Advisory TFV-11 (CVE-2023-49100)
================================

+----------------+-------------------------------------------------------------+
| Title          | A Malformed SDEI SMC can cause out of bound memory read.    |
+================+=============================================================+
| CVE ID         | `CVE-2023-49100`_                                           |
+----------------+-------------------------------------------------------------+
| Date           | Reported on 12 Oct 2023                                     |
+----------------+-------------------------------------------------------------+
| Versions       | TF-A releases v1.5 to v2.9                                  |
| Affected       | LTS releases lts-v2.8.0 to lts-v2.8.11                      |
+----------------+-------------------------------------------------------------+
| Configurations | Platforms with SDEI support                                 |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Denial of Service (secure world panic)                      |
+----------------+-------------------------------------------------------------+
| Fix Version    | `a7eff3477`_ "fix(sdei): ensure that interrupt ID is valid" |
+----------------+-------------------------------------------------------------+
| Credit         | Christian Lindenmeier `@_chli_`_                            |
|                | Marcel Busch `@0ddc0de`_                                    |
|                | `IT Security Infrastructures Lab`_                          |
+----------------+-------------------------------------------------------------+

This security advisory describes a vulnerability in the SDEI services, where a
rogue Non-secure caller invoking an SDEI_INTERRUPT_BIND SMC call with an invalid
interrupt ID causes an out-of-bounds memory read in EL3.

SDEI_INTERRUPT_BIND is used to bind any physical interrupt into a normal
priority SDEI event. The interrupt can be a private peripheral interrupt
(PPI) or a shared peripheral interrupt (SPI).
Refer to SDEI_INTERRUPT_BIND in the `SDEI Specification`_ for further details.

The vulnerability exists when the SDEI client passes an interrupt ID which
is not implemented by the GIC. The caller-controlled ID reaches the GIC driver
without being validated, and the result is a data abort exception or an EL3
panic, depending on the GIC version used in the system.

- **GICv2 systems:**

.. code:: c

    Call stack:
    sdei_interrupt_bind(interrupt ID)
     -> plat_ic_get_interrupt_type(interrupt ID)
      -> gicv2_get_interrupt_group(interrupt ID)
       -> gicd_get_igroupr(distributor base, interrupt ID)
        -> gicd_read_igroupr(distributor base, interrupt ID).

    gicd_read_igroupr() will eventually do an MMIO read to an unimplemented IGROUPR
    register, which may cause a data abort or an access to a random EL3 memory region.

- **GICv3 systems:**

.. code:: c

    Call stack:
    sdei_interrupt_bind(interrupt ID)
     -> plat_ic_get_interrupt_type(interrupt ID)
      -> gicv3_get_interrupt_group(interrupt ID, core ID)
       -> is_sgi_ppi(interrupt ID)

    is_sgi_ppi() will end up in an EL3 panic on encountering an invalid interrupt ID.

The vulnerability is fixed by ensuring that the interrupt ID provided by the
SDEI client is a valid PPI or SPI before any GIC register is touched; otherwise
an error code indicating that the parameter is invalid is returned.

.. code:: c

    /* Bind an SDEI event to an interrupt */
    static int sdei_interrupt_bind(unsigned int intr_num)
    {
        sdei_ev_map_t *map;
        bool retry = true, shared_mapping;

        /* Interrupt must be either PPI or SPI */
        if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))
            return SDEI_EINVAL;

.. _CVE-2023-49100: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49100
.. _a7eff3477: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624c74f5217419b1a27b7ebd2aa
.. _IT Security Infrastructures Lab: https://www.cs1.tf.fau.de/
.. _SDEI Specification: https://developer.arm.com/documentation/den0054/latest/
.. _@_chli_: https://twitter.com/_chli_
.. _@0ddc0de: https://twitter.com/0ddc0de
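The following is an added example, not code from TF-A or from this advisory, that models the pre-fix and post-fix shape of the bind path in plain C. A 32-entry array stands in for the GICv2 distributor's IGROUPR registers, ``model_read_igroupr()`` counts any index that would leave that window instead of faulting, and ``bind_checked()`` applies the same PPI/SPI guard as the fix. The helper names, the modelled register count, the sample group bits and the sample INTIDs are assumptions; the INTID ranges (PPI 16-31, SPI 32-1019, special INTIDs 1020-1023) and the SDEI_EINVAL value (-2) are the architectural and specification values. GICv3 extended PPI/SPI ranges are deliberately left out of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural GICv2 INTID ranges. The GICv3 extended PPI/SPI ranges are
 * intentionally not modelled here. */
#define MIN_PPI_ID 16U
#define MIN_SPI_ID 32U
#define MAX_SPI_ID 1019U   /* 1020-1023 are special INTIDs, never bindable */

/* SDEI "invalid parameters" return code (value from the SDEI specification). */
#define SDEI_EINVAL (-2)

/* Modelled distributor: 32 IGROUPR registers, one bit per INTID, cover
 * INTIDs 0-1023. The group bits are constructed sample data, not a dump from
 * real hardware: only INTID 40 is placed in group 1. */
#define NUM_IGROUPR 32U
static uint32_t gicd_igroupr[NUM_IGROUPR] = { [1] = 1U << 8 };

/* Number of simulated MMIO reads that fell outside the IGROUPR window. On
 * hardware such a read is a data abort or a read of whatever EL3-mapped memory
 * follows the distributor; the model only counts it so a test can observe it. */
static unsigned int oob_reads;

unsigned int oob_read_count(void) { return oob_reads; }

/* Stand-in for gicd_read_igroupr(): register index = INTID / 32. */
static uint32_t model_read_igroupr(unsigned int id)
{
    unsigned int idx = id >> 5;
    if (idx >= NUM_IGROUPR) {
        oob_reads++;          /* the access the fix prevents */
        return 0U;
    }
    return gicd_igroupr[idx];
}

/* Hypothetical simplified equivalents of TF-A's plat_ic_is_ppi()/plat_ic_is_spi(). */
static bool model_is_ppi(unsigned int id) { return id >= MIN_PPI_ID && id < MIN_SPI_ID; }
static bool model_is_spi(unsigned int id) { return id >= MIN_SPI_ID && id <= MAX_SPI_ID; }

/* Pre-fix shape of the bind path: the caller-supplied INTID reaches the GIC
 * driver unvalidated. Returns the interrupt's group bit (0 or 1). */
int bind_unchecked(unsigned int intr_num)
{
    uint32_t reg = model_read_igroupr(intr_num);
    return (int)((reg >> (intr_num & 31U)) & 1U);
}

/* Post-fix shape: reject anything that is not a PPI or SPI before the first
 * register access, returning SDEI_EINVAL like the fixed sdei_interrupt_bind(). */
int bind_checked(unsigned int intr_num)
{
    if (!(model_is_ppi(intr_num) || model_is_spi(intr_num)))
        return SDEI_EINVAL;
    uint32_t reg = model_read_igroupr(intr_num);
    return (int)((reg >> (intr_num & 31U)) & 1U);
}

int main(void)
{
    /* Constructed inputs: a valid SPI, an SGI, a special INTID, a huge INTID. */
    const unsigned int ids[] = { 40U, 5U, 1020U, 0xFFFFFFFFU };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        int unchecked = bind_unchecked(ids[i]);
        unsigned int faults = oob_read_count();
        int checked = bind_checked(ids[i]);
        printf("INTID %10u: unchecked=%d (oob reads so far %u) checked=%d\n",
               ids[i], unchecked, faults, checked);
    }
    return 0;
}
```

Two points carry over to real platform code. The guard has to run before the first distributor access, not after, because on GICv3 the same unvalidated ID reaches ``is_sgi_ppi()`` and panics before any IGROUPR read happens, so a check placed later in the driver would not help. And on GICv3 platforms that use extended PPIs or SPIs, the PPI/SPI predicates must accept those ranges too, otherwise the fix turns legitimate binds of extended interrupts into SDEI_EINVAL.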