Attack vector(s)
One way to exploit the vulnerability: from a trusted application, invoke TEE_AllocateOperation, then TEE_Realloc with a large size to disturb the heap layout, and then invoke TEE_AllocateOperation again.
Suggested description of the vulnerability for use in the CVE
Improper Input Validation vulnerability in the function tee_obj_free in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_AllocateOperation with a disturbed heap layout.
Additional information
As shown in the PoC, when the heap layout has been disturbed, the calloc call in tee_obj_alloc does not return a buffer with all bits zero as expected on real IoT hardware running mTower (such as the Numaker-PFM-M2351). The freshly allocated object's attr field therefore holds stale heap data instead of NULL, so executing the statement free(o->attr) in tee_obj_free frees an invalid pointer, which crashes the trusted execution environment kernel and causes a Denial of Service (DoS).
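To make the failure mode concrete, the following is an added illustrative example in C; it is not mTower's code and not part of this report. A stand-in allocator, platform_calloc_nonzeroing, is constructed to behave like the calloc observed on the board, returning stale, non-zero memory. obj_alloc_vulnerable trusts it the way the report says tee_obj_alloc trusts calloc, so its attr field ends up holding garbage that a later free() would consume; obj_alloc_hardened zeroes the object explicitly, so attr is NULL until the object really owns an attribute buffer. All struct and function names are hypothetical.

```c
/*
 * Added illustrative example (not mTower's code). Models how a TEE object
 * allocator that relies on calloc() zeroing memory ends up handing a garbage
 * pointer to free(), and how explicit initialisation avoids it.
 * All names are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a TEE object carrying an attribute table. */
struct tee_obj {
    uint32_t obj_type;
    void    *attr;   /* allocated later by the crypto layer, or NULL */
};

/*
 * Constructed stand-in for a platform calloc that does NOT zero memory
 * (mimicking the behaviour observed on the board): it returns malloc()ed
 * memory filled with a recognisable pattern, like stale heap contents.
 */
static void *platform_calloc_nonzeroing(size_t nmemb, size_t size)
{
    void *p = malloc(nmemb * size);  /* tiny fixed sizes: no overflow concern here */
    if (p)
        memset(p, 0xA5, nmemb * size);
    return p;
}

/* Vulnerable pattern: relies entirely on the allocator zeroing the struct. */
struct tee_obj *obj_alloc_vulnerable(void)
{
    return platform_calloc_nonzeroing(1, sizeof(struct tee_obj));
}

/* Hardened pattern: never trusts the allocator; initialise every field. */
struct tee_obj *obj_alloc_hardened(void)
{
    struct tee_obj *o = platform_calloc_nonzeroing(1, sizeof(*o));
    if (!o)
        return NULL;
    memset(o, 0, sizeof(*o));  /* explicit zeroing regardless of allocator */
    o->attr = NULL;            /* redundant with memset; documents the invariant */
    return o;
}

/*
 * True when free(o->attr) would receive a pointer this module never set.
 * Right after allocation the only valid value is NULL (nothing attached yet).
 */
bool obj_free_would_be_unsafe(const struct tee_obj *o)
{
    return o->attr != NULL;
}

/* Safe release: attr is either NULL or a pointer this module assigned. */
void obj_free_hardened(struct tee_obj *o)
{
    if (!o)
        return;
    free(o->attr);   /* free(NULL) is a defined no-op */
    o->attr = NULL;  /* no dangling pointer if the object is inspected before release */
    free(o);
}

/* Allocate with the vulnerable pattern and report whether attr is garbage. */
bool vulnerable_alloc_leaves_garbage_attr(void)
{
    struct tee_obj *o = obj_alloc_vulnerable();
    bool unsafe = o && obj_free_would_be_unsafe(o);
    free(o);  /* deliberately do NOT free o->attr: it is stale heap data */
    return unsafe;
}

/* Allocate with the hardened pattern and report whether attr is NULL. */
bool hardened_alloc_leaves_null_attr(void)
{
    struct tee_obj *o = obj_alloc_hardened();
    bool safe = o && !obj_free_would_be_unsafe(o);
    obj_free_hardened(o);
    return safe;
}

int main(void)
{
    printf("vulnerable alloc: attr garbage -> free(o->attr) would crash: %s\n",
           vulnerable_alloc_leaves_garbage_attr() ? "yes" : "no");
    printf("hardened alloc:   attr NULL    -> free(o->attr) is a no-op:   %s\n",
           hardened_alloc_leaves_null_attr() ? "yes" : "no");
    return 0;
}
```

The point generalises beyond this one report: on a TEE or bare-metal heap, treat allocator zeroing as something to verify rather than assume, and initialise every pointer field that a free path will later pass to free(). A NULL check in the free path cannot rescue a field that holds stale heap data, because the garbage is not NULL.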
Affected components:
affected source code file: /tee/tee/tee_svc_cryp.c, affected function: utee_cryp_obj_alloc
affected source code file: /tee/tee/tee_obj.c, affected functions: tee_obj_alloc and tee_obj_free
Discoverer(s)/Credits
SyzTrust
Reference(s)
https://github.com/Samsung/mTower
mTower/tee/tee/tee_svc_cryp.c, line 1248 at commit efd3670
mTower/tee/tee/tee_obj.c, line 109 at commit efd3670
PoC
poc_14.zip
THANK YOU FOR YOUR CONTRIBUTIONS TO THE MTOWER TEE OS!