak in AuthAckSlave
CVE-2021-40028 OOB Access in the Encap_tlv_for_hash_zip Function
CVE-2021-40018 OOB Access in the get_sec_image_zip Function
CVE-2021-40021 Parameter Pointers Information Leak in the check_xxx_params Functions
CVE-2021-40025 Heap Pointers Information Leak in the eid_malloc, eid_free, malloc_eid_buffer and free_eid_buffer Functions
HWPSIRT-2021-67370 Stack Buffer Overflow in UnwrapKeyHandle
CVE-2022-48479 Unverified Param Types in FI_onExec
CVE-2022-48478 OOB Write in HiAiManager::loadModelFromBuffers
CVE-2022-48480 Integer Overflow in FR_TA_CoAuthSignImg
HWPSIRT-2022-47870 Param OOB Access in FI_onExec
HWPSIRT-2022-11475 Null Pointer Dereference in MsgController::_sendMsg
HWPSIRT-2022-62681 Physical Address Leak in the Trustlet Function FR_TA_CoAuthSignImg
HWPSIRT-2022-97884 Param Pointer Leak in the Trustlet Function FR_GetHwAuthToken
HWPSIRT-2022-28444 Param Pointer Leaks in the Trustlet Function FR_ActiveUserSet
HWPSIRT-2022-35074 ION Virtual Address Leak in the Trustlet Function FR_HashCheck
HWPSIRT-2022-75731 Param Pointer Leak in the Trustlet Function FR_GetResultAuthToken
HWPSIRT-2022-84671 Heap Pointer Leak in the Trustlet Function FR_LoadDataBase
HWPSIRT-2022-37694 Heap Pointer Leak in the Trustlet Function FR_FaceFeatureAdd
HWPSIRT-2022-25260 Param Pointer Leaks in the Trustlet Function FR_SetFidoParam
HWPSIRT-2022-80068 Stack Pointer Leak in the Trustlet Function FidoWrapUvt
HWPSIRT-2022-65649 Heap Pointer Leaks in the Trustlet Function FR_UnwrapFeatureData
HWPSIRT-2022-88030 Heap Pointer Leak in the Library Function AlgoManager::createAlgo
HWPSIRT-2022-84485 ION Virtual Memory Address Leak in the Library Function HiAiManager::loadModelFromBuffers
HWPSIRT-2022-14567 ION Physical Memory Leak in the Library Function HiAiManager::runModelInMainThread
HWPSIRT-2022-59214 ION Virtual Memory Address Leak in the Library Function HiAiManager::loadModelFromBuffers
HWPSIRT-2022-77892 ION Virtual Memory Address Leak in the Library Function MemoryManager::alloc
HWPSIRT-2022-10579 ION Virtual Memory Address Leak in the Library Function MemoryManager::free
HWPSIRT-2022-75307 Pointer Leak in the Library Function MsgController::agentLock
HWPSIRT-2022-51942 Heap Pointer Leak in the Library Function CImageBufferAllocator::endAllocatation
HWPSIRT-2022-95703 Heap Pointer Leak in the Library Function CImageBufferAllocator::endAllocatation
HWPSIRT-2022-32077 Heap Pointer Leak in the Library Function CImageBufferAllocator::beginAllocatation
HWPSIRT-2022-41496 Pointer Leak in the Library Function CImageBuffer::delStride
HWPSIRT-2022-32043 Heap Pointer Leak in the Library Function CImageBuffer::fillImage
HWPSIRT-2022-66227 Pointer Leak in the Library Function CImageBuffer::attachBuffer
HWPSIRT-2022-37311 Pointer Leak in the Library Function ImageSourceBase::clear
HWPSIRT-2022-75322 Heap Pointer Leaks in the Library Function PipelineBuilder::createPipeline
HWPSIRT-2022-43439 ION Virtual Addresses Leaks in the Library Function STFaceidAlgo::loadCpuModel
HWPSIRT-2022-24846 ION Virtual Address and Heap Pointer Leak in the Library Function hw_face_quality_estimation
HWPSIRT-2022-13888 Heap Pointer Leaks in the Library Function buffered_free
HWPSIRT-2022-75166 ION Virtual Memory Address Leak in the Library Function st_tee_initialize
HWPSIRT-2022-07617 Heap Pointer Leak in the Library Function st_tee_detect
HWPSIRT-2022-78044 Heap Pointer Leak in the Library Function st_tee_extract
HWPSIRT-2022-97971 Stack Pointer and ION Virtual Address Leaks in the Library Function st_tee_create_handle
HWPSIRT-2022-88935 Heap Pointer Leaks in the Library Function gray16to8_hist
HWPSIRT-2022-21060 Virtual Address Leak in the Library Function HIAI_TensorBuffer_createFromTensorDesc
HWPSIRT-2022-65800 ION Virtual Memory Address Leak in the Library Function HIAI_ModelManager_loadFromModelBuffers
HWPSIRT-2021-29098 Stack and Heap Pointer Leak in FR_AloEnroll
HWPSIRT-2021-28201 Faulty Check in GetPlainDataWhenEnroll
CVE-2021-46881 Heap Buffer Overflow in MDrm_TA_CMD_OEMCrypto_LoadKeys
CVE-2021-40034 Heap Buffer Overflow in MDrm_TA_CMD_OEMCrypto_LoadEntitledContentKeys
CVE-2021-46882 Heap Buffer Overflow in MDrm_TA_CMD_OEMCrypto_RefreshKeys
CVE-2021-46883 Heap Buffer Overflow in MDrm_TA_OEMCryptoUsageTable_LoadUsageTableHeader
CVE-2021-46884 OOB Write access in MDrm_TA_CMD_OEMCrypto_CopyBuffer
CVE-2021-46885 OOB Read Access in MDrm_TA_CMD_Provision_GetRequest
CVE-2021-46886 OOB Read Access in MDrm_TA_CMD_OEMCrypto_RewrapDeviceRSAKey30
CVE-2021-46814 OOB Read Access in MDrm_TA_CMD_OEMCrypto_DecryptCENC
CVE-2021-40036 OOB Access in DecryptData
CVE-2021-40010 Heap Buffer Overflow in SendTaGmmBuf
CVE-2021-40027 OOB Access in restore
CVE-2021-40032 Information Leak in compare
CVE-2021-40014 Information Leak in restore
HWPSIRT-2021-56065 Null Pointer Dereference in CheckModelHash
CVE-2021-40022 Missing Input Parameters Check in InterfaceRead
CVE-2021-39997 IsGmmModelLoaded OOB Access
CVE-2021-39997 InitGetScoreParams OOB Access
CVE-2021-39997 GmmGetScore OOB Access
HWPSIRT-2022-85498 OOB Access in LTopProb
HWPSIRT-2022-62034 Param Buffer Overflow in XvectorLoadModels
HWPSIRT-2022-44993 Param Buffer Overread in InitGetScoreParams
HWPSIRT-2022-46490 Limited Arbitrary Function Call in TA_InvokeCommandEntryPoint
HWPSIRT-2022-09056 Integer Overflows in VSIM_CmdSaveAllMaincard
HWPSIRT-2022-21738 Stack Buffer Overflows in VsimSaveOpiMainParam, VsimSaveOpiSlaveParam and VsimModemSendDhVsimData
HWPSIRT-2022-87812 Param Buffer Overread in GenerateMasterMsg
HWPSIRT-2022-67695 Param Buffer Overflow in VsimEncryptoString
CVE-2023-27326 Directory Traversal Arbitrary File Write Vulnerability
CVE-2021-39994 SMC SE Factory Check OOB Access
CVE-2021-22437 SMC MNTN OOB Access (Integer Overflow)
CVE-2021-39993 SMC MNTN OOB Access (Shared Control Structure)
CVE-2021-39979 OOB Accesses Using the Logging System