VYPR
Unrated severity · NVD Advisory · Published Sep 16, 2022 · Updated Aug 3, 2024

CVE-2022-40760

Description

A Buffer Access with Incorrect Length Value vulnerability in the TEE_MACUpdate function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACUpdate with an excessive size value of chunkSize.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Samsung mTower through 0.3.0, TEE_MACUpdate lacks chunkSize validation, allowing a trusted application to trigger a DoS via an excessive size.

Vulnerability

A Buffer Access with Incorrect Length Value vulnerability exists in the TEE_MACUpdate function in Samsung mTower through version 0.3.0 [1]. The function is implemented in /tee/lib/libutee/tee_api_objects.c [1]. It accepts a chunkSize parameter from the calling Trusted Application (TA) without verifying that it matches the actual size of the chunk buffer [1]. An excessive chunkSize value leads to a memcpy operation that reads or writes beyond intended bounds [1][3].

Exploitation

An attacker controlling a TA can invoke the TEE_MACUpdate function and supply an arbitrarily large chunkSize argument [1]. No additional authentication or special privileges are required beyond the ability to run a TA in the mTower environment [1]. The function passes the attacker-supplied chunkSize to utee_hash_update and later to a memcpy (via the md->state_var.buf in the TomCrypt hash header) without bounds checking [1][2][3], resulting in out-of-bounds memory access.

Impact

Successful exploitation causes a crash of the Trusted Execution Environment (TEE) kernel, leading to a Denial of Service (DoS) [1]. The entire TEE environment becomes unavailable, affecting all trusted applications and security services relying on it. No confidential data is directly exposed by this specific vulnerability, but system stability is compromised.

Mitigation

As of the reference date, no patched version has been released for mTower [1]. The issue was disclosed in September 2022, and the latest affected release is v0.3.0. The only workaround is to avoid invoking TEE_MACUpdate with untrusted chunkSize values or to apply manual input validation in any TA using the function. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
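The manual input validation mentioned above can be sketched as a wrapper that carries the chunk's real capacity alongside its pointer and rejects any larger requested length before the block-buffered update runs. This is an added example, not code from mTower, TomCrypt or the advisory; `mac_ctx`, `chunk_buf`, `mac_absorb` and `checked_mac_update` are hypothetical names, and `mac_absorb` is a constructed stand-in for an update primitive that trusts its length argument.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names throughout; this is not mTower or TomCrypt code. */
#define BLOCK 64u

typedef struct {            /* block-buffered state, like a hash/MAC context */
    uint8_t  buf[BLOCK];
    uint32_t curlen;        /* bytes currently held in buf */
    uint64_t total;         /* bytes absorbed so far */
} mac_ctx;

typedef struct {            /* a chunk together with its real capacity */
    const uint8_t *data;
    size_t         cap;
} chunk_buf;

enum { MAC_OK = 0, MAC_BAD_PARAM = -1 };

/* Constructed stand-in for the update primitive: it trusts len completely. */
static void mac_absorb(mac_ctx *c, const uint8_t *in, size_t len)
{
    while (len > 0) {
        size_t n = BLOCK - c->curlen;
        if (n > len) n = len;
        memcpy(c->buf + c->curlen, in, n);   /* reads n bytes of caller memory */
        c->curlen = (uint32_t)((c->curlen + n) % BLOCK); /* full block: compress here */
        c->total += n;
        in += n; len -= n;
    }
}

/* Guard: refuse a requested length larger than the buffer actually owned. */
int checked_mac_update(mac_ctx *c, chunk_buf src, size_t chunk_size)
{
    if (c == NULL || (src.data == NULL && chunk_size != 0))
        return MAC_BAD_PARAM;
    if (chunk_size > src.cap)                /* the check the advisory says is missing */
        return MAC_BAD_PARAM;
    mac_absorb(c, src.data, chunk_size);
    return MAC_OK;
}

int main(void)
{
    static const uint8_t msg[16] = {0};      /* constructed sample input */
    mac_ctx c = {0};
    chunk_buf b = { msg, sizeof msg };
    return checked_mac_update(&c, b, 4096) == MAC_BAD_PARAM ? 0 : 1;
}
```

The comparison is `chunk_size > src.cap` rather than pointer arithmetic on `data + chunk_size`, so a length near `SIZE_MAX` cannot wrap around and pass the check.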

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
