
Security: Buffer Access with Incorrect Length Value in TEE_MACUpdate, TEE_MACComputeFinal and TEE_CipherUpdate #81

Closed
c01dkit opened this issue Sep 16, 2022 · 0 comments · Fixed by #90

c01dkit commented Sep 16, 2022

Buffer Access with Incorrect Length Value in the function TEE_MACUpdate

Affected components:

affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_MACUpdate

Attack vector(s)

To exploit the vulnerability, invoke the function TEE_MACUpdate and pass an excessive size value of "chunkSize".

Suggested description of the vulnerability for use in the CVE

Buffer Access with Incorrect Length Value vulnerability in TEE_MACUpdate function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) via invoking the function TEE_MACUpdate with an excessive size value of "chunkSize".

Discoverer(s)/Credits

SyzTrust

Reference(s)

https://github.com/Samsung/mTower

res = utee_hash_update(operation->state, chunk, chunkSize);

memcpy(md-> state_var .buf + md-> state_var.curlen, in, (size_t)n); \

Additional information

The TEE_MACUpdate function takes an argument "chunkSize". This value is passed by the TA, and TEE_MACUpdate does not check whether it is equal to the size of "chunk" or not. With an excessively large value, executing the statement "memcpy(md-> state_var .buf + md-> state_var.curlen, in, (size_t)n);" later may crash the trusted execution environment kernel and cause a Denial of Service (DoS).


Buffer Access with Incorrect Length Value in the function TEE_MACComputeFinal

Affected components:

affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_MACComputeFinal

Attack vector(s)

To exploit the vulnerability, invoke the function TEE_MACComputeFinal and pass an excessive size value of "messageLen".

Suggested description of the vulnerability for use in the CVE

Buffer Access with Incorrect Length Value vulnerability in TEE_MACComputeFinal function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) via invoking the function TEE_MACComputeFinal with an excessive size value of "messageLen".

Discoverer(s)/Credits

SyzTrust

Reference(s)

https://github.com/Samsung/mTower

res = utee_cipher_update(operation->state, srcData,

Additional information

The TEE_MACComputeFinal function takes an argument "messageLen". This value is passed by the TA, and TEE_MACComputeFinal does not check whether it is the size of "message" or not. With an excessively large value, executing the statement "res = utee_cipher_update(operation->state, srcData, srcLen, destData, &dl);" later will crash the trusted execution environment kernel and cause a Denial of Service (DoS).


Buffer Access with Incorrect Length Value in the function TEE_CipherUpdate

Affected components:

affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_CipherUpdate

Attack vector(s)

To exploit the vulnerability, invoke the function TEE_CipherUpdate and pass an excessive size value of "srcLen".

Suggested description of the vulnerability for use in the CVE

Buffer Access with Incorrect Length Value vulnerability in TEE_CipherUpdate function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) via invoking the function TEE_CipherUpdate with an excessive size value of "srcLen".

Discoverer(s)/Credits

SyzTrust

Reference(s)

https://github.com/Samsung/mTower

res = utee_hash_final(operation->state, message, messageLen, mac, &ml);

Additional information

The TEE_CipherUpdate function takes an argument "srcLen". This value is passed by the TA, and TEE_CipherUpdate does not check whether it is the size of "srcData" or not. With an excessively large value, executing the statement "res = utee_hash_final(operation->state, message, messageLen, mac, &ml);" later will crash the trusted execution environment kernel and cause a Denial of Service (DoS).

THANK YOU FOR CONTRIBUTIONS IN MTOWER TEE OS!
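Added example, not mTower's code and not part of the report above: a hardened update routine in the style of the memcpy path quoted in the report, which validates the TA-supplied length before any byte of the input is read by requiring the whole [chunk, chunk + chunkSize) range to lie inside a region the TA is known to own (checked without pointer wrap-around). The return-code values, mac_state, ta_region and the sample_* data are constructed for this example; the block compression step is omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed return codes, modelled on GlobalPlatform-style TEE_Result values. */
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u
#define TEE_ERROR_ACCESS_DENIED  0xFFFF0001u

/* Constructed stand-in for a block-buffered hash/MAC state (buf + curlen). */
#define BLOCKSIZE 64
struct mac_state { uint8_t buf[BLOCKSIZE]; size_t curlen; size_t total; };

/* Constructed: the memory region the calling TA is allowed to hand to the TEE. */
struct ta_region { const uint8_t *base; size_t len; };

/* Non-zero only if [p, p + n) lies entirely inside the region; the remaining
   space is computed as a difference so a huge n cannot wrap the arithmetic. */
static int range_in_region(const struct ta_region *r, const void *p, size_t n)
{
    uintptr_t start = (uintptr_t)p, rbase = (uintptr_t)r->base;
    if (start < rbase || start > rbase + r->len) return 0;
    if (n > (rbase + r->len) - start) return 0;    /* rejects excessive chunkSize */
    return 1;
}

/* Hardened counterpart of the TEE_MACUpdate path: the TA-supplied length is
   checked against the TA's region first, so the copy loop never reads past
   memory the caller actually owns. */
uint32_t checked_mac_update(struct mac_state *md, const struct ta_region *r,
                            const void *chunk, size_t chunkSize)
{
    const uint8_t *in = chunk;
    if (!md || !r || (!chunk && chunkSize)) return TEE_ERROR_BAD_PARAMETERS;
    if (chunkSize == 0) return TEE_SUCCESS;
    if (!range_in_region(r, chunk, chunkSize)) return TEE_ERROR_ACCESS_DENIED;
    while (chunkSize > 0) {                         /* same buffering as the quoted memcpy */
        size_t n = BLOCKSIZE - md->curlen;
        if (n > chunkSize) n = chunkSize;
        memcpy(md->buf + md->curlen, in, n);
        md->curlen += n; in += n; chunkSize -= n; md->total += n;
        if (md->curlen == BLOCKSIZE) md->curlen = 0; /* full block: compress (omitted) */
    }
    return TEE_SUCCESS;
}

/* Constructed sample data: a 100-byte buffer owned by the TA, plus one state. */
static uint8_t sample_ta_buf[100];
static const struct ta_region sample_region = { sample_ta_buf, sizeof sample_ta_buf };
static struct mac_state sample_state;
```

A length that reaches past the TA's buffer, including a wrap-inducing value such as (size_t)-1, is refused before memcpy runs, which is the check the report says the mTower functions lack.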
