OP-TEE Trusted OS vulnerable to Improper Validation of Array Index in the cleanup_shm_refs function
CVE-2022-46152

8.2HIGH

Key Information:

Vendor: Op-tee
Status: Optee Os
Vendor: CVE Published:; 29 November 2022

What is CVE-2022-46152?

OP-TEE Trusted OS is the secure side implementation of OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0, contain an Improper Validation of Array Index vulnerability. The function cleanup_shm_refs() is called by both entry_invoke_command() and entry_open_session(). The commands OPTEE_MSG_CMD_OPEN_SESSION and OPTEE_MSG_CMD_INVOKE_COMMAND can be executed from the normal world via an OP-TEE SMC. This function is not validating the num_params argument, which is only limited to OPTEE_MSG_MAX_NUM_PARAMS (127) in the function get_cmd_buffer(). Therefore, an attacker in the normal world can craft an SMC call that will cause out-of-bounds reading in cleanup_shm_refs and potentially freeing of fake-objects in the function mobj_put(). A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.

Affected Version(s)

optee_os < 3.19.0

References

https://github.com/OP-TEE/optee_os/security/advisories/GH...

https://github.com/OP-TEE/optee_os/commit/728616b28df659c...

https://github.com/OP-TEE/optee_os/blob/c2d449482de098f1c...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 29, 2022
Vulnerability Reserved
Nov 28, 2022

CVE-2022-46152 Data

JSON

Op-tee

What is CVE-2022-46152?

Affected Version(s)

References

CVSS V3.1

Timeline