Description / Steps to reproduce the issue
nuttx/drivers/crypto/pnt/pnt_se05x_api: Minor Overflow in Secure Element Driver May Cause a DoS
Impact
An out-of-range value is read from beyond the end of the algorithm mapping table and passed to the NXP Plug & Trust Nano Package used by the NuttX secure element driver. If the NXP code does not handle the malformed data, memory corruption can occur. Alternatively, if an attacker can make the read through create_signature_args->algorithm land on an address that is not accessible, a crash can occur.
Description
The following NuttX snippet shows that there are seven valid entries in the algorithm mapping array:
static const SE05x_ECSignatureAlgo_t
signature_algorithm_mapping[SE05X_ALGORITHM_SIZE] =
{
  kSE05x_ECSignatureAlgo_NA, kSE05x_ECSignatureAlgo_PLAIN,
  kSE05x_ECSignatureAlgo_SHA, kSE05x_ECSignatureAlgo_SHA_224,
  kSE05x_ECSignatureAlgo_SHA_256, kSE05x_ECSignatureAlgo_SHA_384,
  kSE05x_ECSignatureAlgo_SHA_512
};
Note, however, that the user space caller can pass any value in create_signature_args->algorithm (through the ioctl() call). Since the value is never checked to be less than SE05X_ALGORITHM_SIZE (7), an out-of-bounds read occurs when indexing signature_algorithm_mapping[create_signature_args->algorithm]. An attacker who can force a read from a memory location that is read-protected or not mapped can consistently cause a kernel crash.
int pnt_se05x_create_signature(
  FAR struct se05x_dev_s *se05x,
  FAR struct se05x_signature_s *create_signature_args)
{
  create_signature_args->signature.buffer_content_size =
    create_signature_args->signature.buffer_size;

  int result =
    Se05x_API_ECDSASign(
      &(se05x->pnt->session), create_signature_args->key_id,
      signature_algorithm_mapping[create_signature_args->algorithm],
      create_signature_args->tbs.buffer,
      create_signature_args->tbs.buffer_content_size,
      create_signature_args->signature.buffer,
      &create_signature_args->signature.buffer_content_size) == SM_OK ? 0 : -EIO;

  return result;
}
A similar problem occurs in pnt_se05x_verify_signature(); its code is omitted here for brevity.
Recommendation
Before the Se05x_API_ECDSASign() call, add:

/* Validate that algorithm is within bounds */

if (create_signature_args->algorithm >= SE05X_ALGORITHM_SIZE)
  {
    /* Invalid algorithm */

    return -EINVAL;
  }
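As an added, self-contained illustration of the recommended check (not code from the NuttX driver or the NXP package): the enum values and the index type are assumptions, and the lookup compares the caller-supplied index as unsigned so that a negative value is rejected as well, should the ioctl field be a signed integer.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-in for the NXP enum: names follow the issue, values are
 * arbitrary. */
typedef enum {
  kSE05x_ECSignatureAlgo_NA, kSE05x_ECSignatureAlgo_PLAIN,
  kSE05x_ECSignatureAlgo_SHA, kSE05x_ECSignatureAlgo_SHA_224,
  kSE05x_ECSignatureAlgo_SHA_256, kSE05x_ECSignatureAlgo_SHA_384,
  kSE05x_ECSignatureAlgo_SHA_512
} SE05x_ECSignatureAlgo_t;

#define SE05X_ALGORITHM_SIZE 7

static const SE05x_ECSignatureAlgo_t
signature_algorithm_mapping[SE05X_ALGORITHM_SIZE] = {
  kSE05x_ECSignatureAlgo_NA, kSE05x_ECSignatureAlgo_PLAIN,
  kSE05x_ECSignatureAlgo_SHA, kSE05x_ECSignatureAlgo_SHA_224,
  kSE05x_ECSignatureAlgo_SHA_256, kSE05x_ECSignatureAlgo_SHA_384,
  kSE05x_ECSignatureAlgo_SHA_512
};

/* Guarded lookup. The ioctl-supplied index is compared as unsigned, so a
 * negative value (possible if the field is a signed int) is rejected as
 * well as anything >= SE05X_ALGORITHM_SIZE. */
int se05x_map_signature_algorithm(int algorithm,
                                  SE05x_ECSignatureAlgo_t *out)
{
  if (out == NULL || (unsigned int)algorithm >= SE05X_ALGORITHM_SIZE) {
    return -EINVAL;
  }
  *out = signature_algorithm_mapping[algorithm];
  return 0;
}

/* Model of the driver entry point: fail with -EINVAL before the table is
 * read, so the NXP library never receives an out-of-range algorithm. */
int se05x_create_signature_checked(int algorithm)
{
  SE05x_ECSignatureAlgo_t algo;
  int ret = se05x_map_signature_algorithm(algorithm, &algo);
  if (ret < 0) {
    return ret;
  }
  /* Se05x_API_ECDSASign(&session, key_id, algo, ...) would be issued here */
  return 0;
}
```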
On which OS does this issue occur?
[OS: Linux]
What is the version of your OS?
Ubuntu 24.04
NuttX Version
master
Issue Architecture
[Arch: all]
Issue Area
[Area: Drivers]
Host information
No response
Verification