docs(security): security advisory for CVE-2023-49100

Reported-by: Christian Lindenmeier <christian.lindenmeier@fau.de>
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I13fa93a65e5017dae6c837e88cd80bda72d4c2a3

docs/process/security.rst

@@ -73,6 +73,8 @@ Security Advisories
 |  |TFV-10| | Incorrect validation of X.509 certificate extensions can result  |
 |           | in an out-of-bounds read                                         |
 +-----------+------------------------------------------------------------------+
+|  |TFV-11| |  A Malformed SDEI SMC can cause out of bound memory read         |
++-----------+------------------------------------------------------------------+
 
 .. _issue tracker: https://developer.trustedfirmware.org/project/board/1/
 .. _mailing list: https://lists.trustedfirmware.org/mailman3/lists/tf-a.lists.trustedfirmware.org/
@@ -87,6 +89,7 @@ Security Advisories
 .. |TFV-8| replace:: :ref:`Advisory TFV-8 (CVE-2018-19440)`
 .. |TFV-9| replace:: :ref:`Advisory TFV-9 (CVE-2022-23960)`
 .. |TFV-10| replace:: :ref:`Advisory TFV-10 (CVE-2022-47630)`
+.. |TFV-11| replace:: :ref:`Advisory TFV-11 (CVE-2023-49100)`
 
 .. _TrustedFirmware.org security incident process: https://trusted-firmware-docs.readthedocs.io/en/latest/security_center/
 

docs/security_advisories/index.rst

@@ -15,3 +15,4 @@ Security Advisories
    security-advisory-tfv-8.rst
    security-advisory-tfv-9.rst
    security-advisory-tfv-10.rst
+   security-advisory-tfv-11.rst

docs/security_advisories/security-advisory-tfv-11.rst

@@ -0,0 +1,86 @@
+Advisory TFV-11 (CVE-2023-49100)
+================================
+
++----------------+-------------------------------------------------------------+
+| Title          | A Malformed SDEI SMC can cause out of bound memory read.    |
++================+=============================================================+
+| CVE ID         | `CVE-2023-49100`_                                           |
++----------------+-------------------------------------------------------------+
+| Date           | Reported on 12 Oct 2023                                     |
++----------------+-------------------------------------------------------------+
+| Versions       | TF-A releases v1.5 to v2.9                                  |
+| Affected       | LTS releases  lts-v2.8.0 to lts-v2.8.11                     |
++----------------+-------------------------------------------------------------+
+| Configurations | Platforms with SDEI support                                 |
+| Affected       |                                                             |
++----------------+-------------------------------------------------------------+
+| Impact         | Denial of Service (secure world panic)                      |
++----------------+-------------------------------------------------------------+
+| Fix Version    | `a7eff3477`_ "fix(sdei): ensure that interrupt ID is valid" |
++----------------+-------------------------------------------------------------+
+| Credit         | Christian Lindenmeier `@_chli_`_                            |
+|                | Marcel Busch `@0ddc0de`_                                    |
+|                | `IT Security Infrastructures Lab`_                          |
++----------------+-------------------------------------------------------------+
+
+This security advisory describes a vulnerability in the SDEI services, where a
+rogue Non-secure caller invoking a SDEI_INTERRUPT_BIND SMC call with an invalid
+interrupt ID causes out of bound memory read.
+
+SDEI_INTERRUPT_BIND is used to bind any physical interrupt into a normal
+priority SDEI event. The interrupt can be a private peripheral interrupt
+(PPI) or a shared peripheral interrupt (SPI).
+Refer to SDEI_INTERRUPT_BIND in the `SDEI Specification`_ for further details.
+
+The vulnerability exists when the SDEI client passes an interrupt ID which
+is not implemented by the GIC. This will result in a data abort exception
+or a EL3 panic depending on the GIC version used in the system.
+
+- **GICv2 systems:**
+
+.. code:: c
+
+  Call stack:
+        sdei_interrupt_bind(interrupt ID)
+         -> plat_ic_get_interrupt_type(interrupt ID)
+           -> gicv2_get_interrupt_group(interrupt ID)
+             -> gicd_get_igroupr(distributor base, interrupt ID)
+               -> gicd_read_igroupr(distributor base, interrupt ID).
+
+  gicd_read_igroupr() will eventually do a MMIO read to an unimplemented IGROUPR
+  register. Which may cause a data abort or an access to a random EL3 memory region.
+
+- **GICv3 systems:**
+
+.. code:: c
+
+   Call stack:
+        sdei_interrupt_bind(interrupt ID)
+          -> plat_ic_get_interrupt_type(interrupt ID)
+            -> gicv3_get_interrupt_group(interrupt ID, core ID)
+              -> is_sgi_ppi(interrupt ID)
+
+   is_sgi_ppi() will end up in an EL3 panic on encountering an invalid interrupt ID.
+
+The vulnerability is fixed by ensuring that the Interrupt ID provided by the
+SDEI client is a valid PPI or SPI, otherwise return an error code indicating
+that the parameter is invalid.
+
+.. code:: c
+
+   /* Bind an SDEI event to an interrupt */
+   static int sdei_interrupt_bind(unsigned int intr_num)
+   {
+        sdei_ev_map_t *map;
+        bool retry = true, shared_mapping;
+
+        /* Interrupt must be either PPI or SPI */
+        if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))
+              return SDEI_EINVAL;
+
+.. _CVE-2023-49100: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49100
+.. _a7eff3477: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624c74f5217419b1a27b7ebd2aa
+.. _IT Security Infrastructures Lab: https://www.cs1.tf.fau.de/
+.. _SDEI Specification: https://developer.arm.com/documentation/den0054/latest/
+.. _@_chli_: https://twitter.com/_chli_
+.. _@0ddc0de: https://twitter.com/0ddc0de