Security: NULL Pointer Dereference in the function TEE_MACCompareFinal #80

Closed
c01dkit opened this issue Sep 16, 2022 · 0 comments · Fixed by #87


c01dkit commented Sep 16, 2022

Affected components:

affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_MACCompareFinal

Attack vector(s)

To exploit the vulnerability, invoke the function TEE_MACCompareFinal and pass a NULL pointer to the parameter "operation".

Suggested description of the vulnerability for use in the CVE

Null pointer dereference vulnerability in TEE_MACCompareFinal function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) via invoking the function TEE_MACCompareFinal with a Null pointer of the parameter "operation".

Discoverer(s)/Credits

SyzTrust

Reference(s)

https://github.com/Samsung/mTower

if (operation->info.operationClass != TEE_OPERATION_MAC) {

Additional information

The TEE_MACCompareFinal function takes a pointer "operation". This value is passed by the TA, and TEE_MACCompareFinal does not check whether it is a null pointer or not. Executing the statement "if (operation->info.operationClass != TEE_OPERATION_MAC)" later will crash the trusted execution environment kernel and cause a Denial of Service (DoS).

THANK YOU FOR CONTRIBUTIONS IN MTOWER TEE OS!
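The check the report asks for, as an added example that is not mTower's code and not the fix merged in #87: a stand-alone model showing the reported dereference pattern next to a guarded form. The struct layout, constant values, function names, tag length and the choice to return an error code on a NULL handle are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the TEE API types; not mTower's headers. */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u
#define TEE_ERROR_MAC_INVALID    0xFFFF3071u
#define TEE_OPERATION_MAC        3u
#define TAG_LEN                  4u /* constructed tag size for the model */

struct op { struct { uint32_t operationClass; } info; uint8_t tag[TAG_LEN]; };
typedef struct op *TEE_OperationHandle;

/* Compare the stored tag with the caller's tag without an early exit. */
static TEE_Result compare_tag(const struct op *o, const uint8_t *mac, uint32_t macLen)
{
    uint8_t diff = 0;
    if (mac == NULL || macLen != TAG_LEN)
        return TEE_ERROR_BAD_PARAMETERS;
    for (uint32_t i = 0; i < TAG_LEN; i++)
        diff |= (uint8_t)(o->tag[i] ^ mac[i]);
    return diff ? TEE_ERROR_MAC_INVALID : TEE_SUCCESS;
}

/* Reported pattern: "operation" is dereferenced before any validation. */
TEE_Result mac_compare_final_unchecked(TEE_OperationHandle operation,
                                       const uint8_t *mac, uint32_t macLen)
{
    if (operation->info.operationClass != TEE_OPERATION_MAC)
        return TEE_ERROR_BAD_PARAMETERS;
    return compare_tag(operation, mac, macLen);
}

/* Guarded form: reject a NULL handle before the first member access. */
TEE_Result mac_compare_final_checked(TEE_OperationHandle operation,
                                     const uint8_t *mac, uint32_t macLen)
{
    if (operation == NULL)
        return TEE_ERROR_BAD_PARAMETERS; /* assumed error policy */
    if (operation->info.operationClass != TEE_OPERATION_MAC)
        return TEE_ERROR_BAD_PARAMETERS;
    return compare_tag(operation, mac, macLen);
}

int main(void)
{
    printf("NULL handle -> 0x%08x\n", (unsigned)mac_compare_final_checked(NULL, NULL, 0));
    return 0;
}
```

A TEE may prefer to terminate the calling TA on an invalid handle instead of returning an error; either way the validation has to precede the first `operation->` access.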
