CVE-2022-40757
Description
A Buffer Access with Incorrect Length Value vulnerability in the TEE_MACComputeFinal function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACComputeFinal with an excessive size value of messageLen.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Samsung mTower before 0.3.1 has a buffer overread in TEE_MACComputeFinal, allowing a trusted app to crash the TEE kernel via an excessive messageLen.
Vulnerability
A buffer access with incorrect length value vulnerability exists in the function TEE_MACComputeFinal in Samsung mTower through version 0.3.0. The function resides in the file /tee/lib/libutee/tee_api_objects.c [1]. The trusted application (TA) passes a messageLen parameter, and the implementation does not validate that this value matches the actual length of the input buffer. When an excessive messageLen is supplied, the internal memcpy operation reads beyond the intended memory region, leading to a denial of service [1][2]. The same class of bug also affects TEE_MACUpdate [1].
Exploitation
An attacker who controls a trusted application can invoke TEE_MACComputeFinal with an overly large messageLen value. No special network position or authentication beyond the ability to execute a TA is required. The excessive size causes a subsequent memcpy to copy out of bounds, which can corrupt memory or trigger a fault in the TEE kernel [1][2].
Impact
Successful exploitation causes a denial of service (DoS), crashing the trusted execution environment kernel. The disclosure indicates no privilege escalation or information disclosure, but the crash can disrupt all TEE services on the device [1].
Mitigation
A fix has been implemented in the mTower repository after version 0.3.0 [1]. Users should update to a commit that includes validation of messageLen against the actual buffer size. As of the publication date, no official patch release number has been announced; the recommended action is to apply the latest changes from the repository [2].
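The length validation described above, sketched as an added example. It is not mTower's code: `ta_region`, `range_in_region`, `mac_stage_final` and the error codes are hypothetical names, and it assumes the callee knows the bounds of the memory the TA owns.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model for illustration, not mTower source; names are hypothetical. */
#define MAC_OK                  0
#define MAC_ERR_BAD_PARAMETERS (-1)
#define MAC_ERR_SHORT_BUFFER   (-2)

/* Memory the calling TA is known to own. */
struct ta_region { const uint8_t *base; size_t size; };

/* Constructed sample data: a 32-byte TA buffer and a 64-byte staging block. */
static const uint8_t ta_buf[32] = { 0x6d, 0x73, 0x67 };
static const struct ta_region ta = { ta_buf, sizeof ta_buf };
static uint8_t block[64];

/* Returns 1 only if [ptr, ptr + len) lies inside the region. The end address
 * is never computed, so a huge len cannot wrap around and pass the check. */
static int range_in_region(const struct ta_region *r, const void *ptr, size_t len)
{
    uintptr_t p = (uintptr_t)ptr, b = (uintptr_t)r->base;
    if (ptr == NULL || p < b)
        return 0;
    size_t off = (size_t)(p - b);
    if (off > r->size)
        return 0;
    return len <= r->size - off;
}

/* Stages the final message chunk. Both checks run before memcpy, which is
 * where an unvalidated length would become an out-of-bounds read. */
int mac_stage_final(const struct ta_region *r, const void *message,
                    size_t message_len, uint8_t *out, size_t out_size)
{
    if (!range_in_region(r, message, message_len))
        return MAC_ERR_BAD_PARAMETERS;   /* length exceeds the caller's buffer */
    if (message_len > out_size)
        return MAC_ERR_SHORT_BUFFER;     /* would overflow the staging block */
    memcpy(out, message, message_len);
    return MAC_OK;
}

int main(void)
{
    /* In-bounds request succeeds; oversized request is rejected, not copied. */
    int ok  = mac_stage_final(&ta, ta_buf, sizeof ta_buf, block, sizeof block);
    int bad = mac_stage_final(&ta, ta_buf, SIZE_MAX, block, sizeof block);
    return (ok == MAC_OK && bad == MAC_ERR_BAD_PARAMETERS) ? 0 : 1;
}
```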
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Samsung/mTower
- Range: <=0.3.0
Patches
No patches discovered yet.
References
- github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/lib/libutee/tee_api_operations.c (mitre, x_refsource_MISC)
- github.com/Samsung/mTower/issues/81 (mitre, x_refsource_MISC)