CVE-2022-40762

Vulnerability

The vulnerability resides in the TEE_Realloc function in /tee/lib/libutee/tee_api.c of Samsung mTower through version 0.3.0. The function does not validate the newSize parameter before passing it to the underlying tee_user_mem_realloc call, enabling a trusted application to request an excessively large memory allocation [1], [2].

Exploitation

An attacker needs to be able to invoke the TEE_Realloc function from a trusted application. By calling TEE_Realloc with a very large value for the newSize parameter (e.g., a value larger than available memory), the function attempts to allocate an excessive amount of memory [1], [2]. On real IoT hardware, such as the Numaker-PFM-M2351, this causes the Trusted Execution Environment (TEE) kernel to crash [2].

Impact

Successful exploitation results in a denial of service (DoS) by crashing the TEE kernel, rendering the secure environment unavailable until a reboot. The impact is limited to availability; there is no evidence of information disclosure or privilege escalation from this vulnerability [2].

Mitigation

A fix for this vulnerability has not been released in the available references. Users of Samsung mTower versions up to 0.3.0 should apply any vendor-supplied patch when it becomes available. In the interim, trusted applications should be audited to ensure they do not call TEE_Realloc with an uncontrolled large size [2].