Affected components:
affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_PopulateTransientObject and __utee_from_attr
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_PopulateTransientObject and pass a large number as the parameter "attrCount".
Suggested description of the vulnerability for use in the CVE
Memory leak in TEE_PopulateTransientObject and __utee_from_attr functions in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger denial of service and information disclosure via invoking the function TEE_PopulateTransientObject with a large number as the parameter "attrCount".
Reference(s)
https://github.com/Samsung/mTower
mTower/tee/lib/libutee/tee_api_objects.c
Line 283 in 18f4b59
Additional information
The TEE_PopulateTransientObject function takes a number "attrCount" and creates an array "ua". This value is passed by the TA, and TEE_PopulateTransientObject does not check its size. Then it is passed to __utee_from_attr. The __utee_from_attr function tries to copy data from "attrs" to "ua". The problem appears in the assignments in the for loop. If attr_count is too large, "ua" will overlap the memory region of other TAs (tampering with data such as global variables, or causing a TEE crash and triggering denial of service because of an illegal address dereference).
Contact
c01dkit@outlook.com
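The missing bound described under "Additional information", as an added example that is not mTower's code: a simplified C model of the copy loop with the count validated before it runs. The struct layouts, `MAX_ATTRS`, `populate_checked` and `run_case` are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions): not mTower's real types or limits. */
#define MAX_ATTRS 8u
#define ERR_BAD_PARAMETERS (-1)

struct attr  { uint32_t id; const void *buf; size_t len; };   /* caller side */
struct uattr { uint32_t id; uint64_t a; uint64_t b; };        /* internal side */
struct object { struct uattr ua[MAX_ATTRS]; uint32_t count; uint32_t canary; };

/* Copy loop in the style the report describes for __utee_from_attr:
 * it trusts that `ua` has room for `count` entries. */
static void from_attr(struct uattr *ua, const struct attr *attrs, uint32_t count)
{
    for (uint32_t n = 0; n < count; n++) {
        ua[n].id = attrs[n].id;
        ua[n].a  = (uint64_t)(uintptr_t)attrs[n].buf;
        ua[n].b  = (uint64_t)attrs[n].len;
    }
}

/* Hardened entry point: validate the caller-supplied count against the
 * destination capacity before the copy loop runs. */
int populate_checked(struct object *obj, const struct attr *attrs, uint32_t attr_count)
{
    if (obj == NULL || (attrs == NULL && attr_count != 0))
        return ERR_BAD_PARAMETERS;
    if (attr_count > MAX_ATTRS)          /* the bound the report says is missing */
        return ERR_BAD_PARAMETERS;
    from_attr(obj->ua, attrs, attr_count);
    obj->count = attr_count;
    return 0;
}

/* Constructed test input: MAX_ATTRS dummy attributes and a canary after `ua`. */
int run_case(uint32_t attr_count)
{
    static const uint8_t key[4] = { 1, 2, 3, 4 };
    struct attr attrs[MAX_ATTRS];
    struct object obj = { .count = 0, .canary = 0xC0FFEEu };
    for (uint32_t n = 0; n < MAX_ATTRS; n++)
        attrs[n] = (struct attr){ .id = 0x100u + n, .buf = key, .len = sizeof key };
    int rc = populate_checked(&obj, attrs, attr_count);
    if (obj.canary != 0xC0FFEEu) return -2;             /* adjacent data clobbered */
    if (rc == 0 && obj.count != attr_count) return -3;  /* copy bookkeeping wrong */
    return rc;
}

int main(void) { printf("%d %d\n", run_case(3), run_case(0xFFFFFFFFu)); return 0; }
```

The same check applies whether the destination is a fixed array or sized from the count: the count has to be bounded before anything is allocated or indexed with it.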