catalinv-ncc opened a new issue, #19228:
URL: https://github.com/apache/nuttx/issues/19228

   ### Description / Steps to reproduce the issue
   
   nuttx/drivers/crypto/pnt/pnt_se05x_api: Minor Overflow in Secure Element 
Driver May Cause a DoS
   
   # Impact
   
   Invalid data is passed to the NXP Plug & Trust Nano Package used by the 
NuttX secure element driver. If the NXP code is not handling the malformed 
data, a corruption can occur. Alternatively, if the attacker is able to point 
`create_signature_args->algorithm` in memory at an address that is not 
accessible, a crash can occur.
   
   # Description
   
   The following NuttX snippet shows that there are seven valid entries in the 
algorithm mapping array:
   
   ```c
   static const SE05x_ECSignatureAlgo_t
       signature_algorithm_mapping[SE05X_ALGORITHM_SIZE] =
   {
           kSE05x_ECSignatureAlgo_NA,      kSE05x_ECSignatureAlgo_PLAIN,
           kSE05x_ECSignatureAlgo_SHA,     kSE05x_ECSignatureAlgo_SHA_224,
           kSE05x_ECSignatureAlgo_SHA_256, kSE05x_ECSignatureAlgo_SHA_384,
           kSE05x_ECSignatureAlgo_SHA_512
   };
   ```
   
   Note however that the user space caller can pass any value in 
`create_signature_args->algorithm` (through the `ioctl()` call). Since the 
value is not tested to be less than the maximum allowed of 
`SE05X_ALGORITHM_SIZE (7)`, a memory overread will occur when reading 
`signature_algorithm_mapping[create_signature_args->algorithm]`. An attacker 
that can force a read from a memory location that is read protected or not 
mapped, can consistently cause a kernel crash.
   
   ```c
   int pnt_se05x_create_signature(
       FAR struct se05x_dev_s *se05x,
       FAR struct se05x_signature_s *create_signature_args)
   {
     create_signature_args->signature.buffer_content_size =
         create_signature_args->signature.buffer_size;
     int result =
         Se05x_API_ECDSASign(
             &(se05x->pnt->session), create_signature_args->key_id,
             signature_algorithm_mapping[create_signature_args->algorithm],
             create_signature_args->tbs.buffer,
             create_signature_args->tbs.buffer_content_size,
             create_signature_args->signature.buffer,
             &create_signature_args->signature.buffer_content_size) == SM_OK ? 
0 : -EIO;
     return result;
   }
   ```
   
   A similar problem occurs in `pnt_se05x_verify_signature()`, however the code 
is not added here, for brevity.
   
   # Recommendation
   
   Before the `Se05x_API_ECDSASign()` call add:
   
   ```c
       /* Validate algorithm is within bounds */
       if (create_signature_args->algorithm >= SE05X_ALGORITHM_SIZE)
         {
           /* Invalid algorithm*/
           return -EINVAL;
         }
   ```
   
   ### On which OS does this issue occur?
   
   [OS: Linux]
   
   ### What is the version of your OS?
   
   Ubuntu 24.04
   
   ### NuttX Version
   
   master
   
   ### Issue Architecture
   
   [Arch: all]
   
   ### Issue Area
   
   [Area: Drivers]
   
   ### Host information
   
   _No response_
   
   ### Verification
   
   - [x] I have verified before submitting the report.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to