The sizes recorded in the in_size[] member of psa_msg_t hold the total size of each input vector and are expected to stay constant for the lifetime of the message.
The SFN backend, however, reduces them after successful psa_read and psa_skip calls.
Background
The Secure Functions of RoT Services are called by the SPM when a client makes a request to the service; the SPM passes a pointer to a struct psa_msg_t as input.
The psa_msg_t struct contains an in_size[] field that holds the size of each invec provided by the client.
RoT Services determine how much data is available to read from this field.
The in_size[] values must not change during the call to the RoT Service.
However, after a psa_read or psa_skip call the SPM (SFN backend) overwrites in_size[] with the size of the data remaining, and it does so directly on the psa_msg_t passed to the RoT Service.
The SPM does this to keep track of how much data is left to read.
As a result, the reduction of in_size[] is visible to the RoT Service as well.
Note that the IPC backend SPM is unaffected as Secure Partitions always have local copies of messages.
Impacts
This defect causes errors whenever a RoT Service assumes in_size[] is unchanged after a call to psa_read or psa_skip, for example:
- A RoT Service reads all the input data with a single psa_read call and then uses in_size[] to check whether the amount of data read is as expected. The check gives a wrong result, because the SPM has already set in_size[] to 0 once all the data has been read.
- A RoT Service reads the same input vector in several steps and uses in_size[] between the reads to calculate the remaining size. It gets the wrong size, because the SPM has already subtracted the bytes consumed so far.
Workaround
Recording the initial value of in_size[] in a local variable before the first psa_read or psa_skip works around the issue.
Do not rely on the in_size[] values after any call to psa_read or psa_skip.
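The following is an added, self-contained simulation of the defect and the workaround; it is not TF-M code. The sim_* functions, the cut-down sim_msg_t (only handle and in_size[] of the real psa_msg_t), the single-invec SPM bookkeeping and the 16-byte sample input with a hypothetical 4-byte header are all assumptions made for the example. sim_consume() reproduces the SFN-backend behaviour described above: it shrinks in_size[] in place on the message the service is looking at. Each impact from the list is shown as a buggy service beside the snapshot-first version that implements the workaround.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PSA_MAX_IOVEC 4

/* Simplified stand-in for TF-M's psa_msg_t with only the fields used here
 * (the real struct also has signal, type, client_id, rhandle, out_size[]). */
typedef struct {
    int32_t handle;
    size_t in_size[PSA_MAX_IOVEC];
} sim_msg_t;

/* Simulated SPM bookkeeping for invec 0 and the psa_msg_t the service holds. */
static struct {
    const uint8_t *cursor;
    size_t remaining;
    sim_msg_t *msg;
} g_spm;

/* Shared consume step. The last assignment reproduces the SFN-backend
 * behaviour this note describes: in_size[idx] is reduced in place on the
 * message the service sees. buf == NULL models psa_skip (discard, no copy). */
static size_t sim_consume(uint32_t idx, void *buf, size_t n)
{
    if (idx != 0 || g_spm.msg == NULL)
        return 0;
    size_t got = n < g_spm.remaining ? n : g_spm.remaining;
    if (buf != NULL)
        memcpy(buf, g_spm.cursor, got);
    g_spm.cursor += got;
    g_spm.remaining -= got;
    g_spm.msg->in_size[idx] -= got;        /* the defect */
    return got;
}

/* Same shape as psa_read()/psa_skip(); the message handle is unused here. */
static size_t sim_psa_read(int32_t h, uint32_t idx, void *buf, size_t n)
{ (void)h; return sim_consume(idx, buf, n); }

static size_t sim_psa_skip(int32_t h, uint32_t idx, size_t n)
{ (void)h; return sim_consume(idx, NULL, n); }

/* Constructed 16-byte client input: hypothetical 4-byte header + 12-byte payload. */
static const uint8_t SAMPLE_INPUT[16] = {
    0xA5, 0x5A, 0x00, 0x0C, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
};

/* Presents SAMPLE_INPUT the way the SPM would: in_size[0] holds the full
 * invec length when the service starts. */
static void setup_message(sim_msg_t *msg)
{
    memset(msg, 0, sizeof *msg);
    msg->handle = 1;
    msg->in_size[0] = sizeof SAMPLE_INPUT;
    g_spm.cursor = SAMPLE_INPUT;
    g_spm.remaining = sizeof SAMPLE_INPUT;
    g_spm.msg = msg;
}

/* Impact 1: read all input in one psa_read, then compare the byte count with
 * in_size[0]. Returns 1 if the service thinks the sizes matched. */
static int size_check_buggy(const sim_msg_t *msg)
{
    uint8_t buf[64];
    size_t n = sim_psa_read(msg->handle, 0, buf, sizeof buf);
    return n == msg->in_size[0];           /* in_size[0] is now 0: fails */
}

/* Workaround: snapshot in_size[0] before the first psa_read/psa_skip. */
static int size_check_fixed(const sim_msg_t *msg)
{
    uint8_t buf[64];
    size_t expected = msg->in_size[0];
    size_t n = sim_psa_read(msg->handle, 0, buf, sizeof buf);
    return n == expected;
}

/* Impact 2: skip the header, then derive how much payload is left from
 * in_size[0]. Returns that derived length. */
static size_t payload_len_buggy(const sim_msg_t *msg)
{
    size_t skipped = sim_psa_skip(msg->handle, 0, 4);
    return msg->in_size[0] - skipped;      /* header subtracted twice */
}

static size_t payload_len_fixed(const sim_msg_t *msg)
{
    size_t total = msg->in_size[0];        /* snapshot first */
    size_t skipped = sim_psa_skip(msg->handle, 0, 4);
    return total - skipped;
}

/* Runners: set up a fresh message, invoke a service on it, return its result. */
static int run_size_check(int (*svc)(const sim_msg_t *))
{ sim_msg_t msg; setup_message(&msg); return svc(&msg); }

static size_t run_payload_len(size_t (*svc)(const sim_msg_t *))
{ sim_msg_t msg; setup_message(&msg); return svc(&msg); }
```

With the sample input, run_size_check(size_check_buggy) returns 0 and run_size_check(size_check_fixed) returns 1; run_payload_len(payload_len_buggy) returns 8 while run_payload_len(payload_len_fixed) returns the correct 12. The const qualifier on the service's msg pointer does not protect the service: the SPM writes through its own pointer to the same object, which is exactly why the snapshot has to be taken before the first read or skip.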