OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20 and prior to version 3.22, shdr_verify_signature can make a double free. shdr_verify_signature used to verify a TA binary before it is loaded. To verify a signature of it, allocate a memory for RSA key. RSA key allocate function (sw_crypto_acipher_alloc_rsa_public_key) will try to allocate a memory (which is optee’s heap memory). RSA key is consist of exponent and modulus (represent as variable e, n) and it allocation is not atomic way, so it may succeed in e but fail in n. In this case sw_crypto_acipher_alloc_rsa_public_keywill free oneand return as it is failed but variable ‘e’ is remained as already freed memory address .shdr_verify_signaturewill free again that memory (which ise`) even it is freed when it failed allocate RSA key. A patch is available in version 3.22. No known workarounds are available.
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Op-tee | Linaro | 3.20.0 (including) | 3.22.0 (excluding) |
| Op-tee | Linaro | 3.22.0-rc1 (including) | 3.22.0-rc1 (including) |