Unknown · OP-TEE Trusted OS · CVE-2022-46152
**Name of the Vulnerable Software and Affected Versions**
OP-TEE Trusted OS versions prior to 3.19.0
**Description**
The issue is an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. `cleanup_shm_refs()` does not validate the `num_params` argument, which is only limited to `OPTEE_MSG_MAX_NUM_PARAMS` (127) in the function `get_cmd_buffer()`. Therefore, an attacker in the normal world can craft an SMC call that causes an out-of-bounds read in `cleanup_shm_refs()` and potentially the freeing of fake objects in `mobj_put()`. A normal-world attacker with permission to execute SMC instructions may exploit this flaw. The maintainers believe this problem permits local privilege escalation from the normal world to the secure world.
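The missing check described above, as an added example that is not OP-TEE's own code: a constructed model of a message header whose `num_params` is chosen by the normal world, beside a hardened cleanup routine that validates the count against both the compile-time cap `OPTEE_MSG_MAX_NUM_PARAMS` and the size of the mapped buffer before walking the slots. The struct layout, the attribute type value and the `fake_mobj_put()` stand-in are assumptions; `overrun_bytes()` only computes how far an unchecked walk would read past the array.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the message layout (not OP-TEE's own code): a header
 * with a caller-controlled num_params, followed by the parameter slots. */
#define OPTEE_MSG_MAX_NUM_PARAMS 127
#define OPTEE_MSG_ATTR_TYPE_MASK 0xffu
#define ATTR_TYPE_SHM            0x5u /* placeholder "shared-memory ref" type */

struct msg_param { uint64_t attr; uint64_t shm_ref; };
struct msg_arg {
    uint32_t num_params;                               /* set by the normal world */
    struct msg_param params[OPTEE_MSG_MAX_NUM_PARAMS]; /* fixed backing storage */
};

static size_t released; /* stand-in for mobj_put(): just counts releases */
static void fake_mobj_put(uint64_t shm_ref) { (void)shm_ref; released++; }
/* Bytes an unchecked loop would read past params[] (0 = in bounds); computed, never performed. */
size_t overrun_bytes(uint32_t num_params)
{
    return num_params <= OPTEE_MSG_MAX_NUM_PARAMS ? 0 :
           (size_t)(num_params - OPTEE_MSG_MAX_NUM_PARAMS) * sizeof(struct msg_param);
}

/* Hardened cleanup: num_params must fit the compile-time cap and every slot
 * must lie inside the mapped buffer. Returns refs released, or -1 if rejected. */
int cleanup_shm_refs_checked(const struct msg_arg *arg, size_t buf_len)
{
    size_t need = offsetof(struct msg_arg, params) +
                  (size_t)arg->num_params * sizeof(struct msg_param);
    if (arg->num_params > OPTEE_MSG_MAX_NUM_PARAMS || need > buf_len)
        return -1;              /* index would leave params[], or buffer too short */
    int n = 0;
    for (uint32_t i = 0; i < arg->num_params; i++)
        if ((arg->params[i].attr & OPTEE_MSG_ATTR_TYPE_MASK) == ATTR_TYPE_SHM) {
            fake_mobj_put(arg->params[i].shm_ref);
            n++;
        }
    return n;
}
/* Constructed sample: shm refs in slots 0 and 2, count chosen by the caller. */
const struct msg_arg *make_sample(uint32_t num_params)
{
    static struct msg_arg a;    /* zero-initialised; slots 1, 3.. stay empty */
    a.num_params = num_params;
    a.params[0].attr = a.params[2].attr = ATTR_TYPE_SHM;
    a.params[0].shm_ref = 0x1000; a.params[2].shm_ref = 0x2000;
    return &a;
}
```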
**Recommendations**
For OP-TEE Trusted OS versions prior to 3.19.0, update to version 3.19.0 to resolve the issue. As a temporary workaround, consider restricting the execution of SMC instructions to prevent potential exploitation. Additionally, avoid using the `num_params` argument in the `cleanup_shm_refs()` function until the issue is resolved.