
Issue 938

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Cc:




Samsung: Stack buffer overflow in OTP TrustZone trustlet

Reported by laginimaineb@google.com, Sep 13 2016

Issue description

As a part of the KNOX extensions available on Samsung devices, Samsung provides a TrustZone trustlet which allows the generation of OTP tokens.

The tokens themselves are generated in a TrustZone application within the TEE (UID: fffffffff0000000000000000000001e), which can be communicated with using the "OTP" service, published by "otp_server".

Many of the internal commands supported by the trustlet must either unwrap or wrap a token. They do so by calling the functions "otp_unwrap" and "otp_wrap", respectively.

Both functions copy the internal token data to a local stack-based buffer before attempting to wrap or unwrap it. However, this copy operation uses a length field supplied in the user's buffer (the offset of the length field changes according to the calling code path), and that length is not validated at all.

This means an attacker can supply a length field larger than the stack-based buffer, causing the user-controlled token data to overflow the stack buffer. There is no stack cookie mitigation in MobiCore trustlets.

On the device I'm working on (SM-G925V), the "OTP" service can be accessed from any user, including from the SELinux context "untrusted_app". Successfully exploiting this vulnerability should allow a user to elevate privileges to the TrustZone TEE.

I've attached a small PoC which can be used to trigger the overflow. It calls the OTP_GENERATE_OTP command with a large length field which overflows the trustlet's stack. Running it should crash the OTP trustlet.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
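The defect described above is a classic unchecked-length copy: a caller-controlled length field is used as the size of a memcpy into a fixed-size stack buffer. The following is an added example written for this page, not the trustlet's code or the reporter's PoC; it shows the bounds checks a wrap/unwrap routine needs before copying token data onto the stack. The message layout (a header of `len_off` bytes, a little-endian 32-bit length, then the token bytes), the buffer size `TOKEN_BUF_SIZE`, the function names and the error codes are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the local token buffer; the real trustlet's size is not on the page. */
#define TOKEN_BUF_SIZE 64u

enum otp_status {
    OTP_OK = 0,
    OTP_ERR_BAD_LENGTH = -1,  /* caller-supplied length exceeds the local buffer */
    OTP_ERR_SHORT_MSG  = -2,  /* length field or token bytes run past the end of the message */
    OTP_ERR_BAD_ARG    = -3
};

/* Reads a little-endian 32-bit value (constructed layout assumption). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Hardened copy (hypothetical): the untrusted length at msg[len_off..len_off+4)
 * is checked against (a) the fixed-size local buffer and (b) the bytes actually
 * present in the message before anything is copied to the stack. The issue
 * describes otp_unwrap/otp_wrap performing this copy with no such check.
 */
int otp_copy_token_checked(const uint8_t *msg, size_t msg_len, size_t len_off,
                           uint8_t *out, size_t out_cap, size_t *out_len)
{
    uint8_t token[TOKEN_BUF_SIZE];   /* the stack buffer being protected */
    uint32_t claimed;

    if (msg == NULL || out == NULL || out_len == NULL)
        return OTP_ERR_BAD_ARG;
    if (len_off > msg_len || msg_len - len_off < 4)
        return OTP_ERR_SHORT_MSG;    /* length field itself is not fully inside the message */

    claimed = read_le32(msg + len_off);
    if (claimed > sizeof token)      /* the check the vulnerable code lacked */
        return OTP_ERR_BAD_LENGTH;
    if (claimed > msg_len - len_off - 4)
        return OTP_ERR_SHORT_MSG;    /* never read past the caller's buffer either */
    if (claimed > out_cap)
        return OTP_ERR_BAD_ARG;

    memcpy(token, msg + len_off + 4, claimed);   /* now provably within bounds */
    /* A real wrap/unwrap would transform token[] here; this example just returns it. */
    memcpy(out, token, claimed);
    *out_len = claimed;
    return OTP_OK;
}

/* Builds a constructed message: len_off zeroed header bytes, a LE32 length field,
 * then token_len token bytes. Returns the message size, or 0 if dst is too small.
 * The claimed length is deliberately independent of token_len so that
 * inconsistent inputs can be produced for testing the checks. */
size_t build_msg(uint8_t *dst, size_t dst_cap, size_t len_off,
                 uint32_t claimed_len, const uint8_t *token, size_t token_len)
{
    size_t total = len_off + 4 + token_len;
    if (total > dst_cap)
        return 0;
    memset(dst, 0, len_off);
    dst[len_off + 0] = (uint8_t)(claimed_len);
    dst[len_off + 1] = (uint8_t)(claimed_len >> 8);
    dst[len_off + 2] = (uint8_t)(claimed_len >> 16);
    dst[len_off + 3] = (uint8_t)(claimed_len >> 24);
    memcpy(dst + len_off + 4, token, token_len);
    return total;
}

int main(void)
{
    uint8_t tok[16], msg[128], out[TOKEN_BUF_SIZE];
    size_t n, got;
    for (int i = 0; i < 16; i++)
        tok[i] = (uint8_t)(i + 1);

    n = build_msg(msg, sizeof msg, 8, 16, tok, sizeof tok);       /* consistent */
    printf("consistent length: status %d\n", otp_copy_token_checked(msg, n, 8, out, sizeof out, &got));
    n = build_msg(msg, sizeof msg, 8, 4096, tok, sizeof tok);     /* oversized length field */
    printf("oversized length:  status %d\n", otp_copy_token_checked(msg, n, 8, out, sizeof out, &got));
    return 0;
}
```

The two checks matter independently: the first protects the local buffer (the overflow in this report), the second stops the copy reading beyond the shared input buffer when the claimed length is larger than the data the caller actually supplied.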

Attachment: OneWhoKNOX.java (1.9 KB)
Labels: -Restrict-View-Commit Deadline-Exceeded
Status: Started (was: New)
Samsung has started rolling out the fix this month. Deadline exceeded -- automatically derestricting.
Labels: SVE-2016-7173
Status: New (was: Started)
Newest version (G925VVRU4CPK2_G925VVZW4CPK2_VZW) remains unpatched.
Status: Fixed (was: New)
G925VVRU4CPK2_G925VVZW4CPK2_VZW was on the November SMR -- verified fix on G930FXXU1BPLB_G930FUUB1BPL4_UPO.
Summary: Samsung: Stack buffer overflow in OTP TrustZone trustlet (was: Stack buffer overflow in OTP TrustZone trustlet)
