Due to missing input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow.
The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers.
The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA).
For each type, there are two types of implementations:
- one kind expects input command structures that themselves have fields that will hold the results, so it copies results directly into them,
- the other kind expects pointers to Trustlet memory in the input command structures that are going to be mapped into driver address space separately to copy the results into them.
The buffer overflow vulnerability is in the ciphering command implementation of the second kind.
When the process_cipher_tdea() function executes a request from a Trustlet to perform a 3DES operation, the following are all taken directly from the command structure supplied by the calling Trustlet without validation:
- input buffer pointer and length
- output buffer pointer and length
- encryption key
Therefore, if the supplied output length is shorter than the supplied input length, a buffer overflow is going to occur from the area where the output buffer is mapped into the SCrypto secure driver’s address space. Since 3DES is a symmetric block cipher, the output will be the same as the input length, and since the caller controls the algorithm type, iv, and key, the output written is fully controlled.
Samsung mobile devices with M(6,x) and N(7.0) software.
Samsung security update SMR-NOV-2017 fixed this vulnerability.
Reported: 2017-04-19 Fixed: 2017-11-02