Summary
HAL_HASH_Start_IT() does not validate pInBuffer before storing and later dereferencing it in interrupt-driven processing. Passing a NULL input buffer with a non-zero size can trigger a hard fault / crash.
This appears to be an improper input validation issue (CWE-20).
Affected Function
trusted-firmware-m/platform/ext/target/stm/common/stm32u3xx/hal/Src/stm32u3xx_hal_hash.c
Line 933 in 2b37dce
HAL_StatusTypeDef HAL_HASH_Start_IT(
HASH_HandleTypeDef *hhash,
const uint8_t *const pInBuffer,
uint32_t Size,
uint8_t *const pOutBuffer)
Root Cause
HAL_HASH_Start_IT() validates hhash but does not validate pInBuffer.
Relevant code:
if (hhash == NULL)
{
return HAL_ERROR;
}
hhash->pHashInBuffPtr = pInBuffer;
The pointer is later dereferenced in HASH_WriteData_IT() without validation:
__IO uint32_t inputaddr = (uint32_t)(hhash->pHashInBuffPtr);
hhash->Instance->DIN = *(uint32_t *)inputaddr;
If:
pInBuffer == NULL
Size > 0
then the code dereferences address 0x0, which can result in a hard fault or system crash.
Impact
This can cause denial of service via crash/hard fault when invalid parameters reach the HAL API.
Because the operation is interrupt-driven, the invalid pointer is stored in the handle state and later consumed asynchronously.
Reproduction
Example:
HAL_HASH_Start_IT(&hhash, NULL, 32, output);
This eventually reaches:
*(uint32_t *)0
inside HASH_WriteData_IT().
Suggested Fix
Validate pointer/size combinations before enabling interrupts or storing the pointers.
Example:
if ((hhash == NULL) ||
((pInBuffer == NULL) && (Size > 0U)) ||
(pOutBuffer == NULL))
{
return HAL_ERROR;
}
At minimum:
if ((pInBuffer == NULL) && (Size > 0U))
{
return HAL_ERROR;
}
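The following is an added host-side model, not code from the TF-M or STM32 HAL sources, that shows why the check belongs in the start routine rather than in the interrupt path: the start call only stores the pointer, and it is the deferred write that consumes it. The struct, the din_sink field and the function names are stand-ins for HASH_HandleTypeDef, hhash->Instance->DIN, HAL_HASH_Start_IT() and HASH_WriteData_IT(); the deferred model returns 0 instead of performing the NULL read so it can run on a PC. The sample input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { HAL_OK = 0, HAL_ERROR = 1 } HAL_StatusTypeDef;

/* Hypothetical, reduced handle: only the fields the report discusses.
 * Not the real HASH_HandleTypeDef. */
typedef struct {
    const uint8_t *pHashInBuffPtr; /* input pointer stored for the IT path */
    uint32_t HashInCount;          /* bytes still to be written */
    uint32_t din_sink;             /* stands in for hhash->Instance->DIN */
    uint32_t words_written;
} hash_handle_t;

/* Start routine as the report describes it: only the handle is checked,
 * the input pointer is stored and consumed later by the interrupt path. */
HAL_StatusTypeDef start_it_unchecked(hash_handle_t *h, const uint8_t *in, uint32_t size)
{
    if (h == NULL) return HAL_ERROR;
    h->pHashInBuffPtr = in;
    h->HashInCount = size;
    return HAL_OK;
}

/* Hardened start routine: pointer/size combinations are validated before
 * anything is stored in the handle, as in the suggested fix above. */
HAL_StatusTypeDef start_it_checked(hash_handle_t *h, const uint8_t *in, uint32_t size, uint8_t *out)
{
    if ((h == NULL) || ((in == NULL) && (size > 0U)) || (out == NULL)) {
        return HAL_ERROR;
    }
    h->pHashInBuffPtr = in;
    h->HashInCount = size;
    return HAL_OK;
}

/* Model of the deferred write path (HASH_WriteData_IT in the report): it
 * trusts whatever pointer the handle holds. Returns 0 where the target
 * would perform the *(uint32_t *)0 read, 1 when all words were written. */
int write_data_it(hash_handle_t *h)
{
    while (h->HashInCount >= 4U) {
        if (h->pHashInBuffPtr == NULL) {
            return 0; /* on hardware: hard fault */
        }
        uint32_t word;
        memcpy(&word, h->pHashInBuffPtr, sizeof word); /* alignment-safe read */
        h->din_sink = word;
        h->words_written++;
        h->pHashInBuffPtr += 4;
        h->HashInCount -= 4U;
    }
    return 1;
}

/* The report's repro against the unchecked model: start accepts NULL and
 * the deferred path is what reaches the NULL read. Returns 1 if so. */
int demo_unchecked_reaches_null(void)
{
    hash_handle_t h = {0};
    if (start_it_unchecked(&h, NULL, 32U) != HAL_OK) return 0;
    return write_data_it(&h) == 0;
}

/* Same call against the hardened model: rejected up front, handle untouched. */
int demo_checked_rejects(void)
{
    hash_handle_t h = {0};
    uint8_t out[32];
    HAL_StatusTypeDef st = start_it_checked(&h, NULL, 32U, out);
    return (st == HAL_ERROR) && (h.pHashInBuffPtr == NULL) && (h.HashInCount == 0U);
}

/* Valid call with 32 constructed bytes: returns the number of words written. */
uint32_t demo_checked_valid(void)
{
    hash_handle_t h = {0};
    uint8_t in[32], out[32];
    for (size_t i = 0; i < sizeof in; i++) in[i] = (uint8_t)i;
    if (start_it_checked(&h, in, sizeof in, out) != HAL_OK) return 0;
    if (!write_data_it(&h)) return 0;
    return h.words_written;
}

/* Edge case the check deliberately allows: NULL with Size == 0 reads nothing. */
int demo_checked_null_zero_size(void)
{
    hash_handle_t h = {0};
    uint8_t out[32];
    if (start_it_checked(&h, NULL, 0U, out) != HAL_OK) return 0;
    return write_data_it(&h) == 1;
}

int main(void)
{
    printf("unchecked reaches NULL read: %d\n", demo_unchecked_reaches_null());
    printf("checked rejects NULL/32:     %d\n", demo_checked_rejects());
    printf("checked valid words written: %u\n", (unsigned)demo_checked_valid());
    printf("checked allows NULL/0:       %d\n", demo_checked_null_zero_size());
    return 0;
}
```

The point the model makes is the ordering one from the Impact section: once the pointer is in the handle, the interrupt path has no safe way to reject it, so the validation has to happen in HAL_HASH_Start_IT() before the store and before interrupts are enabled.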