optee-os: Fix CVE-2026-33317

Pick patches from [1], [2] and [3] as mentioned in Debian report in [4]. [1] https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9 [2] https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900 [3] https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca [4] https://security-tracker.debian.org/tracker/CVE-2026-33317 Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-05-30 00:21:17 +00:00 · 2026-05-21 11:46:25 +02:00
parent a81c19915b
commit 313a5da55a
4 changed files with 152 additions and 0 deletions
@@ -0,0 +1,51 @@
+From fcacaa1f80c601907299b8f9de8b57cc35cd5a68 Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@st.com>
+Date: Wed, 21 Jan 2026 13:55:33 +0100
+Subject: [PATCH 1/3] ta: pkcs11: check output buffer size on get attribute
+ value
+
+Check client output buffer input size and update its output
+size on PKCS11_CMD_GET_ATTRIBUTE_VALUE command.
+
+CVE: CVE-2026-33317
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9]
+
+Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value")
+Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ ta/pkcs11/src/object.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c
+index c9a95e1b2..ba3be7a71 100644
+--- a/ta/pkcs11/src/object.c
+++ b/ta/pkcs11/src/object.c
+@@ -800,6 +800,15 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
+ 		goto out;
+ 	}
+ 
+	/*
+	 * We will update the template with relevant data, without resizing it.
+	 * Upon completion, it will be copied to client output buffer.
+	 */
+	if (out->memref.size < sizeof(*template) + template->attrs_size) {
+		rc = PKCS11_CKR_ARGUMENTS_BAD;
+		goto out;
+	}
+
+ 	/* Iterate over attributes and set their values */
+ 	/*
+ 	 * 1. If the specified attribute (i.e., the attribute specified by the
+@@ -912,6 +921,7 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
+ 		rc = PKCS11_CKR_BUFFER_TOO_SMALL;
+ 
+ 	/* Move updated template to out buffer */
+	out->memref.size = sizeof(*template) + template->attrs_size;
+ 	TEE_MemMove(out->memref.buffer, template, out->memref.size);
+ 
+ 	DMSG("PKCS11 session %"PRIu32": get attributes %#"PRIx32,
+-- 
+2.43.0
+
@@ -0,0 +1,52 @@
+From 7e57efa90820489f123708f8ae5ee13706e8f4ce Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@st.com>
+Date: Wed, 21 Jan 2026 13:58:09 +0100
+Subject: [PATCH 2/3] ta: pkcs11: check template consistency on get attribute
+ value
+
+Check client template holds consistent attribute area sizes
+value on PKCS11_CMD_GET_ATTRIBUTE_SIZE.
+
+CVE: CVE-2026-33317
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900]
+
+Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value")
+Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ ta/pkcs11/src/object.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c
+index ba3be7a71..470eeb247 100644
+--- a/ta/pkcs11/src/object.c
+++ b/ta/pkcs11/src/object.c
+@@ -840,12 +840,23 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
+ 	for (; cur < end; cur += len) {
+ 		struct pkcs11_attribute_head *cli_ref = (void *)cur;
+ 		struct pkcs11_attribute_head cli_head = { };
+		uintptr_t cli_end = 0;
+ 		void *data_ptr = NULL;
+ 
+		if ((char *)(cli_ref + 1) > end) {
+			rc = PKCS11_CKR_ARGUMENTS_BAD;
+			goto out;
+		}
+
+ 		/* Make copy of header so that is aligned properly. */
+ 		TEE_MemMove(&cli_head, cli_ref, sizeof(cli_head));
+ 
+-		len = sizeof(*cli_ref) + cli_head.size;
+		if (ADD_OVERFLOW(sizeof(*cli_ref), cli_head.size, &len) ||
+		    ADD_OVERFLOW((uintptr_t)cur, len, &cli_end) ||
+		    (char *)cli_end > end) {
+			rc = PKCS11_CKR_ARGUMENTS_BAD;
+			goto out;
+		}
+ 
+ 		/* Treat hidden attributes as missing attributes */
+ 		if (attribute_is_hidden(&cli_head)) {
+-- 
+2.43.0
+
@@ -0,0 +1,46 @@
+From 75c1a999d6b51520234276b207ceefbd5e18ed02 Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@st.com>
+Date: Wed, 21 Jan 2026 14:03:26 +0100
+Subject: [PATCH 3/3] ta: pkcs11: fix attribute output size if too small on get
+ attribute value
+
+Correct the size field output value for attributes fetched with
+PKCS11_CMD_GET_ATTRIBUTE_VALUE where a too short buffer was provided.
+As per the PKCS#11 specification, in such case, the related attributes
+size field should be filled with CK_UNAVAILABLE_INFORMATION and the
+function to return an non-true-error code like CKR_BUFFER_TOO_SMALL.
+The implementation complied for the return value but was loading the
+required attribute data value size instead in CK_UNAVAILABLE_INFORMATION
+in the attribute size field.
+
+CVE: CVE-2026-33317
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca]
+
+Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value")
+Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ ta/pkcs11/src/object.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c
+index 470eeb247..ed2ce2a95 100644
+--- a/ta/pkcs11/src/object.c
+++ b/ta/pkcs11/src/object.c
+@@ -900,8 +900,11 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
+ 			attr_type_invalid = 1;
+ 			break;
+ 		case PKCS11_CKR_BUFFER_TOO_SMALL:
+-			if (data_ptr)
+			if (data_ptr) {
+				cli_head.size =
+					PKCS11_CK_UNAVAILABLE_INFORMATION;
+ 				buffer_too_small = 1;
+			}
+ 			break;
+ 		default:
+ 			rc = PKCS11_CKR_GENERAL_ERROR;
+-- 
+2.43.0
+
@@ -7,4 +7,7 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 SRCREV = "18b424c23aa5a798dfe2e4d20b4bde3919dc4e99"
 SRC_URI += " \
    file://0003-optee-enable-clang-support.patch \
+    file://CVE-2026-33317-1.patch \
+    file://CVE-2026-33317-2.patch \
+    file://CVE-2026-33317-3.patch \
   "