PT-2024-13674 · Unknown+1 · Arm Trusted Firmware+1

0Ddc0De +2 · Published 2024-02-21 · Updated 2024-10-31 · CVE-2023-49100

CVSS v3.1: 4.4 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Trusted Firmware-A (TF-A) versions prior to 2.10

Description

The issue is a potential out-of-bounds read in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind(). This parameter is then passed to a call to plat_ic_get_interrupt_type(), and it can be any arbitrary value that passes the checks in the function plat_ic_is_sgi(). A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls, allowing control over the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3), but because the value read is never returned to non-secure memory or in registers, no leak is possible. However, an attacker can still crash TF-A.

Recommendations

For versions prior to 2.10, update to version 2.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the SDEI service to minimize the risk of exploitation. Additionally, limiting the ability of a compromised Normal World to issue arbitrary SMC calls can help mitigate the risk.
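
The validation gap from the description, as a simplified C model. This is an added example, not TF-A source code: every `model_*` and `MODEL_*` name, the lookup table, and the assumption that the original gate only rejects SGI-range values are hypothetical. It contrasts a bind routine that lets any non-SGI x1 value reach a per-interrupt lookup with one that accepts only PPI/SPI interrupt IDs first.

```c
#include <stdint.h>
#include <stdio.h>

/* GIC INTID ranges: SGI 0-15, PPI 16-31, SPI 32-1019. */
#define MIN_PPI_ID     16u
#define MAX_SPI_ID     1019u
/* Hypothetical model names and values, not TF-A definitions. */
#define MODEL_EINVAL   (-2)
#define MODEL_NUM_INTR (MAX_SPI_ID + 1u)

/* Constructed stand-in for per-interrupt state, one type byte per INTID. */
static uint8_t model_intr_type[MODEL_NUM_INTR];

/* Assumed shape of the weak gate: only SGI-range values are rejected. */
static int model_is_sgi(uint64_t intr) { return intr < MIN_PPI_ID; }

/* "Before": every non-SGI x1 reaches the lookup. Returns MODEL_EINVAL if
 * rejected, 0 if the lookup would stay in bounds, 1 if it would read past
 * the table. The out-of-bounds read itself is deliberately not performed. */
int model_bind_unchecked(uint64_t x1)
{
    if (model_is_sgi(x1))
        return MODEL_EINVAL;
    return x1 >= MODEL_NUM_INTR;
}

/* "After": accept only PPI/SPI INTIDs, then index the table. */
int model_bind_checked(uint64_t x1, uint8_t *type_out)
{
    if (x1 < MIN_PPI_ID || x1 > MAX_SPI_ID)
        return MODEL_EINVAL;
    *type_out = model_intr_type[x1];
    return 0;
}

int main(void)
{
    /* Constructed x1 values: SGI, valid SPI, first invalid ID, large value. */
    const uint64_t samples[] = { 3, 40, 1020, 0xFFFFFFFFull };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t type = 0;
        printf("x1=%llu unchecked=%d checked=%d\n",
               (unsigned long long)samples[i],
               model_bind_unchecked(samples[i]),
               model_bind_checked(samples[i], &type));
    }
    return 0;
}
```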

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2023-49100
OESA-2024-1264

Affected Products

Debian
Arm Trusted Firmware