Headline
CVE-2022-40762: Security: Memory Allocation with Excessive Size Value in the function TEE_Realloc · Issue #82 · Samsung/mTower
A Memory Allocation with Excessive Size Value vulnerability in the TEE_Realloc function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_Realloc with an excessive value for the parameter len.
Affected components:
Affected source code file: /tee/lib/libutee/tee_api.c; affected function: TEE_Realloc
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_Realloc and pass a large number to the parameter "len".
Suggested description of the vulnerability for use in the CVE
Memory Allocation with Excessive Size Value vulnerability in the TEE_Realloc function in Samsung Electronics mTower v0.3.0 (and earlier) allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_Realloc with an excessive value for the parameter "len".
Discoverer(s)/Credits
SyzTrust
Reference(s)
https://github.com/Samsung/mTower
Affected function prototype: void *TEE_Realloc(const void *buffer, uint32_t newSize)
Additional information
The function TEE_Realloc does not validate the requested chunk size before reallocating. Calling tee_user_mem_realloc with an excessive size value on real IoT hardware (such as the NuMaker-PFM-M2351) crashes the trusted execution environment kernel and causes a Denial of Service (DoS).
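As an added, defender-side illustration (not mTower's code): a bounds-checked reallocation wrapper with the TEE_Realloc-style signature from the report, which rejects oversized requests before they reach the allocator. TA_HEAP_SIZE, CHUNK_HEADER_SIZE, tee_size_is_sane and checked_realloc are assumed names with constructed values; libc realloc stands in for tee_user_mem_realloc.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed bound on the TA heap. A real TEE would take this from the TA's
 * configured heap size; mTower's actual limits are not used here. */
#define TA_HEAP_SIZE (64u * 1024u)

/* Hypothetical bookkeeping the allocator prepends to every chunk. */
#define CHUNK_HEADER_SIZE 16u

typedef enum {
    ALLOC_OK = 0,
    ALLOC_ERR_TOO_LARGE, /* rejected before reaching the allocator */
    ALLOC_ERR_OOM        /* allocator could not satisfy the request */
} alloc_status_t;

/* Returns 1 if newSize can be serviced safely: adding the chunk header must
 * not wrap the 32-bit size type, and the whole chunk must fit in the heap. */
int tee_size_is_sane(uint32_t newSize)
{
    if (newSize > UINT32_MAX - CHUNK_HEADER_SIZE)
        return 0; /* newSize + header would overflow uint32_t */
    uint32_t total = newSize + CHUNK_HEADER_SIZE;
    return total <= TA_HEAP_SIZE;
}

/* Bounds-checked reallocation. On rejection it returns NULL, reports why in
 * *status, and leaves the original buffer untouched so the caller can keep
 * using or freeing it (standard realloc failure semantics). */
void *checked_realloc(void *buffer, uint32_t newSize, alloc_status_t *status)
{
    if (!tee_size_is_sane(newSize)) {
        *status = ALLOC_ERR_TOO_LARGE;
        return NULL;
    }
    void *p = realloc(buffer, (size_t)newSize); /* stand-in for the TEE allocator */
    if (p == NULL) {
        *status = ALLOC_ERR_OOM;
        return NULL;
    }
    *status = ALLOC_OK;
    return p;
}
```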
THANK YOU FOR CONTRIBUTIONS IN MTOWER TEE OS!