docs/security_advisories/security-advisory-tfv-4.rst - filogic/atf - Gitiles

 Advisory TFV-4 (CVE-2017-9607)
 ==============================

 +----------------+-------------------------------------------------------------+
 | Title          | Malformed Firmware Update SMC can result in copy or         |
 |                | authentication of unexpected data in secure memory in       |
 |                | AArch32 state                                               |
 +================+=============================================================+
 | CVE ID         | `CVE-2017-9607`_                                            |
 +----------------+-------------------------------------------------------------+
 | Date           | 20 Jun 2017                                                 |
 +----------------+-------------------------------------------------------------+
 | Versions       | None (only between 22 May 2017 and 14 June 2017)            |
 | Affected       |                                                             |
 +----------------+-------------------------------------------------------------+
 | Configurations | Platforms that use AArch32 BL1 plus untrusted normal world  |
 | Affected       | firmware update code executing before BL31                  |
 +----------------+-------------------------------------------------------------+
 | Impact         | Copy or authentication of unexpected data in the secure     |
 |                | memory                                                      |
 +----------------+-------------------------------------------------------------+
 | Fix Version    | `Pull Request #979`_ (merged on 14 June 2017)               |
 +----------------+-------------------------------------------------------------+
 | Credit         | ARM                                                         |
 +----------------+-------------------------------------------------------------+

 The ``include/lib/utils_def.h`` header file provides the
 ``check_uptr_overflow()`` macro, which aims at detecting arithmetic overflows
 that may occur when computing the sum of a base pointer and an offset. This
 macro evaluates to 1 if the sum of the given base pointer and offset would
 result in a value large enough to wrap around, which may lead to unpredictable
 behaviour.

 The macro code is at line 52, referring to the version of the code as of `commit
 c396b73`_:

 .. code:: c

     /*
      * Evaluates to 1 if (ptr + inc) overflows, 0 otherwise.
      * Both arguments must be unsigned pointer values (i.e. uintptr_t).
      */
     #define check_uptr_overflow(ptr, inc)       \
         (((ptr) > UINTPTR_MAX - (inc)) ? 1 : 0)

 This macro does not work correctly for AArch32 images. It fails to detect
 overflows when the sum of its two parameters fall into the ``[2^32, 2^64 - 1]``
 range. Therefore, any AArch32 code relying on this macro to detect such integer
 overflows is actually not protected.

 The buggy code has been present in ARM Trusted Firmware (TF) since `Pull Request
 #678`_ was merged (on 18 August 2016). However, the upstream code was not
 vulnerable until `Pull Request #939`_ was merged (on 22 May 2017), which
 introduced AArch32 support for the Trusted Board Boot (TBB) feature. Before
 then, the ``check_uptr_overflow()`` macro was not used in AArch32 code.

 The vulnerability resides in the BL1 FWU SMC handling code and it may be
 exploited when *all* the following conditions apply:

 - Platform code uses TF BL1 with the ``TRUSTED_BOARD_BOOT`` build option.

 - Platform code uses the Firmware Update (FWU) code provided in
   ``bl1/bl1_fwu.c``, which is part of the TBB support.

 - TF BL1 is compiled with the ``ARCH=aarch32`` build option.

 In this context, the AArch32 BL1 image might fail to detect potential integer
 overflows in the input validation checks while handling the
 ``FWU_SMC_IMAGE_COPY`` and ``FWU_SMC_IMAGE_AUTH`` SMCs.

 The ``FWU_SMC_IMAGE_COPY`` SMC handler is designed to copy an image into secure
 memory for subsequent authentication. This is implemented by the
 ``bl1_fwu_image_copy()`` function, which has the following function prototype:

 .. code:: c

      static int bl1_fwu_image_copy(unsigned int image_id,
                         uintptr_t image_src,
                         unsigned int block_size,
                         unsigned int image_size,
                         unsigned int flags)

 ``image_src`` is an SMC argument and therefore potentially controllable by an
 attacker. A very large 32-bit value, for example ``2^32 -1``, may result in the
 sum of ``image_src`` and ``block_size`` overflowing a 32-bit type, which
 ``check_uptr_overflow()`` will fail to detect.  Depending on its implementation,
 the platform-specific function ``bl1_plat_mem_check()`` might get defeated by
 these unsanitized values and allow the following memory copy operation, that
 would wrap around.  This may allow an attacker to copy unexpected data into
 secure memory if the memory is mapped in BL1's address space, or cause a fatal
 exception if it's not.

 The ``FWU_SMC_IMAGE_AUTH`` SMC handler is designed to authenticate an image
 resident in secure memory. This is implemented by the ``bl1_fwu_image_auth()``
 function, which has the following function prototype:

 .. code:: c

     static int bl1_fwu_image_auth(unsigned int image_id,
                         uintptr_t image_src,
                         unsigned int image_size,
                         unsigned int flags)

 Similarly, if an attacker has control over the ``image_src`` or ``image_size``
 arguments through the SMC interface and injects high values whose sum overflows,
 they might defeat the ``bl1_plat_mem_check()`` function and make the
 authentication module read data outside of what's normally allowed by the
 platform code or crash the platform.

 Note that in both cases, a separate vulnerability is required to leverage this
 vulnerability; for example a way to get the system to change its behaviour based
 on the unexpected secure memory accesses.  Moreover, the normal world FWU code
 would need to be compromised in order to send a malformed FWU SMC that triggers
 an integer overflow.

 The vulnerability is known to affect all ARM standard platforms when enabling
 the ``TRUSTED_BOARD_BOOT`` and ``ARCH=aarch32`` build options.  Other platforms
 may also be affected if they fulfil the above conditions.

 .. _CVE-2017-9607: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9607
 .. _commit c396b73: https://github.com/ARM-software/arm-trusted-firmware/commit/c396b73
 .. _Pull Request #678: https://github.com/ARM-software/arm-trusted-firmware/pull/678
 .. _Pull Request #939: https://github.com/ARM-software/arm-trusted-firmware/pull/939
 .. _Pull Request #979: https://github.com/ARM-software/arm-trusted-firmware/pull/979
	Advisory TFV-4 (CVE-2017-9607)
	==============================

	+----------------+-------------------------------------------------------------+
	\| Title \| Malformed Firmware Update SMC can result in copy or \|
	\| \| authentication of unexpected data in secure memory in \|
	\| \| AArch32 state \|
	+================+=============================================================+
	\| CVE ID \| `CVE-2017-9607`_ \|
	+----------------+-------------------------------------------------------------+
	\| Date \| 20 Jun 2017 \|
	+----------------+-------------------------------------------------------------+
	\| Versions \| None (only between 22 May 2017 and 14 June 2017) \|
	\| Affected \| \|
	+----------------+-------------------------------------------------------------+
	\| Configurations \| Platforms that use AArch32 BL1 plus untrusted normal world \|
	\| Affected \| firmware update code executing before BL31 \|
	+----------------+-------------------------------------------------------------+
	\| Impact \| Copy or authentication of unexpected data in the secure \|
	\| \| memory \|
	+----------------+-------------------------------------------------------------+
	\| Fix Version \| `Pull Request #979`_ (merged on 14 June 2017) \|
	+----------------+-------------------------------------------------------------+
	\| Credit \| ARM \|
	+----------------+-------------------------------------------------------------+

	The ``include/lib/utils_def.h`` header file provides the
	``check_uptr_overflow()`` macro, which aims at detecting arithmetic overflows
	that may occur when computing the sum of a base pointer and an offset. This
	macro evaluates to 1 if the sum of the given base pointer and offset would
	result in a value large enough to wrap around, which may lead to unpredictable
	behaviour.

	The macro code is at line 52, referring to the version of the code as of `commit
	c396b73`_:

	.. code:: c

	/*
	* Evaluates to 1 if (ptr + inc) overflows, 0 otherwise.
	* Both arguments must be unsigned pointer values (i.e. uintptr_t).
	*/
	#define check_uptr_overflow(ptr, inc) \
	(((ptr) > UINTPTR_MAX - (inc)) ? 1 : 0)

	This macro does not work correctly for AArch32 images. It fails to detect
	overflows when the sum of its two parameters fall into the ``[2^32, 2^64 - 1]``
	range. Therefore, any AArch32 code relying on this macro to detect such integer
	overflows is actually not protected.

	The buggy code has been present in ARM Trusted Firmware (TF) since `Pull Request
	#678`_ was merged (on 18 August 2016). However, the upstream code was not
	vulnerable until `Pull Request #939`_ was merged (on 22 May 2017), which
	introduced AArch32 support for the Trusted Board Boot (TBB) feature. Before
	then, the ``check_uptr_overflow()`` macro was not used in AArch32 code.

	The vulnerability resides in the BL1 FWU SMC handling code and it may be
	exploited when all the following conditions apply:

	- Platform code uses TF BL1 with the ``TRUSTED_BOARD_BOOT`` build option.

	- Platform code uses the Firmware Update (FWU) code provided in
	``bl1/bl1_fwu.c``, which is part of the TBB support.

	- TF BL1 is compiled with the ``ARCH=aarch32`` build option.

	In this context, the AArch32 BL1 image might fail to detect potential integer
	overflows in the input validation checks while handling the
	``FWU_SMC_IMAGE_COPY`` and ``FWU_SMC_IMAGE_AUTH`` SMCs.

	The ``FWU_SMC_IMAGE_COPY`` SMC handler is designed to copy an image into secure
	memory for subsequent authentication. This is implemented by the
	``bl1_fwu_image_copy()`` function, which has the following function prototype:

	.. code:: c

	static int bl1_fwu_image_copy(unsigned int image_id,
	uintptr_t image_src,
	unsigned int block_size,
	unsigned int image_size,
	unsigned int flags)

	``image_src`` is an SMC argument and therefore potentially controllable by an
	attacker. A very large 32-bit value, for example ``2^32 -1``, may result in the
	sum of ``image_src`` and ``block_size`` overflowing a 32-bit type, which
	``check_uptr_overflow()`` will fail to detect. Depending on its implementation,
	the platform-specific function ``bl1_plat_mem_check()`` might get defeated by
	these unsanitized values and allow the following memory copy operation, that
	would wrap around. This may allow an attacker to copy unexpected data into
	secure memory if the memory is mapped in BL1's address space, or cause a fatal
	exception if it's not.

	The ``FWU_SMC_IMAGE_AUTH`` SMC handler is designed to authenticate an image
	resident in secure memory. This is implemented by the ``bl1_fwu_image_auth()``
	function, which has the following function prototype:

	.. code:: c

	static int bl1_fwu_image_auth(unsigned int image_id,
	uintptr_t image_src,
	unsigned int image_size,
	unsigned int flags)

	Similarly, if an attacker has control over the ``image_src`` or ``image_size``
	arguments through the SMC interface and injects high values whose sum overflows,
	they might defeat the ``bl1_plat_mem_check()`` function and make the
	authentication module read data outside of what's normally allowed by the
	platform code or crash the platform.

	Note that in both cases, a separate vulnerability is required to leverage this
	vulnerability; for example a way to get the system to change its behaviour based
	on the unexpected secure memory accesses. Moreover, the normal world FWU code
	would need to be compromised in order to send a malformed FWU SMC that triggers
	an integer overflow.

	The vulnerability is known to affect all ARM standard platforms when enabling
	the ``TRUSTED_BOARD_BOOT`` and ``ARCH=aarch32`` build options. Other platforms
	may also be affected if they fulfil the above conditions.

	.. _CVE-2017-9607: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9607
	.. _commit c396b73: https://github.com/ARM-software/arm-trusted-firmware/commit/c396b73
	.. _Pull Request #678: https://github.com/ARM-software/arm-trusted-firmware/pull/678
	.. _Pull Request #939: https://github.com/ARM-software/arm-trusted-firmware/pull/939
	.. _Pull Request #979: https://github.com/ARM-software/arm-trusted-firmware/pull/979