TFMV-5: Add FWU buffer overflow advisory
Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: I61ef98f1c309f60c8895d71b3035ed5e52242c63
diff --git a/docs/security/security.rst b/docs/security/security.rst
index 0ec39bc..7f953a0 100644
--- a/docs/security/security.rst
+++ b/docs/security/security.rst
@@ -52,6 +52,11 @@
| |TFMV-3| | ``abort()`` function may not take effect in TF-M Crypto |
| | multi-part MAC/hashing/cipher operations. |
+------------+-----------------------------------------------------------------+
+| |TFMV-4| | NSPE may access secure keys stored in TF-M Crypto service |
+| | in Profile Small with Crypto key ID encoding disabled. |
++------------+-----------------------------------------------------------------+
+| |TFMV-5| | ``psa_fwu_write()`` may cause buffer overflow in SPE. |
++------------+-----------------------------------------------------------------+
.. _issue tracker: https://developer.trustedfirmware.org/project/view/2/
.. _mailing list: https://lists.trustedfirmware.org/mailman/listinfo/tf-m
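Review bot: the commit title scopes this change to the TFMV-5 advisory, but this hunk also inserts a summary-table row for TFMV-4 (`| |TFMV-4| | NSPE may access secure keys stored in TF-M Crypto service |`) and the next hunk adds the matching `|TFMV-4|` substitution, while the TFMV-4 page itself is already listed in the advisories toctree (`profile_small_key_id_encoding_vulnerability`). Either say in the commit message that the TFMV-4 row was missing from the table and is being back-filled here, or move that back-fill into its own commit so each advisory's table entry is traceable to a single change.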
@@ -59,6 +64,8 @@
.. |TFMV-1| replace:: :ref:`docs/security/security_advisories/stack_seal_vulnerability:Advisory TFMV-1`
.. |TFMV-2| replace:: :ref:`docs/security/security_advisories/svc_caller_sp_fetching_vulnerability:Advisory TFMV-2`
.. |TFMV-3| replace:: :ref:`docs/security/security_advisories/crypto_multi_part_ops_abort_fail:Advisory TFMV-3`
+.. |TFMV-4| replace:: :ref:`docs/security/security_advisories/profile_small_key_id_encoding_vulnerability:Advisory TFMV-4`
+.. |TFMV-5| replace:: :ref:`docs/security/security_advisories/fwu_write_vulnerability:Advisory TFMV-5`
.. _TrustedFirmware.org security incident process: https://developer.trustedfirmware.org/w/collaboration/security_center/
@@ -66,4 +73,4 @@
--------------
-*Copyright (c) 2020-2021, Arm Limited. All rights reserved.*
+*Copyright (c) 2020-2022, Arm Limited. All rights reserved.*
diff --git a/docs/security/security_advisories/fwu_write_vulnerability.rst b/docs/security/security_advisories/fwu_write_vulnerability.rst
new file mode 100644
index 0000000..e099f1c
--- /dev/null
+++ b/docs/security/security_advisories/fwu_write_vulnerability.rst
@@ -0,0 +1,82 @@
+Advisory TFMV-5
+===============
+
++-----------------+------------------------------------------------------------+
+| Title | ``psa_fwu_write()`` may cause buffer overflow in SPE. |
++=================+============================================================+
+| CVE ID | CVE-2021-43619 |
++-----------------+------------------------------------------------------------+
+| Public | Feb 11, 2022 |
+| Disclosure Date | |
++-----------------+------------------------------------------------------------+
+| Versions | From `3e7129f`_ to `921d0ea`_ |
+| Affected | |
++-----------------+------------------------------------------------------------+
+| Configurations | IPC model with Firmware Update partition enabled |
++-----------------+------------------------------------------------------------+
+| Impact | In IPC model, the caller of ``psa_fwu_write()`` from SPE |
+| | or NSPE can overwrite the stack memory outside of the |
+| | local buffer in Firmware Update partition. |
++-----------------+------------------------------------------------------------+
+| Fix Version | commit `78f7530`_ |
++-----------------+------------------------------------------------------------+
+| Credit | Mark Horvath, |
+| | Staff Software Engineer from Arm Ltd. |
++-----------------+------------------------------------------------------------+
+
+Background
+----------
+
+In Firmware Update partition, the ``psa_fwu_write()`` service is declared as:
+
+.. code-block:: c
+
+ /**
+ * \brief Writes an image to its staging area.
+ *
+ * Writes the image data 'block' with length 'block_size' to its staging area.
+ *
+ * \param[in] image_id The identifier of the image
+ * \param[in] block_offset The offset of the block being passed into block,
+ * in bytes
+ * \param[in] block A buffer containing a block of image data. This
+ * might be a complete image or a subset.
+ * \param[in] block_size Size of block. The size must not be greater than
+ * PSA_FWU_MAX_BLOCK_SIZE.
+ *
+ */
+ psa_status_t psa_fwu_write(psa_image_id_t image_id,
+ size_t block_offset,
+ const void *block,
+ size_t block_size);
+
+In IPC model, this service calls the ``tfm_fwu_write_ipc()`` API to write
+the input data into the device. In this API, the ``block_size`` bytes
+input data (in ``block`` argument) is read into a ``1024 bytes`` local
+buffer via the ``psa_read()`` API. If the input argument ``block_size``
+is greater than ``1024``, then the memory space starting from the address
+of the local buffer with ``block_size`` bytes would be overwritten by the input
+data in ``block`` argument.
+
+Impact
+------
+
+In IPC model, the caller of ``psa_fwu_write()`` from SPE or NSPE can overwrite
+the memory space in RAM. The overwritten memory space ranges from the address
+of the local buffer which locates at the stack of Firmware Update partition to
+the end of the RAM. The overwritten memory may include the data of SPM and
+device drivers, as well as part of the stack of Firmware Update partition.
+
+Mitigation
+----------
+
+Add check against the input buffer length in the ``tfm_fwu_write_ipc()`` API
+before reading the input data into the local buffer. See commit `78f7530`_.
+
+.. _3e7129f: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=3e7129f
+.. _921d0ea: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=921d0ea
+.. _78f7530: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=78f7530
+
+---------------------
+
+*Copyright (c) 2022, Arm Limited. All rights reserved.*
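Review bot: the Impact section contradicts the Background on how far the overflow reaches. Background says the write covers `block_size` bytes from the start of the local buffer ("the memory space starting from the address of the local buffer with ``block_size`` bytes would be overwritten"), i.e. a length chosen by the caller, whereas Impact says the overwritten range extends "to the end of the RAM". State it once: an attacker-chosen `block_size` bytes starting at the 1024-byte stack buffer, which therefore covers the Firmware Update partition's own stack frame above the buffer and, for a large enough length, memory beyond it. Two further points on the same file: the `psa_fwu_write()` doc comment already says "The size must not be greater than PSA_FWU_MAX_BLOCK_SIZE", so the Background should say explicitly that `tfm_fwu_write_ipc()` trusted this caller-side contract (which cannot be relied on for an NSPE caller) and whether the 1024-byte buffer corresponds to PSA_FWU_MAX_BLOCK_SIZE; and the Mitigation should name the check rather than "Add check against the input buffer length", e.g. reject a `block_size` larger than the local buffer and return an error before the `psa_read()` call. Finally, the `Versions Affected` and `Fix Version` links use 7-character abbreviated commit IDs (`?id=3e7129f`); full-length hashes would keep the cgit links stable against future prefix collisions.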
diff --git a/docs/security/security_advisories/index.rst b/docs/security/security_advisories/index.rst
index 65759ab..fe8118a 100644
--- a/docs/security/security_advisories/index.rst
+++ b/docs/security/security_advisories/index.rst
@@ -9,7 +9,8 @@
svc_caller_sp_fetching_vulnerability
crypto_multi_part_ops_abort_fail
profile_small_key_id_encoding_vulnerability
+ fwu_write_vulnerability
--------------
-*Copyright (c) 2020, Arm Limited. All rights reserved.*
+*Copyright (c) 2020-2022, Arm Limited. All rights reserved.*