CVE-2023-33913: Unisoc TrustZone DRM Trustlet Stack Buffer Overflow

We have identified a new stack buffer overflow vulnerability in Unisoc’s TrustZone implementation. The vulnerability can be exploited to achieve arbitrary code execution in the DRM Trustlet’s runtime. The vulnerability we are disclosing in this advisory affected a wide range of Unisoc devices, including phones on the newest chipsets. The August 2023 issue of the Unisoc Security Bulletin lists this vulnerability as CVE-2023-33913.

Vulnerability Details

The Trusted Execution Environment (TEE) implementation of Unisoc Tiger chipsets on certain devices uses a modified version of Google’s TEE implementation called Trusty. Trusty is an open-source trusted OS based on Little Kernel. The kernel runs in 64-bit mode; however, the trustlets are 32-bit ELF images baked into the TOS binary together with the kernel image.

Huawei Hypervisor HKIP Bypass

We have identified a new vulnerability in Huawei’s Hypervisor implementation. The vulnerability can be exploited to bypass Huawei’s HKIP (Kernel Integrity Protection) exploit mitigations. The vulnerability we are disclosing in this advisory affected a wide range of Huawei devices, including phones on the newest chipsets. The vendor did not produce a fix or a CVE for the reported vulnerability.

Vulnerability Details

The Huawei Hypervisor Execution Environment (HEE) implements additional memory address protection for the Linux kernel by restricting certain memory accesses using stage 2 translation. However, the HEE also exposes an API to the Linux kernel via Hypervisor Calls (HVC) that can be used directly to modify the stage 2 translation tables and therefore remove the protections, bypassing the intended exploit mitigation entirely.