From patchwork Thu May 21 09:46:25 2026
X-Patchwork-Submitter: Hugo Simeliere
X-Patchwork-Id: 88562
From: hsimeliere.opensource@witekio.com
To: meta-arm@lists.yoctoproject.org
Cc: "Hugo SIMELIERE (Schneider Electric)", Bruno VERNAY
Subject: [meta-arm][scarthgap][PATCH 1/2] optee-os: Fix CVE-2026-33317
Date: Thu, 21 May 2026 11:46:25 +0200
Message-ID: <20260521094626.3365952-1-hsimeliere.opensource@witekio.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7058
From: "Hugo SIMELIERE (Schneider Electric)"

Pick patches from [1], [2] and [3] as mentioned in the Debian report in [4].

[1] https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9
[2] https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900
[3] https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca
[4] https://security-tracker.debian.org/tracker/CVE-2026-33317

Signed-off-by: Hugo SIMELIERE (Schneider Electric)
Reviewed-by: Bruno VERNAY
---
 .../optee/optee-os/CVE-2026-33317-1.patch     | 51 ++++++++++++++++++
 .../optee/optee-os/CVE-2026-33317-2.patch     | 52 +++++++++++++++++++
 .../optee/optee-os/CVE-2026-33317-3.patch     | 46 ++++++++++++++++
 .../recipes-security/optee/optee-os_4.1.0.bb  |  3 ++
 4 files changed, 152 insertions(+)
 create mode 100644 meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-1.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-2.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-3.patch

diff --git a/meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-1.patch b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-1.patch
new file mode 100644
index 00000000..2e693209
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-1.patch
@@ -0,0 +1,51 @@ +From fcacaa1f80c601907299b8f9de8b57cc35cd5a68 Mon Sep 17 00:00:00 2001 +From: Etienne Carriere +Date: Wed, 21 Jan 2026 13:55:33 +0100 +Subject: [PATCH 1/3] ta: pkcs11: check output buffer size on get attribute + value + +Check client output buffer input size and update its output +size on PKCS11_CMD_GET_ATTRIBUTE_VALUE command. + +CVE: CVE-2026-33317 +Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9] + +Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value") +Signed-off-by: Etienne Carriere +Reviewed-by: Jens Wiklander +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + ta/pkcs11/src/object.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c +index c9a95e1b2..ba3be7a71 100644 +--- a/ta/pkcs11/src/object.c ++++ b/ta/pkcs11/src/object.c +@@ -800,6 +800,15 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client, + goto out; + } + ++ /* ++ * We will update the template with relevant data, without resizing it. ++ * Upon completion, it will be copied to client output buffer. ++ */ ++ if (out->memref.size < sizeof(*template) + template->attrs_size) { ++ rc = PKCS11_CKR_ARGUMENTS_BAD; ++ goto out; ++ } ++ + /* Iterate over attributes and set their values */ + /* + * 1. If the specified attribute (i.e., the attribute specified by the +@@ -912,6 +921,7 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client, + rc = PKCS11_CKR_BUFFER_TOO_SMALL; + + /* Move updated template to out buffer */ ++ out->memref.size = sizeof(*template) + template->attrs_size; + TEE_MemMove(out->memref.buffer, template, out->memref.size); + + DMSG("PKCS11 session %"PRIu32": get attributes %#"PRIx32, +-- +2.43.0 + 
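Review bot: the new size check in the first hunk (`if (out->memref.size < sizeof(*template) + template->attrs_size)`) uses a plain addition, whereas the second patch in this series wraps the equivalent header-plus-size computation in ADD_OVERFLOW. If `template->attrs_size` can be influenced by the client, the sum can wrap and the check passes with an undersized buffer; either use ADD_OVERFLOW here as well or add a comment stating why `attrs_size` is already bounded (for instance by the allocation that holds `template`). Returning PKCS11_CKR_ARGUMENTS_BAD rather than PKCS11_CKR_BUFFER_TOO_SMALL for an undersized output buffer is a deliberate choice that deserves a sentence in the commit message, since callers hitting it will not get the usual too-small signal.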
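Review bot: in the second hunk `out->memref.size` is assigned `sizeof(*template) + template->attrs_size` immediately before `TEE_MemMove(out->memref.buffer, template, out->memref.size)`, so the copy length now follows the template rather than the client's declared buffer size; together with the earlier rejection of smaller buffers this can only shrink the copy, never overrun it. The assignment also sits after the `rc = PKCS11_CKR_BUFFER_TOO_SMALL` context line, so the updated template is still returned on the too-small path; that is the behaviour C_GetAttributeValue expects, but a short comment at the assignment would save the next backporter from wondering whether a size update on an error path is intentional.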
diff --git a/meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-2.patch b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-2.patch
new file mode 100644
index 00000000..f77ca4bc
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-2.patch
@@ -0,0 +1,52 @@ +From 7e57efa90820489f123708f8ae5ee13706e8f4ce Mon Sep 17 00:00:00 2001 +From: Etienne Carriere +Date: Wed, 21 Jan 2026 13:58:09 +0100 +Subject: [PATCH 2/3] ta: pkcs11: check template consistency on get attribute + value + +Check client template holds consistent attribute area sizes +value on PKCS11_CMD_GET_ATTRIBUTE_SIZE. + +CVE: CVE-2026-33317 +Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900] + +Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value") +Signed-off-by: Etienne Carriere +Reviewed-by: Jens Wiklander +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + ta/pkcs11/src/object.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c +index ba3be7a71..470eeb247 100644 +--- a/ta/pkcs11/src/object.c ++++ b/ta/pkcs11/src/object.c +@@ -840,12 +840,23 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client, + for (; cur < end; cur += len) { + struct pkcs11_attribute_head *cli_ref = (void *)cur; + struct pkcs11_attribute_head cli_head = { }; ++ uintptr_t cli_end = 0; + void *data_ptr = NULL; + ++ if ((char *)(cli_ref + 1) > end) { ++ rc = PKCS11_CKR_ARGUMENTS_BAD; ++ goto out; ++ } ++ + /* Make copy of header so that is aligned properly. */ + TEE_MemMove(&cli_head, cli_ref, sizeof(cli_head)); + +- len = sizeof(*cli_ref) + cli_head.size; ++ if (ADD_OVERFLOW(sizeof(*cli_ref), cli_head.size, &len) || ++ ADD_OVERFLOW((uintptr_t)cur, len, &cli_end) || ++ (char *)cli_end > end) { ++ rc = PKCS11_CKR_ARGUMENTS_BAD; ++ goto out; ++ } + + /* Treat hidden attributes as missing attributes */ + if (attribute_is_hidden(&cli_head)) { +-- +2.43.0 + diff --git a/meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-3.patch b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-3.patch new file mode 100644 index 00000000..2481a81c --- /dev/null 
+++ b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33317-3.patch @@ -0,0 +1,46 @@ +From 75c1a999d6b51520234276b207ceefbd5e18ed02 Mon Sep 17 00:00:00 2001 +From: Etienne Carriere +Date: Wed, 21 Jan 2026 14:03:26 +0100 +Subject: [PATCH 3/3] ta: pkcs11: fix attribute output size if too small on get + attribute value + +Correct the size field output value for attributes fetched with +PKCS11_CMD_GET_ATTRIBUTE_VALUE where a too short buffer was provided. +As per the PKCS#11 specification, in such case, the related attributes +size field should be filled with CK_UNAVAILABLE_INFORMATION and the +function to return an non-true-error code like CKR_BUFFER_TOO_SMALL. +The implementation complied for the return value but was loading the +required attribute data value size instead in CK_UNAVAILABLE_INFORMATION +in the attribute size field. + +CVE: CVE-2026-33317 +Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca] + +Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value") +Signed-off-by: Etienne Carriere +Reviewed-by: Jens Wiklander +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + ta/pkcs11/src/object.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c +index 470eeb247..ed2ce2a95 100644 +--- a/ta/pkcs11/src/object.c ++++ b/ta/pkcs11/src/object.c +@@ -900,8 +900,11 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client, + attr_type_invalid = 1; + break; + case PKCS11_CKR_BUFFER_TOO_SMALL: +- if (data_ptr) ++ if (data_ptr) { ++ cli_head.size = ++ PKCS11_CK_UNAVAILABLE_INFORMATION; + buffer_too_small = 1; ++ } + break; + default: + rc = PKCS11_CKR_GENERAL_ERROR; +-- +2.43.0 + diff --git a/meta-arm/recipes-security/optee/optee-os_4.1.0.bb b/meta-arm/recipes-security/optee/optee-os_4.1.0.bb index bfb61eb2..1846baf0 100644 --- a/meta-arm/recipes-security/optee/optee-os_4.1.0.bb 
+++ b/meta-arm/recipes-security/optee/optee-os_4.1.0.bb 
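Review bot: in CVE-2026-33317-2.patch the commit body says the consistency check is for PKCS11_CMD_GET_ATTRIBUTE_SIZE, but the subject line and the hunk (entry_get_attribute_value) are about PKCS11_CMD_GET_ATTRIBUTE_VALUE; correct the body so the backport record matches the code it carries. The hunk itself is sound: `(char *)(cli_ref + 1) > end` rejects a truncated header before `TEE_MemMove(&cli_head, cli_ref, sizeof(cli_head))` reads it, and the ADD_OVERFLOW pair then bounds `cur + len` against `end`, which covers both a wrapped `sizeof(*cli_ref) + cli_head.size` and an attribute value that runs past the template. The `for (; cur < end; cur += len)` stride still relies on `len` being at least `sizeof(*cli_ref)`, which holds because the overflow-checked assignment is the only path that reaches the rest of the loop body; a one-line comment there would make that explicit.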
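Review bot: in CVE-2026-33317-3.patch, `cli_head.size = PKCS11_CK_UNAVAILABLE_INFORMATION` updates the local aligned copy of the header, not the client template; the fix is only observable if the loop later writes `cli_head` back into the client buffer, which is outside this hunk, so please confirm that write-back exists in the 4.1.0 source before merging, since the commit message's claim that the size field is reported as CK_UNAVAILABLE_INFORMATION depends on it. The ordering is otherwise right: `len` was computed from `cli_head.size` earlier in the loop (see the previous patch), so overwriting the size here does not change the stride to the next attribute.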
@@ -7,4 +7,7 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRCREV = "18b424c23aa5a798dfe2e4d20b4bde3919dc4e99" SRC_URI += " \ file://0003-optee-enable-clang-support.patch \ + file://CVE-2026-33317-1.patch \ + file://CVE-2026-33317-2.patch \ + file://CVE-2026-33317-3.patch \ "

From patchwork Thu May 21 09:46:26 2026
X-Patchwork-Submitter: Hugo Simeliere
X-Patchwork-Id: 88563
From: hsimeliere.opensource@witekio.com
To: meta-arm@lists.yoctoproject.org
Cc: "Hugo SIMELIERE (Schneider Electric)", Bruno VERNAY
Subject: [meta-arm][scarthgap][PATCH 2/2] optee-os: Fix CVE-2026-33662
Date: Thu, 21 May 2026 11:46:26 +0200
Message-ID: <20260521094626.3365952-2-hsimeliere.opensource@witekio.com>
In-Reply-To: <20260521094626.3365952-1-hsimeliere.opensource@witekio.com>
References: <20260521094626.3365952-1-hsimeliere.opensource@witekio.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7059

From: "Hugo SIMELIERE (Schneider Electric)"

Pick patch from [1] as mentioned in the OP-TEE OS security report in [2].

[1] https://github.com/OP-TEE/optee_os/commit/caeaa2ae551666068894005387cca4113b10873f
[2] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4cf8-v5g3-73gr

Signed-off-by: Hugo SIMELIERE (Schneider Electric)
Reviewed-by: Bruno VERNAY
---
 .../optee/optee-os/CVE-2026-33662.patch       | 40 +++++++++++++++++++
 .../recipes-security/optee/optee-os_4.1.0.bb  |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta-arm/recipes-security/optee/optee-os/CVE-2026-33662.patch

diff --git a/meta-arm/recipes-security/optee/optee-os/CVE-2026-33662.patch b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33662.patch
new file mode 100644
index 00000000..4a427de6
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os/CVE-2026-33662.patch
@@ -0,0 +1,40 @@ +From 2fdf0aa10bd23c0e4633efa087a27ff07f79015f Mon Sep 17 00:00:00 2001 +From: Jens Wiklander +Date: Thu, 22 Jan 2026 14:19:36 +0100 +Subject: [PATCH] core: crypto_api: fix underflow in emsa_pkcs1_v1_5_encode() + +Guard against an integer underflow in emsa_pkcs1_v1_5_encode() that can +occur when calculating the padding field in the EMA-PKCS1-v1_5 encoding. + +CVE: CVE-2026-33662 +Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/caeaa2ae551666068894005387cca4113b10873f] + +Fixes: f5a70e3efb80 ("drivers: crypto: generic resources for crypto device driver - RSA") +Signed-off-by: Jens Wiklander +Reviewed-by: Jerome Forissier +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + core/drivers/crypto/crypto_api/acipher/rsassa.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/core/drivers/crypto/crypto_api/acipher/rsassa.c b/core/drivers/crypto/crypto_api/acipher/rsassa.c +index 0f71b84cc..01f8d7dc9 100644 +--- a/core/drivers/crypto/crypto_api/acipher/rsassa.c ++++ b/core/drivers/crypto/crypto_api/acipher/rsassa.c +@@ -45,9 +45,10 @@ static TEE_Result emsa_pkcs1_v1_5_encode(struct drvcrypt_rsa_ssa *ssa_data, + * Calculate the PS size + * EM Size (modulus size) - 3 bytes - DigestInfo DER format size + */ +- ps_size = ssa_data->key.n_size - 3; +- ps_size -= ssa_data->digest_size; +- ps_size -= 10 + hash_oid->asn1_length; ++ if (SUB_OVERFLOW(ssa_data->key.n_size, 3, &ps_size) || ++ SUB_OVERFLOW(ps_size, ssa_data->digest_size, &ps_size) || ++ SUB_OVERFLOW(ps_size, 10 + hash_oid->asn1_length, &ps_size)) ++ return TEE_ERROR_BAD_PARAMETERS; + + CRYPTO_TRACE("PS size = %zu (n %zu)", ps_size, ssa_data->key.n_size); + +-- +2.43.0 + diff --git a/meta-arm/recipes-security/optee/optee-os_4.1.0.bb b/meta-arm/recipes-security/optee/optee-os_4.1.0.bb index 1846baf0..7d948959 100644 --- a/meta-arm/recipes-security/optee/optee-os_4.1.0.bb +++ b/meta-arm/recipes-security/optee/optee-os_4.1.0.bb 
@@ -10,4 +10,5 @@ SRC_URI += " \ file://CVE-2026-33317-1.patch \ file://CVE-2026-33317-2.patch \ file://CVE-2026-33317-3.patch \ + file://CVE-2026-33662.patch \ "
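Review bot: in CVE-2026-33662.patch the SUB_OVERFLOW chain correctly rejects an `n_size` too small to hold the 3 fixed bytes, the digest and the `10 + hash_oid->asn1_length` DigestInfo overhead, but it still accepts any `ps_size` that does not underflow, including 0. EMSA-PKCS1-v1_5 (RFC 8017, section 9.2) requires the padding string PS to be at least 8 octets of 0xff and treats a shorter one as "intended encoded message length too short"; unless emsa_pkcs1_v1_5_encode() enforces that minimum after the trace line, add `|| ps_size < 8` to the rejected cases so an undersized key returns TEE_ERROR_BAD_PARAMETERS instead of producing a malformed encoding. Minor: the commit message writes "EMA-PKCS1-v1_5"; the encoding is EMSA-PKCS1-v1_5.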