Stack overflow on SK_LOAD signature length field in Texas Instruments OMAP L138

An attacker must first obtain the CEK (via CVE-2022-25332) to encrypt a forged, unsigned SK_LOAD module. The attacker then supplies a module with an oversized signature field. Because the SK_LOAD routine lacks a bounds check on the signature size, the oversized signature overflows a stack buffer and overwrites a SHA256 function pointer in the secure kernel data area. This yields arbitrary code execution in secure supervisor context, fully breaking the TEE security architecture [ref_id=1].

The vulnerability resides in the SK_LOAD module loading routine within the mask ROM of the Texas Instruments OMAP L138 (secure variants) trusted execution environment. The routine lacks a bounds check on the signature size field, causing a stack overflow when a module with a sufficiently large signature field is loaded. This overflow affects secure kernel data pages, including a SHA256 function pointer in the secure kernel data area [ref_id=1].

No patch is shown in the supplied bundle. The advisory does not specify a vendor fix for this CVE; the TETRA:BURST disclosure page lists recommended mitigations for other CVEs but does not include a remediation entry for CVE-2022-25334 [ref_id=1]. Without a published fix, asset owners are advised to consult their national or sectoral CERT for guidance.