espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 19:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix/esp-tee-validation-clobber-and-deref-before-check' into 'master'

Browse Source 
fix(esp_tee): prevent validation clobbering and deref-before-check in secure services

See merge request espressif/esp-idf!47589
This commit is contained in:
Mahavir Jain
2026-04-21 11:17:31 +05:30
parent 55185d8406 2de0ed6a2b
commit 96194f19a6
2 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
components/esp_tee/subproject/main/core/esp_secure_services.c
+10 -2
View File
@@ -392,8 +392,12 @@ esp_err_t _ss_esp_ds_sign(const void *message,
void *signature) void *signature)
{ {
bool valid_addr = esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)); bool valid_addr = esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t));
if (!valid_addr) {
return ESP_ERR_INVALID_ARG;
}
size_t n = get_ds_msg_sign_len(data->rsa_length); size_t n = get_ds_msg_sign_len(data->rsa_length);
valid_addr = (n > 0) && esp_tee_buf_in_ree(message, n) && esp_tee_buf_in_ree(signature, n); valid_addr &= (n > 0) && esp_tee_buf_in_ree(message, n) && esp_tee_buf_in_ree(signature, n);
#if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE
valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID);
@@ -415,8 +419,12 @@ esp_err_t _ss_esp_ds_start_sign(const void *message,
{ {
bool valid_addr = (esp_tee_buf_in_ree(esp_ds_ctx, sizeof(esp_ds_context_t *)) && bool valid_addr = (esp_tee_buf_in_ree(esp_ds_ctx, sizeof(esp_ds_context_t *)) &&
esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t))); esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)));
if (!valid_addr) {
return ESP_ERR_INVALID_ARG;
}
size_t n = get_ds_msg_sign_len(data->rsa_length); size_t n = get_ds_msg_sign_len(data->rsa_length);
valid_addr = (n > 0) && esp_tee_buf_in_ree(message, n); valid_addr &= (n > 0) && esp_tee_buf_in_ree(message, n);
#if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE
valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID);
components/esp_tee/subproject/main/core/esp_secure_services_iram.c
+2 -2
View File
@@ -176,7 +176,7 @@ esp_err_t _ss_esp_tee_sec_storage_aead_encrypt(const esp_tee_sec_storage_aead_ct
esp_tee_buf_in_ree(output, ctx->input_len)); esp_tee_buf_in_ree(output, ctx->input_len));
if (ctx->aad_len != 0) { if (ctx->aad_len != 0) {
valid_addr = esp_tee_buf_in_ree(ctx->aad, ctx->aad_len); valid_addr &= esp_tee_buf_in_ree(ctx->aad, ctx->aad_len);
} }
if (!valid_addr) { if (!valid_addr) {
@@ -196,7 +196,7 @@ esp_err_t _ss_esp_tee_sec_storage_aead_decrypt(const esp_tee_sec_storage_aead_ct
esp_tee_buf_in_ree(output, ctx->input_len)); esp_tee_buf_in_ree(output, ctx->input_len));
if (ctx->aad_len != 0) { if (ctx->aad_len != 0) {
valid_addr = esp_tee_buf_in_ree(ctx->aad, ctx->aad_len); valid_addr &= esp_tee_buf_in_ree(ctx->aad, ctx->aad_len);
} }
if (!valid_addr) { if (!valid_addr) {