Affected components:
affected source code file: /tee/lib/libutee/tee_api.c, affected functions: TEE_Malloc
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_Malloc and pass a large number to the parameter "len".
Suggested description of the vulnerability for use in the CVE
Memory Allocation with Excessive Size Value vulnerability in the TEE_Malloc function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_Malloc with an excessive value for the parameter "len".
Discoverer(s)/Credits
SyzTrust
Reference(s)
https://github.com/Samsung/mTower
mTower/tee/lib/libutee/tee_api.c
Line 314 in 18f4b59
Additional information
TEE_Malloc does not check the size of the chunk to allocate. Executing the statement "tee_user_mem_alloc" with an excessive size value on real IoT hardware (such as Numaker-PFM-M2351) will crash the trusted execution environment kernel and cause a Denial of Service (DoS).
Contact
c01dkit@outlook.com
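
The missing size check described in this report, shown as an added example that is not mTower's code or its fix: `unchecked_malloc` has the shape the report describes, and `checked_malloc` bounds `len` before the allocator sees it. `backend_alloc`, `TA_HEAP_SIZE` and `CHUNK_OVERHEAD` are assumed stand-ins for `tee_user_mem_alloc` and the target's heap parameters.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Assumed values, not taken from mTower: total heap available to the
 * trusted application and the allocator's per-chunk bookkeeping size. */
#define TA_HEAP_SIZE   (32u * 1024u)
#define CHUNK_OVERHEAD 16u

static unsigned backend_calls;   /* counts requests that reach the allocator */

/* Stand-in for the underlying allocator (tee_user_mem_alloc in the report). */
static void *backend_alloc(uint32_t len, uint32_t hint)
{
    (void)hint;
    backend_calls++;
    return calloc(1, (size_t)len + CHUNK_OVERHEAD);
}

/* Shape described in the report: len is forwarded without any bound. */
void *unchecked_malloc(uint32_t len, uint32_t hint)
{
    return backend_alloc(len, hint);
}

/* Checked variant: reject sizes the heap can never satisfy before the
 * allocator does arithmetic on them. Comparing against (heap - overhead)
 * also rules out len + CHUNK_OVERHEAD wrapping around at UINT32_MAX. */
void *checked_malloc(uint32_t len, uint32_t hint)
{
    if (len > TA_HEAP_SIZE - CHUNK_OVERHEAD)
        return NULL;             /* caller sees an ordinary allocation failure */
    return backend_alloc(len, hint);
}

int main(void)
{
    void *ok  = checked_malloc(256, 0);          /* constructed sample sizes */
    void *big = checked_malloc(UINT32_MAX, 0);
    int rc = (ok != NULL && big == NULL && backend_calls == 1) ? 0 : 1;
    free(ok);
    return rc;
}
```

With the bound in place, an oversized request returns NULL to the trusted application and never reaches the allocator.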