[Samsung TV] Multiple Memory Write Vulnerabilities to Trusted Execution Environment Memory in tzdemuxerservice

We discussed this vulnerability during Episode 98 on 09 November 2021

Multiple vulnerabilities in tzdemuxerservice, a Trusted Application used by Samsung Smart TVs; five of the six issues share the same root cause. When a "normal world" application calls into the Trusted Execution Environment (TEE), parameters can be passed either by value or by reference. In several locations the parameter type was not checked, so a buffer could point into TEE memory instead of normal-world memory, leading to various memory writes into the TEE. That is a powerful primitive and may lead to code execution.

The five locations with this vulnerability were the commands:

  • CMD_TZDEMUXER_CLIENT_DUMP_NORMAL_DATA
  • CMD_TZDEMUXER_CLIENT_DUMP_VIDEO_PACKET
  • CMD_TZDEMUXER_CLIENT_GET_PACKET
  • CMD_TZDEMUXER_CLIENT_GET_VIDEO_CODEC_INFO
  • CMD_TZDEMUXER_CLIENT_GET_AUDIO_CODEC_INFO

Patch
To patch these issues Samsung started enforcing that the parameter type is TEE_PARAM_TYPE_MEMREF_INOUT, which prevents the buffers from pointing into TEE memory.

The final vulnerability was that several locations did not check the return value of malloc. Should allocation fail in some situation, it could lead to a NULL dereference, which may be exploitable if an attacker can gain control of memory at address 0.
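The two root causes above (an unchecked parameter type and an unchecked allocation) are easiest to see side by side in a small command handler. The following is an added example, not Samsung's code and not taken from the episode: a hypothetical "get codec info" handler written first in the unchecked shape the episode describes, then hardened the way the patch is described, requiring TEE_PARAM_TYPE_MEMREF_INOUT and checking the allocation result. The TEE types, macros and the TEE_Malloc/TEE_Free stand-ins are constructed here to mirror the GlobalPlatform TEE Internal Core API shapes so the file builds without a TEE SDK; fail_next_alloc is a test hook that does not exist in any real TEE.

```c
/* Added example (not Samsung's code): unchecked vs. hardened TA command handler.
 * Types below are constructed stand-ins mirroring the GlobalPlatform TEE API. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

typedef uint32_t TEE_Result;
#define TEE_SUCCESS               0x00000000
#define TEE_ERROR_BAD_PARAMETERS  0xFFFF0006
#define TEE_ERROR_OUT_OF_MEMORY   0xFFFF000C

#define TEE_PARAM_TYPE_NONE          0
#define TEE_PARAM_TYPE_VALUE_INPUT   1
#define TEE_PARAM_TYPE_MEMREF_INOUT  7
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
    ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))

/* A memref and a value parameter share the same union storage. The TEE only
 * validates that memref buffers lie in normal-world memory when the declared
 * type says MEMREF; for a VALUE type, a/b are just two caller-chosen words. */
typedef union {
    struct { void *buffer; uint32_t size; } memref;
    struct { uint32_t a; uint32_t b; } value;
} TEE_Param;

/* Constructed allocator stand-in; fail_next_alloc exists only so the
 * allocation-failure path can be exercised. */
static int fail_next_alloc = 0;
static void *TEE_Malloc(uint32_t size, uint32_t hint) {
    (void)hint;
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(1, size);
}
static void TEE_Free(void *p) { free(p); }

#define CODEC_INFO_LEN 16

/* Unchecked shape: never confirms params[0] is a memref, so whatever the
 * caller placed in the union is reinterpreted as buffer/size, and the
 * allocation result is used without a NULL check. Shown for contrast; not
 * executed by the test. */
static TEE_Result get_codec_info_unchecked(uint32_t types, TEE_Param params[4]) {
    (void)types;
    uint8_t *info = TEE_Malloc(CODEC_INFO_LEN, 0);
    memset(info, 0xAB, CODEC_INFO_LEN);
    memcpy(params[0].memref.buffer, info, CODEC_INFO_LEN);
    params[0].memref.size = CODEC_INFO_LEN;
    TEE_Free(info);
    return TEE_SUCCESS;
}

/* Hardened shape: reject anything but a single MEMREF_INOUT parameter, check
 * the buffer and its length, and handle allocation failure explicitly. */
static TEE_Result get_codec_info_hardened(uint32_t types, TEE_Param params[4]) {
    const uint32_t expected = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INOUT,
                                              TEE_PARAM_TYPE_NONE,
                                              TEE_PARAM_TYPE_NONE,
                                              TEE_PARAM_TYPE_NONE);
    if (types != expected)
        return TEE_ERROR_BAD_PARAMETERS;
    if (params[0].memref.buffer == NULL || params[0].memref.size < CODEC_INFO_LEN)
        return TEE_ERROR_BAD_PARAMETERS;

    uint8_t *info = TEE_Malloc(CODEC_INFO_LEN, 0);
    if (info == NULL)
        return TEE_ERROR_OUT_OF_MEMORY;
    memset(info, 0xAB, CODEC_INFO_LEN);          /* stand-in for real codec data */
    memcpy(params[0].memref.buffer, info, CODEC_INFO_LEN);
    params[0].memref.size = CODEC_INFO_LEN;
    TEE_Free(info);
    return TEE_SUCCESS;
}

int main(void) {
    uint8_t out[32];
    TEE_Param good[4]; memset(good, 0, sizeof good);
    good[0].memref.buffer = out; good[0].memref.size = sizeof out;
    printf("memref param: 0x%08X\n",
           get_codec_info_hardened(TEE_PARAM_TYPES(7, 0, 0, 0), good));

    TEE_Param bad[4]; memset(bad, 0, sizeof bad);   /* value param, not a memref */
    bad[0].value.a = 0x12345678; bad[0].value.b = 64;
    printf("value param:  0x%08X\n",
           get_codec_info_hardened(TEE_PARAM_TYPES(1, 0, 0, 0), bad));
    (void)get_codec_info_unchecked;
    return 0;
}
```

The type check must compare the whole param_types word, not just the first slot: a caller who can set unused slots to MEMREF types could otherwise have the TEE map extra buffers the handler never expected.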