This is an automated email from the ASF dual-hosted git repository.

xiaoxiang781216 pushed a commit to branch releases/13.0
in repository https://gitbox.apache.org/repos/asf/nuttx.git


The following commit(s) were added to refs/heads/releases/13.0 by this push:
     new 2f1da092f2a nuttx/drivers/crypto/pnt/pnt_se05x_api: Minor Overflow in 
Secure Element Driver May Cause a DoS
2f1da092f2a is described below

commit 2f1da092f2a871c0a32ff33ac11c9121b402cd42
Author: Catalin Visinescu <[email protected]>
AuthorDate: Sat Jun 27 00:43:59 2026 -0400

    nuttx/drivers/crypto/pnt/pnt_se05x_api: Minor Overflow in Secure Element 
Driver May Cause a DoS
    
    Invalid data is passed to the NXP Plug & Trust Nano Package used by the
    NuttX secure element driver. If the NXP code is not handling the malformed
    data, a corruption can occur. Alternatively, if the attacker is able to
    point create_signature_args->algorithm in memory at an address that is not
    accessible, a crash can occur.
    
    Applicable to:
    * `signature_algorithm_mapping[create_signature_args->algorithm]`
    * `signature_algorithm_mapping[verify_signature_args->algorithm]`
    
    Signed-off-by: Catalin Visinescu <[email protected]>
---
 drivers/crypto/pnt/pnt_se05x_api.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/crypto/pnt/pnt_se05x_api.c 
b/drivers/crypto/pnt/pnt_se05x_api.c
index aef7471e068..46f2892576d 100644
--- a/drivers/crypto/pnt/pnt_se05x_api.c
+++ b/drivers/crypto/pnt/pnt_se05x_api.c
@@ -308,6 +308,12 @@ int pnt_se05x_create_signature(
 {
   create_signature_args->signature.buffer_content_size =
       create_signature_args->signature.buffer_size;
+
+  if (create_signature_args->algorithm >= SE05X_ALGORITHM_SIZE)
+    {
+      return -EINVAL;
+    }
+
   int result =
       Se05x_API_ECDSASign(
           &(se05x->pnt->session), create_signature_args->key_id,
@@ -327,6 +333,12 @@ int pnt_se05x_verify_signature(
     FAR struct se05x_signature_s *verify_signature_args)
 {
   SE05x_Result_t se05x_result;
+
+  if (verify_signature_args->algorithm >= SE05X_ALGORITHM_SIZE)
+    {
+      return -EINVAL;
+    }
+
   int result =
       Se05x_API_ECDSAVerify(
           &(se05x->pnt->session), verify_signature_args->key_id,

Reply via email to