Headline
CVE-2022-35858: Security: Memory Leak in the function TEE_PopulateTransientObject · Issue #71 · Samsung/mTower
The TEE_PopulateTransientObject and __utee_from_attr functions in Samsung mTower 0.3.0 allow a trusted application to trigger a memory overwrite, denial of service, and information disclosure by invoking the function TEE_PopulateTransientObject with a large number in the parameter attrCount.
Affected components:
affected source code file: /tee/lib/libutee/tee_api_objects.c, affected functions: TEE_PopulateTransientObject and __utee_from_attr
Attack vector(s)
To exploit the vulnerability, invoke the function TEE_PopulateTransientObject and pass a large number of the parameter “attrCount”
Suggested description of the vulnerability for use in the CVE
Memory leak in TEE_PopulateTransientObject and __utee_from_attr functions in Samsung Electronics mTower v0.3.0(and earlier) allows a trusted application to trigger denial of service and information disclosure via invoking the function TEE_PopulateTransientObject with a large number of the parameter "attrCount".
Reference(s)
https://github.com/Samsung/mTower
TEE_Result TEE_PopulateTransientObject(TEE_ObjectHandle object,
Additional information
The TEE_PopulateTransientObject function takes a number “attrCount” and create an array "ua". This value is passed by TA, and TEE_PopulateTransientObject does not check its size. Then it is passed to __utee_from_attr. The __utee_from_attr function tries to copy data from “attrs” to "ua". The problem appears in the assignments in the for loop. If the attr_count is too large, “ua” will overlap the memory region of other TAs’ (tampering data such as global variables, or causing TEE crash and triggers denial of service because of illegal address dereference).
Contact