
Security: Memory Leak in the function TEE_PopulateTransientObject #71

Closed
c01dkit opened this issue Aug 1, 2022 · 1 comment · Fixed by #89
c01dkit commented Aug 1, 2022

Affected components:

affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_PopulateTransientObject and __utee_from_attr

Attack vector(s)

To exploit the vulnerability, invoke the function TEE_PopulateTransientObject and pass a large value for the parameter "attrCount".

Suggested description of the vulnerability for use in the CVE

Memory leak in the TEE_PopulateTransientObject and __utee_from_attr functions in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger denial of service and information disclosure by invoking the function TEE_PopulateTransientObject with a large value for the parameter "attrCount".

Reference(s)

https://github.com/Samsung/mTower

TEE_Result TEE_PopulateTransientObject(TEE_ObjectHandle object,

Additional information

The TEE_PopulateTransientObject function takes a number "attrCount" and creates an array "ua". This value is passed by the TA, and TEE_PopulateTransientObject does not check its size. Then it is passed to __utee_from_attr. The __utee_from_attr function tries to copy data from "attrs" to "ua". The problem appears in the assignments in the for loop. If the attr_count is too large, "ua" will overlap the memory region of other TAs (tampering with data such as global variables, or causing a TEE crash that triggers denial of service because of an illegal address dereference).

Contact

c01dkit@outlook.com
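The unchecked-count pattern the report describes, with the bound it says is missing, as an added example that is not mTower's code: the GP-style types, the MAX_ATTR_COUNT cap and the attribute values are constructed stand-ins, and the real fix lives in the referenced PR.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-ins for the GlobalPlatform types and result codes (numeric codes follow
 * the GP TEE Internal Core API; the structs are simplified, not mTower's headers). */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u

typedef struct { uint32_t attributeID; uint32_t a; uint32_t b; } attr_t;      /* like TEE_Attribute */
typedef struct { uint32_t attribute_id; uint32_t a; uint32_t b; } utee_attr_t; /* like utee_attribute */

/* Assumed cap: no GP transient object type takes more than a handful of attributes. */
#define MAX_ATTR_COUNT 8u

/* Copy loop whose count the caller has already validated against the destination size. */
static void from_attr_bounded(utee_attr_t *ua, const attr_t *attrs, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++) {
        ua[i].attribute_id = attrs[i].attributeID;
        ua[i].a = attrs[i].a;
        ua[i].b = attrs[i].b;
    }
}

/* Hardened populate: reject the untrusted attr_count before it sizes any buffer or
 * drives any loop; the destination is a fixed-size array, not a VLA sized by the caller. */
TEE_Result populate_transient_checked(const attr_t *attrs, uint32_t attr_count,
                                      utee_attr_t ua[MAX_ATTR_COUNT])
{
    if (ua == NULL || attr_count > MAX_ATTR_COUNT)   /* the check the report says is missing */
        return TEE_ERROR_BAD_PARAMETERS;
    if (attr_count != 0 && attrs == NULL)
        return TEE_ERROR_BAD_PARAMETERS;
    from_attr_bounded(ua, attrs, attr_count);
    return TEE_SUCCESS;
}

/* Demo on constructed input: two attributes copied, then an oversized count
 * rejected. Returns the sum of the copied fields (10), or 0 on any failure. */
uint32_t demo_checked_populate(void)
{
    const attr_t attrs[2] = { { 0x1u, 1, 2 }, { 0x2u, 3, 4 } };   /* constructed IDs */
    utee_attr_t ua[MAX_ATTR_COUNT] = { { 0 } };
    if (populate_transient_checked(attrs, 2, ua) != TEE_SUCCESS) return 0;
    if (populate_transient_checked(attrs, 0x7FFFFFFFu, ua) != TEE_ERROR_BAD_PARAMETERS) return 0;
    return ua[0].a + ua[0].b + ua[1].a + ua[1].b;
}
```

The same bound must also be applied before any arithmetic on attr_count (such as a byte-size multiplication) so the check cannot be bypassed by integer wraparound.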

@tdrozdovsky tdrozdovsky self-assigned this Sep 4, 2022
tdrozdovsky (Contributor) commented:

The issue will be reviewed and fixed as soon as possible.
