CVE-2022-46152

OP-TEE Trusted OS is the secure-side implementation of the OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0 contain an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. `cleanup_shm_refs()` does not validate the `num_params` argument, which is only limited to `OPTEE_MSG_MAX_NUM_PARAMS` (127) in the function `get_cmd_buffer()`. Therefore, an attacker in the normal world can craft an SMC call that causes an out-of-bounds read in `cleanup_shm_refs()` and potentially the freeing of fake objects in the function `mobj_put()`. A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.
Configurations

Configuration 1

cpe:2.3:o:op-tee:op-tee_os:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:30

| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2 : unknown, v3 : 8.8 | v2 : unknown, v3 : 8.2 |
| References | () https://github.com/OP-TEE/optee_os/blob/c2d449482de098f1c894b94f338440e5a327813d/core/tee/entry_std.c#L257 - Third Party Advisory | () https://github.com/OP-TEE/optee_os/blob/c2d449482de098f1c894b94f338440e5a327813d/core/tee/entry_std.c#L257 - Third Party Advisory |
| References | () https://github.com/OP-TEE/optee_os/commit/728616b28df659cf0bdde6e58a471f6ef25d023c - Patch, Third Party Advisory | () https://github.com/OP-TEE/optee_os/commit/728616b28df659cf0bdde6e58a471f6ef25d023c - Patch, Third Party Advisory |
| References | () https://github.com/OP-TEE/optee_os/security/advisories/GHSA-65w8-6mrg-52g7 - Exploit, Third Party Advisory | () https://github.com/OP-TEE/optee_os/security/advisories/GHSA-65w8-6mrg-52g7 - Exploit, Third Party Advisory |
| References | () https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:X/RC:X/CR:M/IR:M/AR:M/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H&version=3.1 - Third Party Advisory, US Government Resource | () https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:X/RC:X/CR:M/IR:M/AR:M/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H&version=3.1 - Third Party Advisory, US Government Resource |

02 Dec 2022, 18:45

| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:o:op-tee:op-tee_os:*:*:*:*:*:*:*:* |
| References | (MISC) https://github.com/OP-TEE/optee_os/blob/c2d449482de098f1c894b94f338440e5a327813d/core/tee/entry_std.c#L257 - | (MISC) https://github.com/OP-TEE/optee_os/blob/c2d449482de098f1c894b94f338440e5a327813d/core/tee/entry_std.c#L257 - Third Party Advisory |
| References | (CONFIRM) https://github.com/OP-TEE/optee_os/security/advisories/GHSA-65w8-6mrg-52g7 - | (CONFIRM) https://github.com/OP-TEE/optee_os/security/advisories/GHSA-65w8-6mrg-52g7 - Exploit, Third Party Advisory |
| References | (MISC) https://github.com/OP-TEE/optee_os/commit/728616b28df659cf0bdde6e58a471f6ef25d023c - | (MISC) https://github.com/OP-TEE/optee_os/commit/728616b28df659cf0bdde6e58a471f6ef25d023c - Patch, Third Party Advisory |
| References | (MISC) https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:X/RC:X/CR:M/IR:M/AR:M/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H&version=3.1 - | (MISC) https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:X/RC:X/CR:M/IR:M/AR:M/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H&version=3.1 - Third Party Advisory, US Government Resource |
| CWE | | CWE-129 |
| CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 8.8 |

29 Nov 2022, 17:57

Type Values Removed Values Added
New CVE

Information

Published : 2022-11-29 17:15

Updated : 2024-11-21 07:30


NVD link : CVE-2022-46152

Mitre link : CVE-2022-46152

CVE.ORG link : CVE-2022-46152

Products Affected

op-tee

  • op-tee_os
CWE
CWE-129

Improper Validation of Array Index