Trusted Firmware-A (TF-A) serves as an essential foundation of ARM-based systems' security. Unfortunately, version 2.10 of the software has been found with a potential out-of-bounds read vulnerability in the SDEI service. The primary purpose of this article is to dissect the issue, analyze the exploit details, and discuss the risks associated with this vulnerability.

Vulnerability: CVE-2023-49100

Trusted Firmware-A (TF-A) before 2.10 contains a potential out-of-bounds read vulnerability in the SDEI service. Notably, this issue arises because the input parameter received in register x1 is not adequately checked when passed to the sdei_interrupt_bind function.

Below, we provide you with a simple snippet of the code referred to above

#include <trusted_firmware_a.h>

void sdei_interrupt_bind(uint64_t parameter_in_x1) {
  ...
  // problematic call in the function
  plat_ic_get_interrupt_type(parameter_in_x1);
  ...
}

The issue occurs when the parameter_in_x1 is not appropriately validated and is passed to a call to plat_ic_get_interrupt_type. Any arbitrary value that passes checks in the plat_ic_is_sgi function remains problematic. Due to this issue, a compromise can occur in the Normal World, particularly in the Linux kernel.

An attacker with root privileges can exploit this vulnerability by issuing arbitrary SMC calls. With this level of control, the attacker can regulate the contents of registers x through x6, which are vital for sending parameters to TF-A. Consequently, out-of-bounds addresses can be read within the context of TF-A (EL3). Here is the exploit detail:

// attacker controlling the content of registers x through x6
attacker_reg_control(x, x1, x2, x3, x4, x5, x6);

It's worth noting that the read value cannot be leaked, as it's never returned to non-secure memory or registers. The attacker, nonetheless, can still crash TF-A, which leads to severe consequences.

Impact and Risks

The root-privileged attacker cannot access the leaked information directly due to the lack of return to non-secure memory or registers. Nonetheless, the attacker can still cause a crash to TF-A. This situation can result in a denial of service or compromise the system's security, given the essential role TF-A plays in ARM-based systems.

For more details on this issue, consider checking out the following references

1. Trusted Firmware-A: TF-A Official Website
2. ARM Security Advisory: CVE-2023-49100 Advisory
3. TF-A Changelog: TF-A 2.10 Changelog

Conclusion

CVE-2023-49100 represents a significant vulnerability in Trusted Firmware-A before version 2.10. Although the potential risks don't cause information leakage, the exploit could still compromise system security by crashing TF-A. Therefore, it's crucial to ensure the proper validation of input parameters and timely apply security patches to avoid such issues in ARM-based systems.

Timeline

Published on: 02/21/2024 16:15:49 UTC
Last modified on: 10/31/2024 20:35:01 UTC