+----------------+-------------------------------------------------------------+
| Title          | Malformed Firmware Update SMC can result in copy or         |
|                | authentication of unexpected data in secure memory in       |
|                | AArch32 state                                               |
+================+=============================================================+
| CVE ID         | `CVE-2017-9607`_                                            |
+----------------+-------------------------------------------------------------+
| Date           | 20 Jun 2017                                                 |
+----------------+-------------------------------------------------------------+
| Versions       | None (only between 22 May 2017 and 14 June 2017)            |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | Platforms that use AArch32 BL1 plus untrusted normal world  |
| Affected       | firmware update code executing before BL31                  |
+----------------+-------------------------------------------------------------+
| Impact         | Copy or authentication of unexpected data in the secure     |
|                | memory                                                      |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #979`_ (merged on 14 June 2017)               |
+----------------+-------------------------------------------------------------+
| Credit         | ARM                                                         |
+----------------+-------------------------------------------------------------+

The ``include/lib/utils_def.h`` header file provides the
``check_uptr_overflow()`` macro, which aims at detecting arithmetic overflows
that may occur when computing the sum of a base pointer and an offset. This
macro evaluates to 1 if the sum of the given base pointer and offset would
result in a value large enough to wrap around, which may lead to unpredictable
behaviour.

The macro code is at line 52, referring to the version of the code as of `commit
c396b73`_:

.. code:: c

    /*
     * Evaluates to 1 if (ptr + inc) overflows, 0 otherwise.
     * Both arguments must be unsigned pointer values (i.e. uintptr_t).
     */
    #define check_uptr_overflow(ptr, inc) \
        (((ptr) > UINTPTR_MAX - (inc)) ? 1 : 0)

This macro does not work correctly for AArch32 images. It fails to detect
overflows when the sum of its two parameters falls into the ``[2^32, 2^64 - 1]``
range. Therefore, any AArch32 code relying on this macro to detect such integer
overflows is actually not protected.

The buggy code has been present in ARM Trusted Firmware (TF) since `Pull Request
#678`_ was merged (on 18 August 2016). However, the upstream code was not
vulnerable until `Pull Request #939`_ was merged (on 22 May 2017), which
introduced AArch32 support for the Trusted Board Boot (TBB) feature. Before
then, the ``check_uptr_overflow()`` macro was not used in AArch32 code.

The vulnerability resides in the BL1 FWU SMC handling code and it may be
exploited when *all* the following conditions apply:

- Platform code uses TF BL1 with the ``TRUSTED_BOARD_BOOT`` build option.

- Platform code uses the Firmware Update (FWU) code provided in
  ``bl1/bl1_fwu.c``, which is part of the TBB support.

- TF BL1 is compiled with the ``ARCH=aarch32`` build option.

In this context, the AArch32 BL1 image might fail to detect potential integer
overflows in the input validation checks while handling the
``FWU_SMC_IMAGE_COPY`` and ``FWU_SMC_IMAGE_AUTH`` SMCs.

The ``FWU_SMC_IMAGE_COPY`` SMC handler is designed to copy an image into secure
memory for subsequent authentication. This is implemented by the
``bl1_fwu_image_copy()`` function, which has the following function prototype:

.. code:: c

    static int bl1_fwu_image_copy(unsigned int image_id,
                                  uintptr_t image_src,
                                  unsigned int block_size,
                                  unsigned int image_size,
                                  unsigned int flags)

``image_src`` is an SMC argument and therefore potentially controllable by an
attacker. A very large 32-bit value, for example ``2^32 - 1``, may result in the
sum of ``image_src`` and ``block_size`` overflowing a 32-bit type, which
``check_uptr_overflow()`` will fail to detect. Depending on its implementation,
the platform-specific function ``bl1_plat_mem_check()`` might be defeated by
these unsanitized values and allow the subsequent memory copy operation, which
would wrap around. This may allow an attacker to copy unexpected data into
secure memory if the memory is mapped in BL1's address space, or cause a fatal
exception if it is not.

The ``FWU_SMC_IMAGE_AUTH`` SMC handler is designed to authenticate an image
resident in secure memory. This is implemented by the ``bl1_fwu_image_auth()``
function, which has the following function prototype:

.. code:: c

    static int bl1_fwu_image_auth(unsigned int image_id,
                                  uintptr_t image_src,
                                  unsigned int image_size,
                                  unsigned int flags)

Similarly, if an attacker has control over the ``image_src`` or ``image_size``
arguments through the SMC interface and injects high values whose sum overflows,
they might defeat the ``bl1_plat_mem_check()`` function and make the
authentication module read data outside of what is normally allowed by the
platform code, or crash the platform.
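
The following is an added example written for this advisory, not TF-A code. It
makes the macro's blind spot and its effect on both handlers concrete in host C:
``uint32_t`` stands in for the AArch32 ``uintptr_t``, and, as an editor's
assumption the advisory does not state, the defect is modelled as the overflow
check comparing against the 64-bit maximum rather than the 32-bit pointer limit,
which is the simplest way to reproduce the ``[2^32, 2^64 - 1]`` range given
above. ``plat_mem_check_naive()``, ``fwu_range_accepted()`` and the ``NS_BUF_*``
addresses are hypothetical stand-ins for ``bl1_plat_mem_check()`` and the
handlers' input validation; the same range check covers the copy case
(``image_src`` plus ``block_size``) and the authentication case (``image_src``
plus ``image_size``).

```c
/*
 * Constructed model of the check_uptr_overflow() defect (editor's example,
 * not TF-A code). Assumption: the macro's limit was the 64-bit maximum while
 * the AArch32 pointer type is 32 bits wide. Builds as a normal host program.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t uptr32_t;          /* models uintptr_t on AArch32 */

/* Broken variant: compared against a 64-bit limit, so sums in
 * [2^32, 2^64 - 1] are never reported as overflows. */
#define check_uptr_overflow_broken(ptr, inc) \
    (((uint64_t)(ptr) > UINT64_MAX - (uint64_t)(inc)) ? 1 : 0)

/* Correct variant for a 32-bit pointer: the limit matches the pointer width. */
#define check_uptr_overflow_fixed(ptr, inc) \
    (((ptr) > UINT32_MAX - (inc)) ? 1 : 0)

/* Constructed normal-world buffer that FWU images may be read from
 * (hypothetical addresses). */
#define NS_BUF_BASE 0x80000000u
#define NS_BUF_END  0x80100000u     /* exclusive */

/*
 * Stand-in for a platform bl1_plat_mem_check() that computes base + size in
 * pointer-width arithmetic and therefore relies on the caller having already
 * excluded wrap-around (hypothetical; real platform code varies).
 */
static int plat_mem_check_naive(uptr32_t base, uint32_t size)
{
    uptr32_t end = base + size;     /* silently wraps on 32 bits */
    return base >= NS_BUF_BASE && end <= NS_BUF_END;
}

/*
 * Input validation modelled on the FWU_SMC_IMAGE_COPY / FWU_SMC_IMAGE_AUTH
 * handlers: reject an empty range, run the overflow check on the address of
 * the last byte, then defer to the platform range check. Returns 1 if the
 * (src, len) range would be accepted. fixed_macro selects the check used.
 */
static int fwu_range_accepted(uptr32_t src, uint32_t len, int fixed_macro)
{
    if (len == 0)
        return 0;
    int overflow = fixed_macro ? check_uptr_overflow_fixed(src, len - 1u)
                               : check_uptr_overflow_broken(src, len - 1u);
    if (overflow)
        return 0;
    return plat_mem_check_naive(src, len);
}

int main(void)
{
    /* The advisory's example: image_src = 2^32 - 1. */
    uptr32_t src = 0xFFFFFFFFu;
    uint32_t len = 0x1000u;

    printf("broken macro, src=2^32-1: accepted = %d\n",
           fwu_range_accepted(src, len, 0));
    printf("fixed macro,  src=2^32-1: accepted = %d\n",
           fwu_range_accepted(src, len, 1));

    /* image_size large enough that src + image_size wraps (auth case). */
    printf("broken macro, huge size:  accepted = %d\n",
           fwu_range_accepted(NS_BUF_BASE, 0x80000001u, 0));
    printf("fixed macro,  huge size:  accepted = %d\n",
           fwu_range_accepted(NS_BUF_BASE, 0x80000001u, 1));

    /* A legitimate request inside the constructed buffer still passes. */
    printf("fixed macro,  valid req:  accepted = %d\n",
           fwu_range_accepted(NS_BUF_BASE, len, 1));
    return 0;
}
```

With the broken check, both the ``2^32 - 1`` source and the oversized length
slip past the overflow test, the naive platform check then sees a wrapped end
address that lies below the buffer limit, and the request is accepted; with the
pointer-width limit the same inputs are rejected before the platform check runs,
while an in-range request is unaffected.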

Note that in both cases, a separate vulnerability is required to leverage this
vulnerability; for example a way to get the system to change its behaviour based
on the unexpected secure memory accesses. Moreover, the normal world FWU code
would need to be compromised in order to send a malformed FWU SMC that triggers
an integer overflow.

The vulnerability is known to affect all ARM standard platforms when enabling
the ``TRUSTED_BOARD_BOOT`` and ``ARCH=aarch32`` build options. Other platforms
may also be affected if they fulfil the above conditions.

.. _CVE-2017-9607: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9607
.. _commit c396b73: https://github.com/ARM-software/arm-trusted-firmware/commit/c396b73
.. _Pull Request #678: https://github.com/ARM-software/arm-trusted-firmware/pull/678
.. _Pull Request #939: https://github.com/ARM-software/arm-trusted-firmware/pull/939
.. _Pull Request #979: https://github.com/ARM-software/arm-trusted-firmware/pull/979