CVE-2023-41325

Name of the Vulnerable Software and Affected Versions OP-TEE versions 3.20 through 3.21

Description OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. The issue arises in the shdr verify signature function, which is used to verify a TA binary before it is loaded. To verify a signature, memory is allocated for an RSA key using the sw crypto acipher alloc rsa public key function, which attempts to allocate memory from OP-TEE's heap memory. The RSA key consists of an exponent and modulus, represented by variables e and n. However, the allocation of these variables is not atomic, which means it may succeed for e but fail for n. In such cases, the sw crypto acipher alloc rsa public key function will free the memory allocated for e and return as if the allocation failed, but the variable e will still hold the address of the already freed memory. Subsequently, shdr verify signature will attempt to free this memory again, even though it has already been freed, resulting in a double free. A patch is available in version 3.22.

Recommendations For OP-TEE versions 3.20 through 3.21, update to version 3.22 to resolve the issue. At the moment, there are no known workarounds available for these versions.