CVE-2023-41325
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Summary
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20 and prior to version 3.22, shdr_verify_signature can make a double free. shdr_verify_signature used to verify a TA binary before it is loaded. To verify a signature of it, allocate a memory for RSA key. RSA key allocate function (sw_crypto_acipher_alloc_rsa_public_key) will try to allocate a memory (which is optee’s heap memory). RSA key is consist of exponent and modulus (represent as variable e, n) and it allocation is not atomic way, so it may succeed in e but fail in n. In this case sw_crypto_acipher_alloc_rsa_public_keywill free oneand return as it is failed but variable ‘e’ is remained as already freed memory address .shdr_verify_signaturewill free again that memory (which ise`) even it is freed when it failed allocate RSA key. A patch is available in version 3.22. No known workarounds are available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OP-TEE | optee_os | >= 3.20, < 3.22 | affected |
Weaknesses
- CWE-415: CWE-415: Double Free
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/OP-TEE/optee_os/security/advisories/GHSA-jrw7-63cq-7vhm
- https://github.com/OP-TEE/optee_os/commit/e2ec831cb07ed0099535c7c140cb6338aa62816a
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://github.com/OP-TEE/optee_os/security/advisories/GHSA-jrw7-63cq-7vhm
- https://github.com/OP-TEE/optee_os/commit/e2ec831cb07ed0099535c7c140cb6338aa62816a
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.