## https://sploitus.com/exploit?id=1FD51FBC-55E5-5759-8474-D26B2C76ECF6
# CVE-2026-33317 OP-TEE PKCS#11 PoC
This repository contains the Normal World proof of concept, reproduction notes,
and captured logs for CVE-2026-33317 / GHSA-8cqw-mg7v-c9p9.
The official OP-TEE advisory describes missing validation in
`entry_get_attribute_value()` for `PKCS11_CMD_GET_ATTRIBUTE_VALUE`. The bug can
cause out-of-bounds reads from the PKCS#11 TA heap and, with a malformed
attribute template, writes beyond the temporary template buffer. This PoC
targets the out-of-bounds write case and demonstrates Secure World heap
corruption in the PKCS#11 TA.
- Advisory: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9
- CVE: `CVE-2026-33317`
- Affected package: OP-TEE PKCS#11 TA
- Affected versions in advisory: `>= 3.13.0`
- Patched versions in advisory: `4.11` and later
- CVSS v3.1 in advisory: `8.7` High
- Weaknesses in advisory: `CWE-125`, `CWE-787`
Use this only in a local lab or another environment where you are authorized to
test OP-TEE.
## What Is In This Folder
The local working copy this README was prepared from was a flattened OP-TEE
QEMUv8 workspace. The `.repo` directory and all `.git` metadata files/directories
were removed, so that local archive is no longer usable with `repo sync` or
normal git history commands.
The GitHub repository intentionally excludes the bulky OP-TEE/QEMU source trees,
toolchains, and build outputs. Recreate those from `qemu-v8-setup.md`, or copy
the PoC files into an existing OP-TEE `qemu_v8` build root, before running the
automated QEMU reproduction from a fresh clone.
Important top-level files:
| Path | Purpose |
| --- | --- |
| `c01_poc.c` | AArch64 Normal World PoC using raw `libteec` calls |
| `build_poc.sh` | Cross-compiles `c01_poc.c` into `out/bin/c01_poc` |
| `run_c01.sh` | Boots QEMUv8 and runs the PoC through `expect` |
| `c01_check.exp` | Automates guest login, virtio-9p mount, and PoC execution |
| `out/bin/c01_nw.log` | Captured Normal World reproduction log |
| `out/bin/c01_sw.log` | Captured Secure World log with the PKCS#11 TA panic |
| `reproduction-log.md` | Full QEMUv8 reproduction notes |
| `qemu-v8-setup.md` | OP-TEE QEMUv8 setup and baseline validation notes |
| `C-01-reproduction.md` | Earlier ASAN harness notes; not the main runnable PoC in this folder |
The prepared local archive also had source/build directories such as `optee_os`,
`optee_client`, `qemu`, `linux`, `trusted-firmware-a`, `u-boot`, `buildroot`,
`out-br`, and `toolchains`; these are ignored for publication.
## Vulnerability Summary
In the vulnerable `optee_os` tree, `ta/pkcs11/src/object.c` iterates over a
client-supplied serialized attribute template:
```c
cur = (char *)template + sizeof(struct pkcs11_object_head);
end = cur + template->attrs_size;
...
data_ptr = cli_head.size ? cli_ref->data : NULL;
rc = get_attribute(obj->attributes, cli_head.id, data_ptr, &cli_head.size);
```
The loop does not prove that each attribute header and its data area are fully
inside the allocated template. The PoC sends:
- `attrs_size = 8`, exactly one `pkcs11_attribute_head` and no data bytes.
- `attrs_count = 1`.
- `cli_head.id = CKA_LABEL`.
- `cli_head.size = 16`, matching the created object's 16-byte label.
That creates a 16-byte template allocation:
```text
sizeof(pkcs11_object_head) + attrs_size = 8 + 8 = 16
```
`cli_ref->data` then points at `template + 16`, exactly one byte past the end of
the allocation. `get_attribute()` in `ta/pkcs11/src/attributes.c` sees that the
caller-provided size is large enough and copies the 16-byte label to that
out-of-bounds pointer, corrupting the PKCS#11 TA heap.
## Quick Start
Prerequisites used by the prepared QEMUv8 workspace:
- Linux x86-64 host
- `expect`
- An OP-TEE `qemu_v8` workspace with build outputs, toolchains, and QEMU binary
laid out like the local archive described in `qemu-v8-setup.md`
Build the PoC:
```bash
./build_poc.sh
```
Expected build result:
```text
Built: /home/bea1e/CVE-2026-33317/out/bin/c01_poc
```
Run the automated QEMUv8 reproduction:
```bash
./run_c01.sh
```
The wrapper checks for these staged files before booting:
- `out/bin/bl1.bin`
- `out/bin/Image`
- `out/bin/rootfs.cpio.gz`
- `out/bin/c01_poc`
If the build artifacts are missing, recreate/build the OP-TEE workspace first
and then rerun `./build_poc.sh`.
## Expected Result
The Normal World log should show the crafted request:
```text
[+] TEEC session with PKCS#11 TA opened
[+] INIT_TOKEN rc=0x00000000 OK
[+] OPEN_SESSION rc=0x00000000, session_handle=0x00000001
[+] CREATE_OBJECT rc=0x00000000, obj_handle=0x00000001
[+] Object has CKA_LABEL = "AAAAAAAAAAAAAAAA" (16 bytes)
[+] Sending malicious C_GetAttributeValue (attrs_size=8, cli_head.size=16)...
[+] GET_ATTRIBUTE_VALUE[0] rc=0xffffffff
```
The Secure World log should contain the allocator assertion and TA panic:
```text
E/TA: assertion 'BH((char *) b - b->bh.bsize)->prevfree == 0' failed at lib/libutils/isoc/bget.c:1022 in brel()
E/TC:? 0 TA panicked with code 0xffff0000
E/LD: Status of TA fd02c9da-306c-48c7-a49c-bbd827ae86ee
```
Captured logs from a successful run are already present at:
- `out/bin/c01_nw.log`
- `out/bin/c01_sw.log`
## PoC Flow
`c01_poc.c` invokes the PKCS#11 TA UUID
`fd02c9da-306c-48c7-a49c-bbd827ae86ee` through `libteec`:
1. Open a TEEC session with the PKCS#11 TA.
2. Initialize token slot 0.
3. Open an R/W PKCS#11 session.
4. Create an AES session object with `CKA_LABEL = "AAAAAAAAAAAAAAAA"`.
5. Send a malformed `CMD_GET_ATTRIBUTE_VALUE` request with `attrs_size = 8`
and `cli_head.size = 16`.
The first malicious request is enough to corrupt heap metadata. The TA then
panics when the OP-TEE bget allocator detects the corrupted block metadata.
## Notes
- `run_c01.sh` shares `out/bin` into the guest over virtio-9p and writes logs
back to the same directory.
- The staged boot artifact links in `out/bin` are relative links to artifacts
inside this folder.
- `C-01-reproduction.md` documents an earlier x86 ASAN harness approach. The
runnable PoC in this folder is the QEMUv8 TEEC PoC: `c01_poc.c`.
- Since repo metadata was removed, treat this directory as an archived PoC
workspace rather than an upstream-synchronized OP-TEE checkout.