Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security: Memory Allocation with Excessive Size Value in the function TEE_Realloc #82

Closed
c01dkit opened this issue Sep 16, 2022 · 0 comments · Fixed by #86
Closed

Security: Memory Allocation with Excessive Size Value in the function TEE_Realloc #82

c01dkit opened this issue Sep 16, 2022 · 0 comments · Fixed by #86

Comments

@c01dkit
Copy link

c01dkit commented Sep 16, 2022

Affected components:

affected source code file: /tee/lib/libutee/tee_api.c, affected functions: TEE_Realloc

Attack vector(s)

To exploit the vulnerability, invoke the function TEE_Realloc and pass a large number to the parameter "len".

Suggested description of the vulnerability for use in the CVE

Memory Allocation with Excessive Size Value vulnerablity in TEE_Realloc function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) via invoking the function TEE_Realloc with an excessive number of the parameter "len".

Discoverer(s)/Credits

SyzTrust

Reference(s)

https://github.com/Samsung/mTower

void *TEE_Realloc(const void *buffer, uint32_t newSize)

Additional information

The function TEE_Realloc does not check the size of chunk to realloc. Executing the statement "tee_user_mem_realloc" with an excessive size value on a real IoT hardware (such as Numaker-PFM-M2351) will crash the trusted execution environment kernel and cause a Denial of Service (DoS).

THANK YOU FOR CONTRIBUTIONS IN MTOWER TEE OS!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant