CRYP_GCMCCM_SetHeaderPhase out bounds read in mask array #35

fre-ros · 2024-10-18T13:32:29Z

There is an out of bounds read in CRYP_GCMCCM_SetHeaderPhase if any datatype other than CRYP_DATATYPE_32B is used.

https://github.com/STMicroelectronics/stm32f4xx_hal_driver/blob/064b123f8fc187d468bb762cc150d198f873478d/Src/stm32f4xx_hal_cryp.c#L5732

The array mask is defined as

https://github.com/STMicroelectronics/stm32f4xx_hal_driver/blob/064b123f8fc187d468bb762cc150d198f873478d/Src/stm32f4xx_hal_cryp.c#L5622-L5629

And the definition for the DataType field is:

https://github.com/STMicroelectronics/stm32f4xx_hal_driver/blob/064b123f8fc187d468bb762cc150d198f873478d/Inc/stm32f4xx_hal_cryp.h#L49-L52

And the valid values for DataType:

https://github.com/STMicroelectronics/stm32f4xx_hal_driver/blob/064b123f8fc187d468bb762cc150d198f873478d/Inc/stm32f4xx_hal_cryp.h#L271-L288

The code that causes the out of bounds read is only present if CRYP is defined so the defines that matter are:
https://github.com/STMicroelectronics/stm32f4xx_hal_driver/blob/064b123f8fc187d468bb762cc150d198f873478d/Inc/stm32f4xx_hal_cryp.h#L275-L278

And finally the actual values from the lastet CMSIS


#define CRYP_CR_DATATYPE_Pos             (6U)
#define CRYP_CR_DATATYPE_Msk             (0x3UL << CRYP_CR_DATATYPE_Pos)        /*!< 0x000000C0 */
#define CRYP_CR_DATATYPE                 CRYP_CR_DATATYPE_Msk
#define CRYP_CR_DATATYPE_0               (0x1UL << CRYP_CR_DATATYPE_Pos)        /*!< 0x00000040 */
#define CRYP_CR_DATATYPE_1               (0x2UL << CRYP_CR_DATATYPE_Pos)        /*!< 0x00000080 */

So hcryp->Init.DataType will either be:
0 (CRYP_DATATYPE_32B)
64 (CRYP_DATATYPE_16B)
128 (CRYP_DATATYPE_8B)
192 (CRYP_DATATYPE_1B)

So all values except CRYP_DATATYPE_32B will cause a read out of bounds in the mask array.

The text was updated successfully, but these errors were encountered:

ALABSTM · 2024-11-26T08:43:57Z

ST Internal Reference: 196581

ALABSTM · 2024-11-26T08:45:46Z

Hi @fre-ros,

Thank you for the heads-up. A ticket has been logged internally. I will let you know once the fix is available.

With regards,

fre-ros · 2024-11-28T15:04:50Z

Hi @fre-ros,

Thank you for the heads-up. A ticket has been logged internally. I will let you know once the fix is available.

With regards,

Thank you :)

fre-ros changed the title ~~CRYP_GCMCCM_SetHeaderPhase out bounds write in mask array~~ CRYP_GCMCCM_SetHeaderPhase out bounds read in mask array Oct 18, 2024

ALABSTM self-assigned this Oct 21, 2024

ALABSTM added hal HAL-LL driver-related issue or pull-request. cryp Cryptographic processor labels Oct 21, 2024

ALABSTM added this to stm32cube-mcu-hal-dashboard Oct 21, 2024

github-project-automation bot moved this to To do in stm32cube-mcu-hal-dashboard Oct 21, 2024

ALABSTM moved this from To do to Analyzed in stm32cube-mcu-hal-dashboard Oct 22, 2024

ALABSTM added the bug Something isn't working label Nov 8, 2024

ALABSTM added internal bug tracker Issue confirmed and logged into the internal bug tracking system aes Advanced Encryption Standard cryptographic core labels Nov 26, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CRYP_GCMCCM_SetHeaderPhase out bounds read in mask array #35

CRYP_GCMCCM_SetHeaderPhase out bounds read in mask array #35

fre-ros commented Oct 18, 2024 •

edited

Loading

ALABSTM commented Nov 26, 2024

ALABSTM commented Nov 26, 2024

fre-ros commented Nov 28, 2024

CRYP_GCMCCM_SetHeaderPhase out bounds read in mask array #35

CRYP_GCMCCM_SetHeaderPhase out bounds read in mask array #35

Comments

fre-ros commented Oct 18, 2024 • edited Loading

ALABSTM commented Nov 26, 2024

ALABSTM commented Nov 26, 2024

fre-ros commented Nov 28, 2024

fre-ros commented Oct 18, 2024 •

edited

Loading