PT-2022-27769 · Unknown · Op-Tee Trusted Os

Asaf Modelevsky (+1)

Published: 2022-11-29 · Updated: 2025-11-26

CVE-2022-46152

CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OP-TEE Trusted OS versions prior to 3.19.0
Description: The issue is an Improper Validation of Array Index vulnerability. The function cleanup_shm_refs() is called by both entry_invoke_command() and entry_open_session(). The commands OPTEE_MSG_CMD_OPEN_SESSION and OPTEE_MSG_CMD_INVOKE_COMMAND can be issued from the normal world via an OP-TEE SMC. cleanup_shm_refs() does not validate its num_params argument, which is bounded by OPTEE_MSG_MAX_NUM_PARAMS (127) only in get_cmd_buffer(). An attacker in the normal world can therefore craft an SMC call that causes an out-of-bounds read in cleanup_shm_refs() and potentially the freeing of fake objects in mobj_put(). A normal-world attacker with permission to execute SMC instructions may exploit this flaw. The maintainers believe this issue permits local privilege escalation from the normal world to the secure world.
Recommendations: For OP-TEE Trusted OS versions prior to 3.19.0, update to version 3.19.0 to resolve the issue. As a temporary workaround, consider restricting the execution of SMC instructions to prevent potential exploitation. Additionally, avoid relying on the num_params argument in cleanup_shm_refs() until the issue is resolved.
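The following is an added illustrative model of the defect class described above; it is not OP-TEE source code and does not reproduce the project's fix. The limit OPTEE_MSG_MAX_NUM_PARAMS (127) and the function names follow the advisory, while the structures, the ATTR_SHM_REF flag, mobj_put_model(), entry_cleanup_checked() and run_case() are simplified stand-ins constructed for this example. It shows why a caller-controlled num_params must be validated against the array size before any cleanup loop indexes params[] with it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model, not OP-TEE source: the limit and function names follow
 * the advisory; everything else here is a constructed stand-in. */
#define OPTEE_MSG_MAX_NUM_PARAMS 127

/* Constructed attribute flag: a parameter of this kind carries a shared-memory
 * object reference that must be dropped during cleanup. */
#define ATTR_SHM_REF 0x1u

struct mobj {
    int refcount;
};

struct msg_param {
    uint32_t attr;
    struct mobj *mobj;
};

/* Stand-in for the command buffer: num_params is the caller-supplied value
 * under test, and the array is sized at the protocol maximum. */
struct msg_arg {
    uint32_t num_params;
    struct msg_param params[OPTEE_MSG_MAX_NUM_PARAMS];
};

static int releases;  /* objects "freed" in the last run, visible to tests */
static struct mobj g_objs[OPTEE_MSG_MAX_NUM_PARAMS];  /* constructed pool */

/* Simplified stand-in for mobj_put(): drop one reference, free at zero. */
static void mobj_put_model(struct mobj *m)
{
    if (m && --m->refcount == 0)
        releases++;
}

/* Model of the cleanup loop in cleanup_shm_refs(): every index below
 * num_params is dereferenced, so the bound must hold BEFORE this runs. A
 * count above the array size would read past params[] and hand whatever
 * bytes sit there to mobj_put_model(); that is the failure mode in the
 * advisory. This function itself does no checking, matching the text. */
static void cleanup_shm_refs_model(struct msg_param *params, size_t num_params)
{
    for (size_t n = 0; n < num_params; n++) {
        if (params[n].attr & ATTR_SHM_REF)
            mobj_put_model(params[n].mobj);
    }
}

/* Validating entry point: the kind of bound check the advisory says was
 * missing on the path to cleanup_shm_refs(). Returns 0 if the cleanup ran,
 * -1 if the count was rejected before any index was used. */
static int entry_cleanup_checked(struct msg_arg *arg)
{
    if (arg->num_params > OPTEE_MSG_MAX_NUM_PARAMS)
        return -1;
    cleanup_shm_refs_model(arg->params, arg->num_params);
    return 0;
}

/* Build a constructed message declaring 'count' parameters, the first
 * 'with_refs' of which hold a one-reference object, and run the checked
 * entry on it. Returns the entry's verdict; 'releases' records the effect. */
static int run_case(uint32_t count, uint32_t with_refs)
{
    struct msg_arg arg;
    memset(&arg, 0, sizeof(arg));
    arg.num_params = count;
    for (uint32_t i = 0; i < with_refs && i < OPTEE_MSG_MAX_NUM_PARAMS; i++) {
        g_objs[i].refcount = 1;
        arg.params[i].attr = ATTR_SHM_REF;
        arg.params[i].mobj = &g_objs[i];
    }
    releases = 0;
    return entry_cleanup_checked(&arg);
}

int main(void)
{
    int rc = run_case(3, 3);
    printf("num_params=3:   rc=%d releases=%d\n", rc, releases);
    rc = run_case(128, 0);
    printf("num_params=128: rc=%d releases=%d\n", rc, releases);
    return 0;
}
```

The point of the model is the ordering: the bound check sits in the entry function that owns the caller-supplied count, so a value above OPTEE_MSG_MAX_NUM_PARAMS is refused before the loop can index params[]. A check that exists only on one path (the advisory names get_cmd_buffer()) does not protect a loop reached by another path with the raw value.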


Weakness Enumeration

Improper Validation of Array Index

Related Identifiers

CVE-2022-46152
GHSA-65W8-6MRG-52G7

Affected Products

Op-Tee Trusted Os