From d1eb4e2377c8811db2402e439c302d48a933a207 Mon Sep 17 00:00:00 2001 From: Manish Pandey Date: Tue, 2 Jan 2024 15:35:28 +0000 Subject: [PATCH] docs(security): security advisory for CVE-2023-49100 Reported-by: Christian Lindenmeier Signed-off-by: Manish Pandey Change-Id: I13fa93a65e5017dae6c837e88cd80bda72d4c2a3 --- docs/process/security.rst | 3 + docs/security_advisories/index.rst | 1 + .../security-advisory-tfv-11.rst | 86 +++++++++++++++++++ 3 files changed, 90 insertions(+) create mode 100644 docs/security_advisories/security-advisory-tfv-11.rst diff --git a/docs/process/security.rst b/docs/process/security.rst index bbc939a41..c49ca6e13 100644 --- a/docs/process/security.rst +++ b/docs/process/security.rst @@ -73,6 +73,8 @@ Security Advisories | |TFV-10| | Incorrect validation of X.509 certificate extensions can result | | | in an out-of-bounds read | +-----------+------------------------------------------------------------------+ +| |TFV-11| | A Malformed SDEI SMC can cause out of bound memory read | ++-----------+------------------------------------------------------------------+ .. _issue tracker: https://developer.trustedfirmware.org/project/board/1/ .. _mailing list: https://lists.trustedfirmware.org/mailman3/lists/tf-a.lists.trustedfirmware.org/ @@ -87,6 +89,7 @@ Security Advisories .. |TFV-8| replace:: :ref:`Advisory TFV-8 (CVE-2018-19440)` .. |TFV-9| replace:: :ref:`Advisory TFV-9 (CVE-2022-23960)` .. |TFV-10| replace:: :ref:`Advisory TFV-10 (CVE-2022-47630)` +.. |TFV-11| replace:: :ref:`Advisory TFV-11 (CVE-2023-49100)` .. _TrustedFirmware.org security incident process: https://trusted-firmware-docs.readthedocs.io/en/latest/security_center/ diff --git a/docs/security_advisories/index.rst b/docs/security_advisories/index.rst index c9b0f7819..ad5554672 100644 --- a/docs/security_advisories/index.rst +++ b/docs/security_advisories/index.rst 
@@ -15,3 +15,4 @@ Security Advisories security-advisory-tfv-8.rst security-advisory-tfv-9.rst security-advisory-tfv-10.rst + security-advisory-tfv-11.rst diff --git a/docs/security_advisories/security-advisory-tfv-11.rst b/docs/security_advisories/security-advisory-tfv-11.rst new file mode 100644 index 000000000..b5063f09e --- /dev/null +++ b/docs/security_advisories/security-advisory-tfv-11.rst 
@@ -0,0 +1,86 @@ +Advisory TFV-11 (CVE-2023-49100) +================================ + ++----------------+-------------------------------------------------------------+ +| Title | A Malformed SDEI SMC can cause out of bound memory read. | ++================+=============================================================+ +| CVE ID | `CVE-2023-49100`_ | ++----------------+-------------------------------------------------------------+ +| Date | Reported on 12 Oct 2023 | ++----------------+-------------------------------------------------------------+ +| Versions | TF-A releases v1.5 to v2.9 | +| Affected | LTS releases lts-v2.8.0 to lts-v2.8.11 | ++----------------+-------------------------------------------------------------+ +| Configurations | Platforms with SDEI support | +| Affected | | ++----------------+-------------------------------------------------------------+ +| Impact | Denial of Service (secure world panic) | ++----------------+-------------------------------------------------------------+ +| Fix Version | `a7eff3477`_ "fix(sdei): ensure that interrupt ID is valid" | ++----------------+-------------------------------------------------------------+ +| Credit | Christian Lindenmeier `@_chli_`_ | +| | Marcel Busch `@0ddc0de`_ | +| | `IT Security Infrastructures Lab`_ | ++----------------+-------------------------------------------------------------+ + +This security advisory describes a vulnerability in the SDEI services, where a +rogue Non-secure caller invoking a SDEI_INTERRUPT_BIND SMC call with an invalid +interrupt ID causes out of bound memory read. + +SDEI_INTERRUPT_BIND is used to bind any physical interrupt into a normal +priority SDEI event. The interrupt can be a private peripheral interrupt +(PPI) or a shared peripheral interrupt (SPI). +Refer to SDEI_INTERRUPT_BIND in the `SDEI Specification`_ for further details. + +The vulnerability exists when the SDEI client passes an interrupt ID which +is not implemented by the GIC. 
This will result in a data abort exception +or a EL3 panic depending on the GIC version used in the system. + +- **GICv2 systems:** + +.. code:: c + + Call stack: + sdei_interrupt_bind(interrupt ID) + -> plat_ic_get_interrupt_type(interrupt ID) + -> gicv2_get_interrupt_group(interrupt ID) + -> gicd_get_igroupr(distributor base, interrupt ID) + -> gicd_read_igroupr(distributor base, interrupt ID). + + gicd_read_igroupr() will eventually do a MMIO read to an unimplemented IGROUPR + register. Which may cause a data abort or an access to a random EL3 memory region. + +- **GICv3 systems:** + +.. code:: c + + Call stack: + sdei_interrupt_bind(interrupt ID) + -> plat_ic_get_interrupt_type(interrupt ID) + -> gicv3_get_interrupt_group(interrupt ID, core ID) + -> is_sgi_ppi(interrupt ID) + + is_sgi_ppi() will end up in an EL3 panic on encountering an invalid interrupt ID. + +The vulnerability is fixed by ensuring that the Interrupt ID provided by the +SDEI client is a valid PPI or SPI, otherwise return an error code indicating +that the parameter is invalid. + +.. code:: c + + /* Bind an SDEI event to an interrupt */ + static int sdei_interrupt_bind(unsigned int intr_num) + { + sdei_ev_map_t *map; + bool retry = true, shared_mapping; + + /* Interrupt must be either PPI or SPI */ + if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num))) + return SDEI_EINVAL; + +.. _CVE-2023-49100: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49100 +.. _a7eff3477: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624c74f5217419b1a27b7ebd2aa +.. _IT Security Infrastructures Lab: https://www.cs1.tf.fau.de/ +.. _SDEI Specification: https://developer.arm.com/documentation/den0054/latest/ +.. _@_chli_: https://twitter.com/_chli_ +.. _@0ddc0de: https://twitter.com/0ddc0de
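Review bot: the new table row in docs/process/security.rst (hunk @@ -73,6 +73,8 @@) does not follow the wording of the neighbouring rows: TFV-10 reads "out-of-bounds read", while the new row reads "A Malformed SDEI SMC can cause out of bound memory read" with a capitalised "Malformed", a missing article and no hyphens. Suggest `| |TFV-11| | A malformed SDEI SMC can cause an out-of-bounds memory read |` (re-padded to the column width), and the same phrasing in the Title cell of the new advisory so the two stay in sync.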
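Review bot: in security-advisory-tfv-11.rst (hunk @@ -0,0 +1,86 @@) the description says the trigger is an interrupt ID "which is not implemented by the GIC", but the quoted fix only rejects IDs that are neither PPI nor SPI (`if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))`), so an ID inside the SPI range that this particular GIC does not implement is not obviously covered. The advisory should say whether plat_ic_is_ppi()/plat_ic_is_spi() compare against the interrupts the distributor actually reports as implemented or only against the architectural ID ranges, and if the latter, whether the gicd_read_igroupr() path to an unimplemented IGROUPR register on GICv2 is closed by some other check; otherwise the Impact row may understate what remains reachable. Three smaller points in the same file: the two call-stack blocks are `.. code:: c` but contain call traces and a prose sentence, not C, so use `.. code-block:: text` (or a `::` literal block) to avoid C lexing warnings; "Which may cause a data abort or an access to a random EL3 memory region." is a sentence fragment that should be joined to the preceding sentence, and "a SDEI_INTERRUPT_BIND", "causes out of bound memory read" and "a EL3 panic" should read "an SDEI_INTERRUPT_BIND", "causes an out-of-bounds memory read" and "an EL3 panic"; and the Fix Version row names only commit `a7eff3477`, so consider also listing the first release and LTS tag that contain it, since the Versions Affected row is expressed in releases and readers will look for the matching fixed release.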