CVE-2022-40759: Security: NULL Pointer Dereference in the function TEE_MACCompareFinal · Issue #80 · Samsung/mTower
A NULL pointer dereference issue in the TEE_MACCompareFinal function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACCompareFinal with a NULL pointer for the parameter operation.
Affected components:
affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_MACCompareFinal
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_MACCompareFinal and pass a NULL pointer to the parameter "operation".
Suggested description of the vulnerability for use in the CVE
Null pointer dereference vulnerability in TEE_MACCompareFinal function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) via invoking the function TEE_MACCompareFinal with a Null pointer of the parameter "operation".
Discoverer(s)/Credits
SyzTrust
Reference(s)
https://github.com/Samsung/mTower
if (operation->info.operationClass != TEE_OPERATION_MAC) {
Additional information
The TEE_MACCompareFinal function takes a pointer "operation". This value is passed by TA, and TEE_MACCompareFinal does not check whether it is a null pointer or not. Executing the statement "if (operation->info.operationClass != TEE_OPERATION_MAC)" later will crash the trusted execution environment kernel and cause a Denial of Service (DoS).
THANK YOU FOR CONTRIBUTIONS IN MTOWER TEE OS!
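The missing check described in the report, shown beside a guarded form. This is an added example, not code from the issue or from mTower: the struct layout, the names op_state, class_is_mac_unchecked and mac_compare_final_checked, and the choice to return an error code on a bad handle are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the GlobalPlatform types (assumptions, not mTower's headers). */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u
#define TEE_ERROR_MAC_INVALID    0xFFFF3071u
#define TEE_OPERATION_MAC        3u

struct op_info { uint32_t operationClass; };
struct op_state {                 /* hypothetical operation handle body */
    struct op_info info;
    uint8_t computed_mac[32];     /* constructed: MAC the operation would have produced */
    size_t computed_len;
};

/* Pattern from the report: the handle is dereferenced with no prior check. */
static int class_is_mac_unchecked(const struct op_state *operation)
{
    return operation->info.operationClass == TEE_OPERATION_MAC; /* faults on NULL */
}

/* Guarded form: validate every caller-supplied pointer before its first use. */
TEE_Result mac_compare_final_checked(const struct op_state *operation,
                                     const uint8_t *mac, size_t mac_len)
{
    if (operation == NULL || mac == NULL)
        return TEE_ERROR_BAD_PARAMETERS;
    if (!class_is_mac_unchecked(operation))  /* safe: operation is non-NULL here */
        return TEE_ERROR_BAD_PARAMETERS;
    if (operation->computed_len > sizeof(operation->computed_mac) ||
        mac_len != operation->computed_len)
        return TEE_ERROR_MAC_INVALID;

    /* Constant-time comparison so timing does not reveal the mismatch position. */
    uint8_t diff = 0;
    for (size_t i = 0; i < mac_len; i++)
        diff |= (uint8_t)(mac[i] ^ operation->computed_mac[i]);
    return diff == 0 ? TEE_SUCCESS : TEE_ERROR_MAC_INVALID;
}
```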