Affected components:
affected source code file: /tee/lib/libutee/tee_api.c, affected functions: TEE_Realloc
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_Realloc and pass a large number to the parameter "len".
Suggested description of the vulnerability for use in the CVE
Memory Allocation with Excessive Size Value vulnerability in TEE_Realloc function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) via invoking the function TEE_Realloc with an excessive number of the parameter "len".
Discoverer(s)/Credits
SyzTrust
Reference(s)
https://github.com/Samsung/mTower
mTower/tee/lib/libutee/tee_api.c
Line 319 in efd3670
Additional information
The function TEE_Realloc does not check the size of chunk to realloc. Executing the statement "tee_user_mem_realloc" with an excessive size value on a real IoT hardware (such as Numaker-PFM-M2351) will crash the trusted execution environment kernel and cause a Denial of Service (DoS).
THANK YOU FOR CONTRIBUTIONS IN MTOWER TEE OS!
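The missing size check described in the report, sketched as an added example (not mTower code and not a patch from the project): a wrapper that rejects an excessive `len` before the allocator is reached, plus a caller that keeps its old buffer when the request is refused. The names `checked_realloc`, `grow_buffer`, `backend_realloc` and the cap `TA_HEAP_MAX` are assumptions, and the C library `realloc` stands in for `tee_user_mem_realloc` so the sketch runs on a host.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this sketch: largest single allocation a TA may request.
 * A real port would derive it from the configured TA heap size. */
#define TA_HEAP_MAX ((uint32_t)(16u * 1024u))

/* Hypothetical stand-in for the TEE allocator, backed by libc on the host. */
static void *backend_realloc(void *buf, size_t len)
{
    return realloc(buf, len);
}

/* Validate len before the allocator sees it. On rejection the function
 * returns NULL and does not touch buf, so the caller's pointer stays valid.
 * Rejecting len == 0 is a choice made for this sketch. */
void *checked_realloc(void *buf, uint32_t len)
{
    if (len == 0 || len > TA_HEAP_MAX)
        return NULL;
    return backend_realloc(buf, len);
}

/* Caller pattern: never overwrite the only pointer with the raw result. */
int grow_buffer(uint8_t **buf, uint32_t *cap, uint32_t want)
{
    void *p = checked_realloc(*buf, want);
    if (p == NULL)
        return -1;              /* old buffer is still owned by the caller */
    *buf = p;
    *cap = want;
    return 0;
}

/* Constructed scenario: a normal grow succeeds, an excessive one is refused
 * and the existing data survives. Returns 0 when both hold. */
int demo(void)
{
    uint8_t *b = NULL;
    uint32_t cap = 0;

    if (grow_buffer(&b, &cap, 64) != 0)
        return 1;
    memset(b, 0xAA, 64);
    if (grow_buffer(&b, &cap, UINT32_MAX) != -1)
        return 2;
    if (cap != 64 || b[0] != 0xAA || b[63] != 0xAA)
        return 3;
    free(b);
    return 0;
}
```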