CVE-2022-40758

Vulnerability

The vulnerability resides in the TEE_CipherUpdate function in the Samsung mTower TEE library (through version 0.3.0). Specifically, the function does not validate the srcLen parameter provided by a trusted application (TA). When an excessive size value is passed, it results in a buffer access with incorrect length, leading to out-of-bounds memory access. The affected source code is in /tee/lib/libutee/tee_api_operations.c [1][2].

Exploitation

An attacker must be able to execute a trusted application within the TEE. The TA invokes TEE_CipherUpdate with a crafted srcLen that is larger than the actual buffer. No additional authentication is required; the attacker controls the TA input. The function then performs an incorrect-length memory operation, potentially causing a crash.

Impact

Successful exploitation can crash the TEE kernel, resulting in a denial of service (DoS) for all services relying on the TEE. While the primary impact is availability, the out-of-bounds read could also lead to information disclosure, though the description focuses on DoS.

Mitigation

As of the available references, no official patch has been released. Users of Samsung mTower versions 0.3.0 and earlier should monitor the GitHub repository [1] for updates and apply any fix when it becomes available. There is no known workaround.