Fixed CVE-2022-40760

Signed-off-by: Taras Drozdovskyi <[email protected]>

.github/SECURITY.md

@@ -15,7 +15,7 @@ We are releasing patches to eliminate vulnerabilities, you can see below:
 | 0.4.0       | Fixed        |                    | CVE-2019-1010296                               |
 | 0.4.1       | Fixed        |                    | CVE-2022-36621, CVE-2022-36622, CVE-2022-38155,|
 |             |              |                    | CVE-2022-40762, CVE-2022-40759, CVE-2022-40761,|
-|             |              |                    | CVE-2022-35858                                 |
+|             |              |                    | CVE-2022-35858, CVE-2022-40760                 |
 
 ---
 

Kconfig

@@ -259,6 +259,16 @@ endmenu
 #source "libc/Kconfig"
 #endmenu
 
+menu "GP TEE Configuration"
+
+config MAX_CRYPTO_CHUNK_SIZE
+	hex "Maximum crypto chunk size (hex)"
+	default 0x400
+	default 0x00010000 if BOOTLOADER2
+	---help---
+		"Maximum chunk size for TEE crypto operations. Keep in mind that this is the heap size..."
+endmenu
+
 menu "Application Configuration"
 source "apps/Kconfig"
 endmenu

configs/m2351_badge/defconfig

@@ -428,6 +428,11 @@ CONFIG_GCC_VERSION="arm-none-eabi-6-2017-q2-update-linux"
 CONFIG_GCC_SITE="https://armkeil.blob.core.windows.net/developer/Files/downloads/gnu-rm/6-2017q2"
 CONFIG_GCC_FOLDER="gcc-arm-none-eabi-6-2017-q2-update"
 
+#
+# GP TEE Configuration
+#
+CONFIG_MAX_CRYPTO_CHUNK_SIZE=0x400
+
 #
 # Application Configuration
 #

configs/mps2_an505_qemu/defconfig

@@ -134,6 +134,11 @@ CONFIG_PLATFORM_MPS2_AN505_QEMU=y
 #
 CONFIG_GCC_VERSION_8_2018Q4=y
 
+#
+# GP TEE Configuration
+#
+CONFIG_MAX_CRYPTO_CHUNK_SIZE=0x400
+
 #
 # Application Configuration
 #

configs/numaker_pfm_m2351/defconfig

@@ -48,6 +48,7 @@ CONFIG_START_ADDRESS_BL33=0x10040000
 # System Type
 #
 CONFIG_ARCH_CORTEX_M23=y
+# CONFIG_ARCH_CORTEX_M33 is not set
 CONFIG_ARCH="cortex-m23"
 CONFIG_ARCH_FAMILY_M2351=y
 CONFIG_ARCH_FAMILY="m2351"
@@ -391,8 +392,6 @@ CONFIG_SAU_INIT_END0=0x20008000
 # CONFIG_REGION0_NONSECURE is not set
 CONFIG_REGION0_SECURE=y
 # CONFIG_SAU_INIT_REGION1 is not set
-# CONFIG_REGION1_NONSECURE is not set
-# CONFIG_REGION1_SECURE is not set
 # CONFIG_SAU_INIT_REGION2 is not set
 CONFIG_SAU_INIT_REGION3=y
 CONFIG_SAU_INIT_START3=0x0003F000
@@ -430,6 +429,11 @@ CONFIG_GCC_VERSION="arm-none-eabi-6-2017-q2-update-linux"
 CONFIG_GCC_SITE="https://armkeil.blob.core.windows.net/developer/Files/downloads/gnu-rm/6-2017q2"
 CONFIG_GCC_FOLDER="gcc-arm-none-eabi-6-2017-q2-update"
 
+#
+# GP TEE Configuration
+#
+CONFIG_MAX_CRYPTO_CHUNK_SIZE=0x400
+
 #
 # Application Configuration
 #

tee/lib/libutee/tee_api_operations.c

@@ -38,6 +38,8 @@
 #include "tee_api_private.h"
 #include "utee_types.h"
 
+#include "config.h"
+
 TEE_Result utee_cipher_update(unsigned long state, const void *src,
     size_t src_len, void *dst, uint64_t *dst_len);
 
@@ -972,7 +974,8 @@ TEE_Result TEE_CipherUpdate(TEE_OperationHandle operation, const void *srcData,
 	if (operation == TEE_HANDLE_NULL ||
 	    (srcData == NULL && srcLen != 0) ||
 	    destLen == NULL ||
-	    (destData == NULL && *destLen != 0)) {
+	    (destData == NULL && *destLen != 0) ||
+	    (srcLen > CONFIG_MAX_CRYPTO_CHUNK_SIZE || *destLen > CONFIG_MAX_CRYPTO_CHUNK_SIZE)) {
 		res = TEE_ERROR_BAD_PARAMETERS;
 		goto out;
 	}
@@ -1185,6 +1188,9 @@ void TEE_MACUpdate(TEE_OperationHandle operation, const void *chunk,
 	if (operation->operationState != TEE_OPERATION_STATE_ACTIVE)
 		TEE_Panic(0);
 
+	if (CONFIG_MAX_CRYPTO_CHUNK_SIZE < chunkSize)
+		TEE_Panic(TEE_ERROR_BAD_PARAMETERS);
+
 	res = utee_hash_update(operation->state, chunk, chunkSize);
 	if (res != TEE_SUCCESS)
 		TEE_Panic(res);
@@ -1220,6 +1226,11 @@ TEE_Result TEE_MACComputeFinal(TEE_OperationHandle operation,
 		goto out;
 	}
 
+	if (CONFIG_MAX_CRYPTO_CHUNK_SIZE < *macLen) {
+		res = TEE_ERROR_BAD_PARAMETERS;
+		goto out;
+	}
+
 	ml = *macLen;
 	res = utee_hash_final(operation->state, message, messageLen, mac, &ml);
 	*macLen = ml;