OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20 and prior to version 3.22, `shdr_verify_signature` can make a double free. `shdr_verify_signature` used to verify a TA binary before it is loaded. To verify a signature of it, allocate a memory for RSA key. RSA key allocate function (`sw_crypto_acipher_alloc_rsa_public_key`) will try to allocate a memory (which is optee’s heap memory). RSA key is consist of exponent and modulus (represent as variable `e`, `n`) and it allocation is not atomic way, so it may succeed in `e` but fail in `n`. In this case sw_crypto_acipher_alloc_rsa_public_key` will free on `e` and return as it is failed but variable ‘e’ is remained as already freed memory address . `shdr_verify_signature` will free again that memory (which is `e`) even it is freed when it failed allocate RSA key. A patch is available in version 3.22. No known workarounds are available.
Published 2023-09-15 20:15:11
Updated 2023-09-22 19:07:17
Source GitHub, Inc.
View at NVD,   CVE.org
Vulnerability category: Memory Corruption

Products affected by CVE-2023-41325

Exploit prediction scoring system (EPSS) score for CVE-2023-41325

0.04%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-41325

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.7
MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.8
5.9
NIST
7.4
HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1.1
5.8
GitHub, Inc.

CWE ids for CVE-2023-41325

  • The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
    Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-41325

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!