This is an automated email from the ASF dual-hosted git repository.
xiaoxiang781216 pushed a commit to branch releases/13.0
in repository https://gitbox.apache.org/repos/asf/nuttx.git
The following commit(s) were added to refs/heads/releases/13.0 by this push:
new 2f1da092f2a nuttx/drivers/crypto/pnt/pnt_se05x_api: Minor Overflow in
Secure Element Driver May Cause a DoS
2f1da092f2a is described below
commit 2f1da092f2a871c0a32ff33ac11c9121b402cd42
Author: Catalin Visinescu <[email protected]>
AuthorDate: Sat Jun 27 00:43:59 2026 -0400
nuttx/drivers/crypto/pnt/pnt_se05x_api: Minor Overflow in Secure Element
Driver May Cause a DoS
Invalid data is passed to the NXP Plug & Trust Nano Package used by the
NuttX secure element driver. If the NXP code is not handling the malformed
data, a corruption can occur. Alternatively, if the attacker is able to
point create_signature_args->algorithm in memory at an address that is not
accessible, a crash can occur.
Applicable to:
* `signature_algorithm_mapping[create_signature_args->algorithm]`
* `signature_algorithm_mapping[verify_signature_args->algorithm]`
Signed-off-by: Catalin Visinescu <[email protected]>
---
drivers/crypto/pnt/pnt_se05x_api.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/crypto/pnt/pnt_se05x_api.c
b/drivers/crypto/pnt/pnt_se05x_api.c
index aef7471e068..46f2892576d 100644
--- a/drivers/crypto/pnt/pnt_se05x_api.c
+++ b/drivers/crypto/pnt/pnt_se05x_api.c
@@ -308,6 +308,12 @@ int pnt_se05x_create_signature(
{
create_signature_args->signature.buffer_content_size =
create_signature_args->signature.buffer_size;
+
+ if (create_signature_args->algorithm >= SE05X_ALGORITHM_SIZE)
+ {
+ return -EINVAL;
+ }
+
int result =
Se05x_API_ECDSASign(
&(se05x->pnt->session), create_signature_args->key_id,
@@ -327,6 +333,12 @@ int pnt_se05x_verify_signature(
FAR struct se05x_signature_s *verify_signature_args)
{
SE05x_Result_t se05x_result;
+
+ if (verify_signature_args->algorithm >= SE05X_ALGORITHM_SIZE)
+ {
+ return -EINVAL;
+ }
+
int result =
Se05x_API_ECDSAVerify(
&(se05x->pnt->session), verify_signature_args->key_id,