Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021.
Vulnerability Details When processing the CSN.1 decoding of the “E-UTRAN Individual Priority Parameters” element, the function rr_decode_eutran_individual_priority_para_description implements a two-depth nested repetition (Repeated Individual E-UTRAN Priority Parameters Description struct and its child element EARFCN).
The outer loop is iterated by checking on the single bit representing the ongoing repetition, and while that equals “1”, a new Repeated Individual E-UTRAN Priority Parameters Description struct is processed.
Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021.
Vulnerability Details When processing the CSN.1 decoding of the “UTRAN (3G) Individual Priority Parameters” element, the function rr_decode_3g_individual_priority_para_description implements a two-depth nested repetition (Repeated Individual UTRAN Priority Parameters Description struct and its child element FDD-ARFCN).
The outer loop is iterated by checking the single bit representing the ongoing repetition, and while that equals “1”, a new Repeated Individual UTRAN Priority Parameters Description struct is processed.
Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021.
Vulnerability Details When processing the CSN.1 decoding of the “E-UTRAN IPP with extended EARFCNs” element, the function rr_decode_eutran_ipp_extended_earfcns implements a two-depth nested repetition (Repeated Individual E-UTRAN PP with extended EARFCNs Description struct and its child element EARFCN_extended).
The outer loop is iterated by checking the single bit representing the ongoing repetition, and while that equals “1”, a new Repeated Individual E-UTRAN PP with extended EARFCNs Description struct is processed.
Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021.
Vulnerability Details When processing the GSM Radio Resource Management Channel Release message, the CSN.1 decoding of the “Cell selection indicator after release of all TCH and SDCCH” information element contains a heap buffer overflow in the function FDD_csrr_decode_redirection_ie. The “Cell selection indicator after release of all TCH and SDCCH” is a type 4 information element with a minimum length of 4 octets.
Summary During the regular boot sequence, Huawei’s BootROM initializes the UFS hardware and the crypto engine in order to load and verify the next stage bootloader image from flash. However, when run in download mode, which maybe used for factory flashing and repair purposes, a connected host can communicate with the BootROM via USB over a serial communication channel.
The basis of the communication is a slightly modified version of XMODEM protocol. The first frame to be sent must be the head chunk, which defines the destination address and the size of the file to be downloaded via the following data chunks.
Summary During the regular boot sequence, Huawei’s BootROM initializes the UFS hardware and the crypto engine in order to load and verify the next stage bootloader image from flash. However, when run in download mode, which maybe used for factory flashing and repair purposes, a connected host can communicate with the BootROM via USB.
In this case, the BootROM acts as a USB1.1 Serial-over-USB gadget, with a single data endpoint. Based on kernel sources, the USB device appears to be a Synopsys DesignWare USB 3.0 controller. Although the implementation of the USB stack in the Linux kernel and the BootROM is quite different (latter is orders of magnitude simpler), the offsets and the register map of the device can be learned from (drivers/usb/dwc3):
Summary Due to a race condition in input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow.
The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers.
The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA).
The race condition vulnerability is in the ciphering command implementation of RSA decryption.
Summary Due to a race condition in input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow.
The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers.
The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA).
The race condition vulnerability is in the ciphering command implementation of RSA encryption.
Summary Due to missing input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow.
The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers.
The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA).
For each type, there are two types of implementations: