[Samsung TV] Multiple Memory Write Vulnerabilities to Trusted Execution Environment Memory in tzdemuxerservice
Multiple vulnerabilities were found in the Trusted Application tzdemuxerservice used by Samsung Smart TVs; five of the six issues share the same root cause. When a "normal world" application calls into the "trusted execution environment" (TEE), each parameter can be passed either by value or by reference. In several locations the parameter type was not checked, so a buffer could point into TEE memory instead of normal-world memory, leading to various memory writes into the TEE. This is a powerful primitive and may lead to code execution.
The five locations with this vulnerability were the commands:
CMD_TZDEMUXER_CLIENT_DUMP_NORMAL_DATA
CMD_TZDEMUXER_CLIENT_DUMP_VIDEO_PACKET
CMD_TZDEMUXER_CLIENT_GET_PACKET
CMD_TZDEMUXER_CLIENT_GET_VIDEO_CODEC_INFO
CMD_TZDEMUXER_CLIENT_GET_AUDIO_CODEC_INFO
Patch
To patch these issues, Samsung started enforcing that the parameter types were TEE_PARAM_TYPE_MEMREF_INOUT, which prevents the buffers from pointing into TEE memory.
The final vulnerability was that several locations did not check the return value of malloc. Should allocation fail in some situation, it could lead to a NULL dereference, which may be exploitable if an attacker can gain control of memory at address 0.
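As an added illustration (not Samsung's code, and not the real tzdemuxerservice handler), the hypothetical command handler below shows the two checks the advisory describes: a GlobalPlatform-style parameter-type check before any memref is trusted, and a NULL check on the allocation result. The TEE_* definitions are a subset of the GlobalPlatform TEE Internal Core API, reproduced here so the snippet compiles outside a TA build, and CODEC_INFO is constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Subset of the GlobalPlatform TEE Internal Core API, defined here so the
 * example compiles stand-alone outside a TA build (values follow the spec). */
#define TEE_SUCCESS                  0x00000000
#define TEE_ERROR_BAD_PARAMETERS     0xFFFF0006
#define TEE_ERROR_OUT_OF_MEMORY      0xFFFF000C
#define TEE_PARAM_TYPE_NONE          0
#define TEE_PARAM_TYPE_VALUE_INPUT   1
#define TEE_PARAM_TYPE_MEMREF_INOUT  7
#define TEE_PARAM_TYPES(t0, t1, t2, t3) ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))

typedef uint32_t TEE_Result;
typedef union {
    struct { void *buffer; uint32_t size; } memref;
    struct { uint32_t a; uint32_t b; } value;   /* shares storage with memref */
} TEE_Param;

/* Constructed stand-in for the codec information the real command copies out. */
static const char CODEC_INFO[] = "h264;1920x1080";

/* Hypothetical hardened handler. The paramTypes comparison is the fix the
 * advisory describes: only when the TEE OS knows params[0] is a MEMREF has it
 * validated that the buffer lies in normal-world memory. Without this check a
 * VALUE parameter's .a/.b bits would be read as .memref.buffer/.size, so the
 * copy destination would be whatever address the caller chose. */
TEE_Result get_codec_info(uint32_t paramTypes, TEE_Param params[4]) {
    const uint32_t expected = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INOUT,
                                              TEE_PARAM_TYPE_NONE,
                                              TEE_PARAM_TYPE_NONE,
                                              TEE_PARAM_TYPE_NONE);
    if (paramTypes != expected)
        return TEE_ERROR_BAD_PARAMETERS;
    if (params[0].memref.buffer == NULL || params[0].memref.size < sizeof(CODEC_INFO))
        return TEE_ERROR_BAD_PARAMETERS;   /* reject short buffers before writing */

    /* Sixth issue: allocation results must be checked. malloc stands in for
     * TEE_Malloc; on failure return an error instead of dereferencing NULL. */
    char *scratch = malloc(sizeof(CODEC_INFO));
    if (scratch == NULL)
        return TEE_ERROR_OUT_OF_MEMORY;
    memcpy(scratch, CODEC_INFO, sizeof(CODEC_INFO));
    memcpy(params[0].memref.buffer, scratch, sizeof(CODEC_INFO));
    params[0].memref.size = (uint32_t)sizeof(CODEC_INFO);  /* report bytes written */
    free(scratch);
    return TEE_SUCCESS;
}
```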