Manish Pandey | 9aa0431 | 2024-01-02 15:35:28 +0000

Advisory TFV-11 (CVE-2023-49100)
================================

+----------------+-------------------------------------------------------------+
| Title          | A Malformed SDEI SMC can cause out of bound memory read.    |
+================+=============================================================+
| CVE ID         | `CVE-2023-49100`_                                           |
+----------------+-------------------------------------------------------------+
| Date           | Reported on 12 Oct 2023                                     |
+----------------+-------------------------------------------------------------+
| Versions       | TF-A releases v1.5 to v2.9                                  |
| Affected       | LTS releases lts-v2.8.0 to lts-v2.8.11                      |
+----------------+-------------------------------------------------------------+
| Configurations | Platforms with SDEI support                                 |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Denial of Service (secure world panic)                      |
+----------------+-------------------------------------------------------------+
| Fix Version    | `a7eff3477`_ "fix(sdei): ensure that interrupt ID is valid" |
+----------------+-------------------------------------------------------------+
| Credit         | Christian Lindenmeier `@_chli_`_                            |
|                | Marcel Busch `@0ddc0de`_                                    |
|                | `IT Security Infrastructures Lab`_                          |
+----------------+-------------------------------------------------------------+

This security advisory describes a vulnerability in the SDEI services, where a
rogue Non-secure caller invoking an SDEI_INTERRUPT_BIND SMC call with an invalid
interrupt ID causes an out-of-bounds memory read.

SDEI_INTERRUPT_BIND is used to bind any physical interrupt into a normal
priority SDEI event. The interrupt can be a private peripheral interrupt
(PPI) or a shared peripheral interrupt (SPI).
Refer to SDEI_INTERRUPT_BIND in the `SDEI Specification`_ for further details.

The vulnerability exists when the SDEI client passes an interrupt ID which
is not implemented by the GIC. This results in a data abort exception
or an EL3 panic, depending on the GIC version used in the system.

- **GICv2 systems:**

  .. code:: c

      Call stack:
      sdei_interrupt_bind(interrupt ID)
        -> plat_ic_get_interrupt_type(interrupt ID)
          -> gicv2_get_interrupt_group(interrupt ID)
            -> gicd_get_igroupr(distributor base, interrupt ID)
              -> gicd_read_igroupr(distributor base, interrupt ID).

  gicd_read_igroupr() will eventually do an MMIO read to an unimplemented IGROUPR
  register, which may cause a data abort or an access to a random EL3 memory region.

- **GICv3 systems:**

  .. code:: c

      Call stack:
      sdei_interrupt_bind(interrupt ID)
        -> plat_ic_get_interrupt_type(interrupt ID)
          -> gicv3_get_interrupt_group(interrupt ID, core ID)
            -> is_sgi_ppi(interrupt ID)

  is_sgi_ppi() will end up in an EL3 panic on encountering an invalid interrupt ID.

The vulnerability is fixed by ensuring that the interrupt ID provided by the
SDEI client is a valid PPI or SPI; otherwise an error code is returned
indicating that the parameter is invalid.

.. code:: c

    /* Bind an SDEI event to an interrupt */
    static int sdei_interrupt_bind(unsigned int intr_num)
    {
        sdei_ev_map_t *map;
        bool retry = true, shared_mapping;

        /* Interrupt must be either PPI or SPI */
        if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))
            return SDEI_EINVAL;

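The following is an added, self-contained C model of the check above; it is not TF-A's code. It assumes the base GICv2/GICv3 INTID ranges (PPI 16-31, SPI 32-1019), a constructed distributor implementing INTIDs 0-1023 (``model_igroupr``), and the SDEI status value -2 for an invalid parameter; ``igroupr_index_in_range()`` shows the register index the unchecked pre-fix path would derive from the caller-supplied ID.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the SDEI_INTERRUPT_BIND parameter check; not
 * TF-A's implementation. INTID ranges are the base GICv2/GICv3 ranges. */
#define MIN_PPI_ID    16U
#define MAX_PPI_ID    31U
#define MIN_SPI_ID    32U
#define MAX_SPI_ID    1019U

#define SDEI_SUCCESS  0
#define SDEI_EINVAL   (-2)    /* SDEI "invalid parameter" status */

/* Model of a distributor implementing INTIDs 0..1023: one IGROUPR
 * register per 32 INTIDs. Any index beyond this bank stands for an
 * unimplemented register, the case the advisory describes. */
#define IGROUPR_COUNT 32U
static uint32_t model_igroupr[IGROUPR_COUNT];

static bool model_is_ppi(unsigned int id)
{
	return id >= MIN_PPI_ID && id <= MAX_PPI_ID;
}

static bool model_is_spi(unsigned int id)
{
	return id >= MIN_SPI_ID && id <= MAX_SPI_ID;
}

/* Would the register index derived from an unvalidated INTID stay
 * inside the implemented IGROUPR bank? false models the bad MMIO read. */
bool igroupr_index_in_range(unsigned int id)
{
	return (id / 32U) < IGROUPR_COUNT;
}

/* Hardened bind entry: validate the INTID before any GIC register access. */
int sdei_bind_checked(unsigned int intr_num)
{
	/* Interrupt must be either PPI or SPI, as in the fix. */
	if (!(model_is_ppi(intr_num) || model_is_spi(intr_num)))
		return SDEI_EINVAL;

	/* Safe: every PPI/SPI INTID indexes an implemented register. */
	unsigned int group = (model_igroupr[intr_num / 32U] >> (intr_num % 32U)) & 1U;
	(void)group;
	return SDEI_SUCCESS;
}
```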
.. _CVE-2023-49100: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49100
.. _a7eff3477: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624c74f5217419b1a27b7ebd2aa
.. _IT Security Infrastructures Lab: https://www.cs1.tf.fau.de/
.. _SDEI Specification: https://developer.arm.com/documentation/den0054/latest/
.. _@_chli_: https://twitter.com/_chli_
.. _@0ddc0de: https://twitter.com/0ddc0de