Summary

Due to a race condition in input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow.

The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers.

The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA).

The race condition vulnerability is in the ciphering command implementation of RSA encryption.

When a Trustlet issues an RSA encryption command to the drier, the process_cipher_rsa() function parses the command structure provided by the calling Trustlet, it verifies that the output length is not smaller than the input length. However, this check is done on the command structure that is mapped directly from the Trustlet address space into the driver address space via drApiMapTaskBuffer. When the input validation checks pass, the mapped command structure is passed to the RSA_public_encrypt function to execute the RSA encryption. This function reads the input and output length a second time from the mapped buffer, this time without validating the values that are read, before actually mapping the input and output buffers into the driver address space. As a result, a race condition exists where a maliciously behaving Trrustlet can switch the value of the output buffer length that is supplied in the command structure in shared memory to the driver such that the output of the RSA encryption causes a buffer overflow.

Affected Versions

Samsung mobile devices with M(6,x) and N(7.0) software.

Fix

Samsung security update SMR-NOV-2017 fixed this vulnerability.

Timeline

Reported: 2017-04-24 Fixed: 2017-11-02