OP-TEE RSA Padding Underflow Vulnerability in EMA-PKCS1-v1_5 Encoding

A vulnerability exists in OP-TEE versions 3.8.0 prior to 4.10 within the RSA signature scheme padding process. The issue arises in the 'emsa_pkcs1_v1_5_encode()' function, where the required padding size is calculated by subtracting the digest size and other fields from the key modulus size. This calculation can be manipulated to overflow by using a small modulus, leading to an integer underflow. The resulting underflowed value causes a heap buffer overflow with 0xFF bytes, overwriting memory until OP-TEE crashes. This vulnerability affects platforms with registered RSA acceleration, such as those using CAAM, certain Hisilicon and Versal configurations, and NXP SE050 under specific conditions.

Impact

Exploitation of this vulnerability causes a heap buffer overflow, leading to a crash of the OP-TEE environment.

Remediation

Users can upgrade to OP-TEE version 4.11 or later to address this vulnerability. Alternatively, disabling RSA acceleration will prevent the issue, but this may not be suitable for all users.