Researchers from the University of Erlangen-Nuremberg in a paper titled “EL3XIR: Fuzzing COTS Secure Monitors” discovered a potential vulnerability in the AMD Zynq UltraScale+ MPSoC/RFSoC that use ARM® Trusted Firmware (“TF-A”).
The paper describes where the pm_api_get_name function in TF-A lacks input parameter validation for clock_id. The clock_id value is utilized to determine the array index for accessing clock names in the ext_clocks array.
The researchers discuss how this lack of input parameter validation could allow an adversary to supply a tampered clock_id when invoking the pm_api_get_name function within TF-A. Such an action could lead to the clock_id extending beyond the defined bounds of the ext_clocks array, potentially allowing the attacker to access data beyond what is intended. Consequently, this vulnerability could expose TF-A RAM data, resulting in data leakage and in some cases, denial of service.