CVE-2024-6563: About  Renesas arm-trusted-firmware (9 Jul 2024)

Preface: Trusted Firmware-M (TF-M) defines several common profiles, such as Profile Small, Profile Medium, Profile Medium ARoT-less and Profile Large, to provide different levels of security to adapt to different device functions and applications. Use cases on top of firmware.

Background: The capabilities and resources of different IoT devices can vary significantly. Some IoT devices may have very limited memory resources. Programs on these devices should maintain a small memory footprint and basic functionality.

Trusted Firmware-M (TF-M) defines several general profiles, such as Profile Small, Profile Medium, Profile Medium ARoT-less and Profile Large, to provide different levels of security to fit diverse device capabilities and use cases applied on the top of the base configuration.

Ref: Trusted Firmware-M (TF-M) is an open source collaboration which implements the Platform Security Architecture (PSA) specification for Arm Cortex®-M MCU groups. This application project introduces how Trusted Firmware-M integrates with Renesas Flexible Software Package (FSP) to support PSA specification implementation on the Renesas RA Family MCU groups.

Vulnerability details: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i… https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar[.]C . In line 313 “addr_loaded_cnt” is checked not to be “CHECK_IMAGE_AREA_CNT” (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of “dst” will be written to the area immediately after the buffer, which is “addr_loaded_cnt”. This will allow an attacker to freely control the value of “addr_loaded_cnt” and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (“len”) they desire.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-6563

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.