Summary

000035569 - Design Advisory for Zynq UltraScale+ MPSoC/RFSoC: Possible Buffer Overflow in Trusted Firmware for ARM Cortex A Processors (TF-A)

Release Date
2024-08-13
Revision
1.0 English

In a paper titled “EL3XIR: Fuzzing COTS Secure Monitors”, researchers from the University of Erlangen-Nuremberg discovered a potential vulnerability in AMD Zynq UltraScale+ MPSoC/RFSoC devices that use ARM® Trusted Firmware (“TF-A”).

The paper describes how the pm_api_get_name function in TF-A lacks input parameter validation for clock_id. The clock_id value is used to determine the array index for accessing clock names in the ext_clocks array.

The researchers discuss how this lack of input parameter validation could allow an adversary to supply a tampered clock_id when invoking the pm_api_get_name function within TF-A. Such a clock_id could fall outside the defined bounds of the ext_clocks array, potentially allowing the attacker to access data beyond what is intended. Consequently, this vulnerability could expose TF-A RAM data, resulting in data leakage and, in some cases, denial of service.

https://github.com/Xilinx/arm-trusted-firmware/blob/xilinx-v2023.1/plat/xilinx/zynqmp/pm_service/pm_api_clock.c#L2447
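The indexing pattern described above, shown next to a bounds-checked form. This is an added example, not code from TF-A or from the advisory. The table size, clock names, adjacent data and all function names are constructed for illustration, and the "RAM" is a small struct so the out-of-range read stays well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLK_NAME_LEN  16u
#define EXT_CLK_COUNT 4u /* constructed size, not the real table's */
struct ext_clock { char name[CLK_NAME_LEN]; };

/* Constructed model of firmware RAM: the name table, then unrelated data. */
static struct {
    struct ext_clock ext_clocks[EXT_CLK_COUNT];
    char adjacent[CLK_NAME_LEN];
} ram = { { {"sample_clk_0"}, {"sample_clk_1"}, {"sample_clk_2"}, {"sample_clk_3"} },
          "ADJACENT-DATA" };

/* Pattern from the advisory: clock_id becomes an index with no range check.
 * The read is addressed through the enclosing object so the demo stays defined. */
static void get_name_unchecked(uint32_t clock_id, char *name) {
    const unsigned char *base = (const unsigned char *)&ram;
    memcpy(name, base + (size_t)clock_id * sizeof(struct ext_clock), CLK_NAME_LEN);
}

/* Hardened form: zero the output, then reject any clock_id outside the table. */
static int get_name_checked(uint32_t clock_id, char *name) {
    memset(name, 0, CLK_NAME_LEN);
    if (clock_id >= EXT_CLK_COUNT)
        return -1;
    memcpy(name, ram.ext_clocks[clock_id].name, CLK_NAME_LEN);
    return 0;
}

/* 1 if an index one past the table hands back the adjacent bytes. */
int unchecked_leaks_adjacent(void) {
    char out[CLK_NAME_LEN];
    get_name_unchecked(EXT_CLK_COUNT, out);
    return memcmp(out, ram.adjacent, CLK_NAME_LEN) == 0;
}

/* Status of the checked lookup: 0 for a valid clock_id, -1 when rejected. */
int checked_status(uint32_t clock_id) {
    char out[CLK_NAME_LEN];
    return get_name_checked(clock_id, out);
}

int main(void) {
    printf("unchecked leaks adjacent: %d\n", unchecked_leaks_adjacent());
    printf("checked(4): %d, checked(3): %d\n",
           checked_status(EXT_CLK_COUNT), checked_status(EXT_CLK_COUNT - 1));
    return 0;
}
```

The check compares against the table's element count before any address is formed, so a large unsigned clock_id is rejected as well as one just past the end.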