Advisory TFMV-9
Title |
FWU does not check the length of the TLV’s payload |
|---|---|
CVE ID |
|
Public Disclosure Date |
Jul 21, 2025 |
Versions Affected |
|
Configurations |
Any with Firmware Update (FWU) partition enabled |
Impact |
A Type-Length-Value (TLV) payload can be larger than the image dependency resulting in out-of-bounds write |
Fix Version |
|
Credits |
Bartek Piekarski Distinguished Engineer, Product Security, Arm Ltd. |
Background
In Firmware Update partition, the fwu_bootloader_install_image() function
checks the authenticity and integrity of the image candidates.
For each image candidate, its dependencies are loaded and when criteria are met,
the candidate image is staged.
During the dependencies check, the length of the image dependency fetched from
the TLV is not verified, and this could lead to overflow in read and write from
memory in subsequent steps.
Impact
An incorrect and unchecked TLV data can result in accessing the reading and writing memory for the candidate images that goes beyond the bounds, possibly causing in a redirection of program execution.
Mitigation
Add a length check in the fwu_bootloader_install_image() immediately after
the next TLV is found by bootutil_tlv_iter_next(), during the dependencies
fetch.
See commit 6d074b68d3eb3e34038c1b074a68d92a8fea3f82.
SPDX-License-Identifier: BSD-3-Clause
SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors