CVE-2022-40761
Description
The function tee_obj_free in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_AllocateOperation with a disturbed heap layout, related to utee_cryp_obj_alloc.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap layout disturbance in Samsung mTower up to v0.3.0 allows a trusted application to trigger a denial-of-service via the function TEE_AllocateOperation.
Vulnerability
An improper input validation vulnerability exists in the tee_obj_free function in Samsung mTower through version 0.3.0 [1][3]. The flaw, related to utee_cryp_obj_alloc, occurs when a trusted application invokes TEE_AllocateOperation with a specially crafted heap layout [3]. The affected code is in /tee/tee/tee_svc_cryp.c and /tee/tee/tee_obj.c, specifically the tee_obj_alloc and tee_obj_free functions [3].
Exploitation
An attacker needs to have a trusted application running in the TEE and must first disturb the heap layout, for example by calling TEE_AllocateOperation and TEE_Realloc with a large size [3]. Then, invoking TEE_AllocateOperation again triggers the vulnerable code path. The calloc function in tee_obj_alloc does not return a buffer with all bits zero as expected when the heap is disturbed, causing free(o->attr) to free an invalid pointer [3].
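The failure mode described above, free() acting on a pointer field that was assumed to be zero, can be guarded against by initialising every field explicitly instead of relying on the allocator. This is an added example, not mTower code: struct demo_obj, dirty_calloc and the demo_obj_* functions are hypothetical names, and dirty_calloc is a constructed stand-in for an allocator that hands back non-zero memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_OBJ_MAGIC 0x4f424a31u

/* Hypothetical object layout; not mTower's struct tee_obj. */
struct demo_obj {
    uint32_t magic;   /* set only once the object is fully initialised */
    void *attr;       /* owned attribute buffer, or NULL */
    size_t attr_len;
};

/* Constructed stand-in for a calloc whose result is not all-zero. */
static void *dirty_calloc(size_t n, size_t sz) {
    if (sz != 0 && n > SIZE_MAX / sz) return NULL;  /* overflow check */
    void *p = malloc(n * sz);
    if (p) memset(p, 0xA5, n * sz);                 /* simulate stale heap data */
    return p;
}

struct demo_obj *demo_obj_alloc(void *(*alloc_fn)(size_t, size_t)) {
    struct demo_obj *o = alloc_fn(1, sizeof(*o));
    if (!o) return NULL;
    /* Do not trust the allocator's zeroing: set every field explicitly. */
    o->attr = NULL;
    o->attr_len = 0;
    o->magic = DEMO_OBJ_MAGIC;
    return o;
}

int demo_obj_set_attr(struct demo_obj *o, size_t len) {
    if (!o || o->magic != DEMO_OBJ_MAGIC || len == 0) return -1;
    void *p = malloc(len);
    if (!p) return -1;
    memset(p, 0, len);
    free(o->attr);            /* NULL or a buffer this object allocated */
    o->attr = p;
    o->attr_len = len;
    return 0;
}

/* Returns 0 when the object was released, -1 when it was rejected. */
int demo_obj_free(struct demo_obj *o) {
    if (!o || o->magic != DEMO_OBJ_MAGIC) return -1;  /* never initialised here */
    free(o->attr);
    o->attr = NULL;
    o->magic = 0;             /* a repeated free of this object is rejected */
    free(o);
    return 0;
}
```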
Impact
Successful exploitation crashes the TEE kernel, leading to a Denial of Service (DoS) [3]. The entire trusted execution environment becomes unavailable until the system is restarted.
Mitigation
As of the available references, no patched version has been released for this vulnerability, which affects mTower through v0.3.0 [1][2][3]. The issue is tracked in the mTower GitHub repository (issue #83). Users should monitor the project for an official fix and limit trust in applications running within the TEE to reduce risk [3].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Samsung/mTower
- Range: <=0.3.0
Patches
No patches discovered yet.
References
- github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/tee/tee_obj.c (mitre, x_refsource_MISC)
- github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/tee/tee_svc_cryp.c (mitre, x_refsource_MISC)
- github.com/Samsung/mTower/issues/83 (mitre, x_refsource_MISC)