From c4fd56386ee30f8b46f8e4eb1220edaf510d2ac0 Mon Sep 17 00:00:00 2001
From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Date: Thu, 21 May 2026 11:46:26 +0200
Subject: [PATCH] optee-os: Fix CVE-2026-33662

Pick patch from [1] as mentioned in OP-TEE os security report in [2].

[1] https://github.com/OP-TEE/optee_os/commit/caeaa2ae551666068894005387cca4113b10873f
[2] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4cf8-v5g3-73gr

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
---
 .../optee/optee-os/CVE-2026-33662.patch       | 40 +++++++++++++++++++
 .../recipes-security/optee/optee-os_4.1.0.bb  |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta-arm/recipes-security/optee/optee-os/CVE-2026-33662.patch

diff --git a/meta-arm/recipes-security/optee/optee-os/CVE-2026-33662.patch b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33662.patch
new file mode 100644
index 00000000..4a427de6
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33662.patch
@@ -0,0 +1,40 @@
+From 2fdf0aa10bd23c0e4633efa087a27ff07f79015f Mon Sep 17 00:00:00 2001
+From: Jens Wiklander <jens.wiklander@linaro.org>
+Date: Thu, 22 Jan 2026 14:19:36 +0100
+Subject: [PATCH] core: crypto_api: fix underflow in emsa_pkcs1_v1_5_encode()
+
+Guard against an integer underflow in emsa_pkcs1_v1_5_encode() that can
+occur when calculating the padding field in the EMA-PKCS1-v1_5 encoding.
+
+CVE: CVE-2026-33662
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/caeaa2ae551666068894005387cca4113b10873f]
+
+Fixes: f5a70e3efb80 ("drivers: crypto: generic resources for crypto device driver - RSA")
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ core/drivers/crypto/crypto_api/acipher/rsassa.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/core/drivers/crypto/crypto_api/acipher/rsassa.c b/core/drivers/crypto/crypto_api/acipher/rsassa.c
+index 0f71b84cc..01f8d7dc9 100644
+--- a/core/drivers/crypto/crypto_api/acipher/rsassa.c
++++ b/core/drivers/crypto/crypto_api/acipher/rsassa.c
+@@ -45,9 +45,10 @@ static TEE_Result emsa_pkcs1_v1_5_encode(struct drvcrypt_rsa_ssa *ssa_data,
+ 	 * Calculate the PS size
+ 	 *  EM Size (modulus size) - 3 bytes - DigestInfo DER format size
+ 	 */
+-	ps_size = ssa_data->key.n_size - 3;
+-	ps_size -= ssa_data->digest_size;
+-	ps_size -= 10 + hash_oid->asn1_length;
++	if (SUB_OVERFLOW(ssa_data->key.n_size, 3, &ps_size) ||
++	    SUB_OVERFLOW(ps_size, ssa_data->digest_size, &ps_size) ||
++	    SUB_OVERFLOW(ps_size, 10 + hash_oid->asn1_length, &ps_size))
++		return TEE_ERROR_BAD_PARAMETERS;
+ 
+ 	CRYPTO_TRACE("PS size = %zu (n %zu)", ps_size, ssa_data->key.n_size);
+ 
+-- 
+2.43.0
+
diff --git a/meta-arm/recipes-security/optee/optee-os_4.1.0.bb b/meta-arm/recipes-security/optee/optee-os_4.1.0.bb
index 1846baf0..7d948959 100644
--- a/meta-arm/recipes-security/optee/optee-os_4.1.0.bb
+++ b/meta-arm/recipes-security/optee/optee-os_4.1.0.bb
@@ -10,4 +10,5 @@ SRC_URI += " \
     file://CVE-2026-33317-1.patch \
     file://CVE-2026-33317-2.patch \
     file://CVE-2026-33317-3.patch \
+    file://CVE-2026-33662.patch \
    "