Security: Memory Allocation with Excessive Size Value in the function TEE_Malloc #74
Comments
|
Thanks for the analysis. I will check your issues. If you have ideas for fix, please create PRs |
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Affected components:
affected source code file: /tee/lib/libutee/tee_api.c, affected functions: TEE_Malloc
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_Malloc and pass a large number to the parameter "len".
Suggested description of the vulnerability for use in the CVE
Memory Allocation with Excessive Size Value vulnerablity in TEE_Malloc function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) via invoking the function TEE_Malloc with an excessive number of the parameter "len".
Discoverer(s)/Credits
SyzTrust
Reference(s)
https://github.com/Samsung/mTower
mTower/tee/lib/libutee/tee_api.c
Line 314 in 18f4b59
Additional information
The TEE_Malloc does not check the size of chunk to malloc. Executing the statement "tee_user_mem_alloc" with an excessive size value on a real IoT hardware (such as Numaker-PFM-M2351) will crash the trusted execution environment kernel and cause a Denial of Service (DoS).
Contact
c01dkit@outlook.com
The text was updated successfully, but these errors were encountered: