Buffer Access with Incorrect Length Value in the function TEE_MACUpdate
Affected components:
affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_MACUpdate
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_MACUpdate and pass an excessive size value of "chunkSize".
Suggested description of the vulnerability for use in the CVE
Buffer Access with Incorrect Length Value vulnerability in the TEE_MACUpdate function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACUpdate with an excessive size value of "chunkSize".
Discoverer(s)/Credits
SyzTrust
Reference(s)
https://github.com/Samsung/mTower
mTower/tee/lib/libutee/tee_api_operations.c, line 1188 at commit efd3670
mTower/crypto/libtomcrypt/include/tomcrypt_hash.h, line 397 at commit efd3670
Additional information
The TEE_MACUpdate function takes an argument "chunkSize". This value is passed by the TA, and TEE_MACUpdate does not check whether it is equal to the size of "chunk". With an excessively large value, executing the statement "memcpy(md-> state_var .buf + md-> state_var.curlen, in, (size_t)n);" later may crash the trusted execution environment kernel and cause a Denial of Service (DoS).
Buffer Access with Incorrect Length Value in the function TEE_MACComputeFinal
Affected components:
affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_MACComputeFinal
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_MACComputeFinal and pass an excessive size value of "messageLen".
Suggested description of the vulnerability for use in the CVE
Buffer Access with Incorrect Length Value vulnerability in the TEE_MACComputeFinal function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACComputeFinal with an excessive size value of "messageLen".
Discoverer(s)/Credits
SyzTrust
Reference(s)
https://github.com/Samsung/mTower
mTower/tee/lib/libutee/tee_api_operations.c, line 1031 at commit efd3670
Additional information
The TEE_MACComputeFinal function takes an argument "messageLen". This value is passed by the TA, and TEE_MACComputeFinal does not check whether it is equal to the size of "message". With an excessively large value, executing the statement "res = utee_cipher_update(operation->state, srcData, srcLen, destData, &dl);" later will crash the trusted execution environment kernel and cause a Denial of Service (DoS).
Buffer Access with Incorrect Length Value in the function TEE_CipherUpdate
Affected components:
affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_CipherUpdate
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_CipherUpdate and pass an excessive size value of "srcLen".
Suggested description of the vulnerability for use in the CVE
Buffer Access with Incorrect Length Value vulnerability in the TEE_CipherUpdate function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_CipherUpdate with an excessive size value of "srcLen".
Discoverer(s)/Credits
SyzTrust
Reference(s)
https://github.com/Samsung/mTower
mTower/tee/lib/libutee/tee_api_operations.c, line 1224 at commit efd3670
Additional information
The TEE_CipherUpdate function takes an argument "srcLen". This value is passed by the TA, and TEE_CipherUpdate does not check whether it is equal to the size of "srcData". With an excessively large value, executing the statement "res = utee_hash_final(operation->state, message, messageLen, mac, &ml);" later will crash the trusted execution environment kernel and cause a Denial of Service (DoS).
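The three reports above (TEE_MACUpdate, TEE_MACComputeFinal and TEE_CipherUpdate) share one root cause: a TA-supplied length ("chunkSize", "messageLen", "srcLen") is trusted without being checked against the buffer it describes. The following is an added C example, not mTower code, that models the missing check in a hardened update routine. The ta_region_t map of TA-accessible memory, the mac_state_t state and both function names are assumptions for illustration; the block loop mirrors libtomcrypt's buffering so the memcpy quoted in the report is the statement being protected.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* GlobalPlatform TEE return codes (standard values). */
#define TEE_SUCCESS              0x00000000
#define TEE_ERROR_ACCESS_DENIED  0xFFFF0001
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006

#define BLOCK_SIZE 64 /* hash block size, as in libtomcrypt's HASH_PROCESS */

/* Assumed model of the memory the calling TA may hand to the TEE; a real
 * kernel would derive these bounds from the TA's own memory map. */
typedef struct { uintptr_t start; size_t len; } ta_region_t;

/* Hypothetical MAC state modelled on libtomcrypt's block buffering. */
typedef struct { unsigned char buf[BLOCK_SIZE]; size_t curlen; uint64_t total; } mac_state_t;

/* The check the reported functions lack: accept (buf, len) only if the whole
 * range lies inside the TA's region, with overflow-safe pointer arithmetic. */
uint32_t check_ta_buffer(const ta_region_t *r, const void *buf, size_t len)
{
    uintptr_t addr = (uintptr_t)buf;
    if (len == 0)
        return TEE_SUCCESS;                      /* empty update is a no-op */
    if (buf == NULL)
        return TEE_ERROR_BAD_PARAMETERS;
    if (len > (uintptr_t)-1 - addr)              /* addr + len would wrap */
        return TEE_ERROR_ACCESS_DENIED;
    if (addr < r->start || addr + len > r->start + r->len)
        return TEE_ERROR_ACCESS_DENIED;
    return TEE_SUCCESS;
}

/* Hardened update: validate first, then feed the data block by block, so the
 * memcpy into st->buf never reads past the caller's real buffer. */
uint32_t mac_update_checked(mac_state_t *st, const ta_region_t *r,
                            const void *chunk, size_t chunkSize)
{
    uint32_t res = check_ta_buffer(r, chunk, chunkSize);
    const unsigned char *in = chunk;
    if (res != TEE_SUCCESS)
        return res;                              /* state left untouched */
    while (chunkSize > 0) {
        size_t n = BLOCK_SIZE - st->curlen;      /* room left in this block */
        if (n > chunkSize) n = chunkSize;
        memcpy(st->buf + st->curlen, in, n);     /* the statement from the report */
        st->curlen += n; st->total += n; in += n; chunkSize -= n;
        if (st->curlen == BLOCK_SIZE)
            st->curlen = 0;                      /* a real MAC would compress here */
    }
    return TEE_SUCCESS;
}
```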
THANK YOU FOR CONTRIBUTIONS IN MTOWER TEE OS!