VYPR
Unrated severity · NVD Advisory · Published Aug 11, 2022 · Updated Aug 3, 2024

CVE-2022-38155


Description

TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted application to achieve Excessive Memory Allocation via a large len value, as demonstrated by a Numaker-PFM-M2351 TEE kernel crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted application to cause excessive memory allocation and kernel crash via a large len value.

Vulnerability

TEE_Malloc in Samsung mTower through version 0.3.0 does not validate the len parameter before passing it to tee_user_mem_alloc. A trusted application can invoke TEE_Malloc with an excessively large value for len, leading to an attempt to allocate a huge memory chunk. The affected code is in /tee/lib/libutee/tee_api.c at line 314 [1]. This issue is present in all versions up to 0.3.0 [2].

Exploitation

To exploit this vulnerability, an attacker must have the ability to load and execute a trusted application within the TEE environment. The attacker then calls TEE_Malloc with a very large len value, such as 0xFFFFFFFF. The function does not check the size and proceeds to allocate, causing the TEE kernel to crash due to memory exhaustion or invalid allocation. No authentication or special privileges beyond running a trusted application are required [2].

Impact

Successful exploitation results in a denial of service (DoS) through a TEE kernel crash. On hardware like the Numaker-PFM-M2351, this manifests as a complete system crash of the trusted execution environment, disrupting all TEE services and potentially affecting the normal world if the TEE is responsible for critical functions [2].

Mitigation

As of the publication date (2022-08-11), no patched version has been released. The maintainers have acknowledged the issue via GitHub issue #74 [2], but no fix is available. Users should monitor the mTower repository for updates. A potential workaround is to enforce input validation on len values passed to TEE_Malloc at the caller level, but this requires modifying trusted applications.
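The caller-level workaround described above could look like the following sketch. It is an added example, not code from mTower or from the advisory. The wrapper names, the `TA_MAX_ALLOC` ceiling and the host-side `TEE_Malloc` stand-in (which takes a length and a hint, as in the GlobalPlatform API) are assumptions made so the block runs off-target.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: per-TA ceiling chosen by the TA author to fit the TEE heap. */
#define TA_MAX_ALLOC ((uint32_t)4096)

/* Host-side stand-in so the example runs off-target; in a real TA this
 * is the libutee TEE_Malloc, which forwards len unchecked. */
static unsigned stub_calls;
static void *TEE_Malloc(uint32_t len, uint32_t hint)
{
    (void)hint;
    stub_calls++;
    return calloc(1, len);
}

/* Hypothetical wrapper: refuse sizes the TA never legitimately needs,
 * so an oversized len never reaches the TEE allocator. */
static void *ta_checked_malloc(uint32_t len, uint32_t hint)
{
    if (len == 0 || len > TA_MAX_ALLOC)
        return NULL;
    return TEE_Malloc(len, hint);
}

/* Array variant: bound count before multiplying so count * elem_size
 * can neither wrap around nor exceed the ceiling. */
static void *ta_checked_calloc(uint32_t count, uint32_t elem_size, uint32_t hint)
{
    if (count == 0 || elem_size == 0 || count > TA_MAX_ALLOC / elem_size)
        return NULL;
    return ta_checked_malloc(count * elem_size, hint);
}

int main(void)
{
    /* Constructed inputs: the large len from the advisory, then a sane one. */
    void *bad = ta_checked_malloc(0xFFFFFFFFu, 0);
    void *ok = ta_checked_malloc(64, 0);
    printf("oversized: %s, 64 bytes: %s, allocator calls: %u\n",
           bad ? "allocated" : "rejected", ok ? "allocated" : "rejected",
           stub_calls);
    free(ok);
    return 0;
}
```

In a trusted application, every direct `TEE_Malloc` call whose size derives from client-supplied parameters would go through the wrapper, with the ceiling sized to the largest buffer the TA actually needs.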

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

2
